Critical Infrastructure

Modern society depends on critical infrastructure facilities, such as transportation networks, telecommunications, water utilities and power plants, that are central not only to daily life, but also to national security. Most of this infrastructure is operated by private companies. Yet because many of these facilities deliver a public good, how their operators implement cybersecurity is a public policy matter.

DHS has designated 17 industries/sectors as critical infrastructure: chemicals; commercial facilities; communications; critical manufacturing; dams; defense industry; election systems; emergency services; energy sector; financial services; food and agriculture; government facilities; healthcare; information technology; nuclear energy; transportation; and water and wastewater.

Critical Infrastructure

A Tricky Term: Some use “critical infrastructure” to describe the 17 designated sectors, from heavy industry to banks and hospitals. However, some people use the phrase narrowly in reference only to energy production and distribution. Always clarify which one is at issue.

State Example: Public Utilities in Action

Connecticut’s Public Utilities Regulatory Authority published a report documenting a series of recommendations for utilities including, but not limited to, setting security performance criteria, identifying reporting goals and standards, sharing information and best practices. The New Jersey Board of Public Utilities adopted requirements that include conducting risk assessments, reporting cyber incidents to the state’s integration center, creating incident response plans and others.

Who regulates critical infrastructure?

The defense industry, chemical facilities, the nuclear power industry and certain components of the electric grid are subject to strict federal cybersecurity standards. The finance, healthcare, and telecommunication sectors are subject to less stringent cybersecurity regulation.

What are the primary challenges to improving security?

  1. Many industrial processes rely on operational technology (OT), which lacks built-in security features and the ability for easy upgrades.
  2. Connecting OT systems to the Internet opens the door to potential hacking.
  3. Many organizations, especially small electrical and water utilities, lack employees with a dual understanding of industrial processes and cybersecurity.
  4. Many regulators lack cybersecurity expertise.
  5. Damaging cyberattacks on critical infrastructure remain rare, reducing pressure for any major steps.
What Can Governors Do?
  • Coordinate with federal agencies and the private sector to identify the most important critical infrastructure companies and facilities within the state;
  • Organize a framework for information sharing by introducing state IT, homeland security, and emergency management officials to managers of key critical infrastructure operators (whether public or private);
  • Focus on resiliency by involving critical infrastructure companies and utilities—whether large or small, public or private—in cyber response exercises;
  • Facilitate regular contacts between critical infrastructure operators and state oversight bodies or legislators, using in-person meetings to address confidentiality concerns; and
  • Introduce legislation to protect utilities from liability or Freedom of Information Act requests for information that they share with the state.