Modern society depends on critical infrastructure facilities, such as transportation networks, telecommunications, water utilities and power plants, that are central not only to daily life, but also to national security. Most of this infrastructure is operated by private companies. Yet because many of these facilities deliver a public good, how their operators implement cybersecurity is a public policy matter.
DHS has designated 17 industries/sectors as critical infrastructure: chemicals; commercial facilities; communications; critical manufacturing; dams; defense industry; election systems; emergency services; energy sector; financial services; food and agriculture; government facilities; healthcare; information technology; nuclear energy; transportation; and water and wastewater.
Connecticut’s Public Utilities Regulatory Authority published a report documenting a series of recommendations for utilities including, but not limited to, setting security performance criteria, identifying reporting goals and standards, and sharing information and best practices. The New Jersey Board of Public Utilities adopted requirements that include conducting risk assessments, reporting cyber incidents to the state’s integration center and creating incident response plans, among others.
The defense industry, chemical facilities, the nuclear power industry and certain components of the electric grid are subject to strict federal cybersecurity standards. The finance, healthcare, and telecommunication sectors are subject to less stringent cybersecurity regulation.