The U.S. has a strategic defense plan and multiple layers of defense for critical infrastructure, but significant gaps remain. This post outlines the critical and non-critical infrastructure sectors and how the U.S. secures these systems.
Analysis Summary
# Best Practices: Defending Critical Infrastructure from Cyber and Other Threats
## Overview
These practices outline the context, dependencies, and governance mandates surrounding the defense of the 16 critical infrastructure sectors defined by the U.S. Department of Homeland Security (DHS). The primary focus is recognizing the interconnectedness of foundational sectors (Energy, Communications, Water, Transportation) and the importance of a holistic risk-based approach, moving beyond just cyberattacks to include physical threats and natural disasters.
## Key Recommendations
### Immediate Actions
1. **Acknowledge Sectoral Interdependencies:** Immediately map critical dependencies between your operational systems and the four foundational sectors: Energy, Communications, Water, and Transportation, as a failure in one can cascade across others.
2. **Review NSM-22 Alignment:** Review internal security policies against the principles mandated by the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), emphasizing shared responsibility.
### Short-term Improvements (1-3 months)
1. **Develop Cross-Sector Contact Matrices:** Establish and test communication protocols with key partners and Sector Specific Agencies (SSAs) relevant to your sector to ensure coordination during disruptions.
2. **Identify and Secure Subsystems:** Conduct an inventory of all subsystems/assets within your infrastructure, documenting their specific dependencies (e.g., for Water: identifying energy sources for pumping, communication links for monitoring).
3. **Enhance Threat Monitoring Scope:** Update threat monitoring capabilities to look beyond purely cyberattacks and include indicators related to physical security (e.g., terrorism, infrastructure sabotage).
### Long-term Strategy (3+ months)
1. **Establish Risk Management Planning:** Develop or update a dedicated Infrastructure Risk Management Plan emphasizing a risk-based approach, treating inherited risks arising from sector dependencies as primary security challenges.
2. **Integrate Non-Cyber Risk Assessment:** Formalize processes to regularly evaluate, document, and mitigate risks stemming from natural disasters and physical terrorism alongside cyber threats.
3. **Invest in Resilience Training:** Conduct integrated tabletop exercises simulating incidents that involve multiple failure points across cyber, physical, and supply chain vectors (e.g., a ransomware attack impacting fuel logistics).
## Implementation Guidance
### For Small Organizations
* **Focus on Foundational Reliance:** Specifically identify which of the four foundational sectors (Energy, Comms, Water, Transport) your immediate operational capability relies upon, and secure those external connections first.
* **Leverage Public Resources:** Utilize CISA guidelines tailored toward smaller entities for foundational security controls, as full compliance with enterprise-level mandates may be resource-prohibitive initially.
### For Medium Organizations
* **Formalize Dependency Documentation:** Create detailed architecture diagrams that clearly illustrate system flows and external dependencies across sector lines.
* **Develop Initial Risk Register:** Begin building a comprehensive risk register that explicitly scores risks based on cascading consequences across other interconnected sectors.
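The dependency mapping called for in the Immediate Actions and the cascade-scored risk register above can be modelled directly. This is an added example, not code from the page or from any CISA/DHS resource; the asset names and likelihood values are constructed, and only the four foundational sector names come from the page.

```python
# Constructed dependency map: node -> set of nodes it cannot function without.
# Sector names are the four foundational sectors; asset names are hypothetical.
DEPENDENCIES = {
    "Energy": set(),
    "Communications": {"Energy"},
    "Water": {"Energy", "Communications"},
    "Transportation": {"Energy", "Communications"},
    "pump-station-A": {"Energy", "Communications"},
    "treatment-plant": {"pump-station-A", "Water"},
    "scada-monitor": {"Communications"},
    "fuel-logistics": {"Transportation", "Communications"},
}


def cascade(failed, deps):
    """Return every node that loses function once `failed` goes down,
    propagating transitively through the dependency map."""
    lost = {failed}
    changed = True
    while changed:
        changed = False
        for node, needs in deps.items():
            if node not in lost and needs & lost:
                lost.add(node)
                changed = True
    return lost


def cascade_score(deps):
    """Score each node by how many other nodes its failure takes down."""
    return {n: len(cascade(n, deps)) - 1 for n in deps}


def risk_register(deps, likelihood):
    """Rank nodes by likelihood (0-1, constructed) times (1 + cascade score),
    so an upstream sector with many dependants outranks an isolated asset
    that is more likely to fail on its own."""
    scores = cascade_score(deps)
    rows = []
    for node in deps:
        p = likelihood.get(node, 0.0)
        rows.append((node, p, scores[node], round(p * (1 + scores[node]), 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    # Constructed per-node failure likelihoods for the register.
    sample = {"Energy": 0.1, "Communications": 0.2, "Water": 0.3, "pump-station-A": 0.35}
    for row in risk_register(DEPENDENCIES, sample):
        print("%-16s likelihood=%.2f cascade=%d risk=%.2f" % row)
```

Nodes with a cascade score of zero still belong in the register; the weighting only ensures shared upstream dependencies are not buried beneath single-asset risks.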
### For Large Enterprises
* **Lead Risk Management Plan Development:** Take a proactive role in developing and potentially sharing successful component strategies within the formal risk management plan mandated by NSM-22.
* **Invest in Cross-Sector Security Teams:** Establish dedicated teams responsible for managing security across the complex interfaces connecting internal operational technology (OT) with external IT and vendor ecosystems.
* **Implement Robust Supply Chain Risk Management:** Given the supply chain exposure highlighted by incidents like Colonial Pipeline, institute stringent security vetting for all third-party vendors that supply energy, communications, or specialized chemicals and materials on which operations depend.
## Configuration Examples
*Specific technical configurations were not detailed in the provided text; however, the guidance points toward ensuring **monitoring systems** (e.g., SCADA/ICS communication channels) are prioritized for security hardening and segmented from less trusted networks.*
## Compliance Alignment
The recommendations directly align with the requirements being developed under the direction of:
* **National Security Memorandum (NSM-22):** Mandating the National Infrastructure Risk Management Plan.
* **CISA Directives:** Focused on managing and reducing national-level risks across critical infrastructure sectors.
## Common Pitfalls to Avoid
* **Treating Cyber and Physical Risks in Silos:** Assuming security efforts focused solely on digital threats are sufficient when dealing with critical infrastructure.
* **Ignoring Upstream/Downstream Failures:** Overlooking vulnerabilities in external partners or customers within interconnected sectors (e.g., focusing only on internal water treatment without considering external energy supply stability).
* **Passive Compliance:** Waiting only for formal federal plans to be fully drafted before beginning to address interdependency risk management.
## Resources
* National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22)
* CISA: National Security Memorandum on Critical Infrastructure Security and Resilience
* Critical Infrastructure Sectors List (DHS resources)
* Critical Infrastructure Systems Documentation (CISA resources)