Splunk Inc.

05/05/2024 | News release | Distributed by Public on 05/05/2024 22:19

Critical Infrastructure & Managing Risk

Taken together, urbanization and digitization have led to the creation of systems that have made nations and individuals dependent on them for their daily activities.

This dependency is magnified whenever a major disruption occurs, as economies and lives are significantly impacted. The news is littered with examples of such events: wars, climatic disasters, cyber-attacks, and human errors have impaired the functioning of utilities, telecommunications, transportation and other systems, putting great stress on people's way of life by threatening their stability and security.

Governments around the world have become cognizant of the need to properly manage and secure these systems that are vital for the wellbeing of their citizens. The term "critical infrastructure" is used to define these systems whose disruption, whether natural or man-made, can affect the economic and social stability of a country.

What is critical infrastructure?

Critical infrastructure is defined in the USA Patriot Act as systems and assets, whether physical or virtual, "so vital" to the United States that their incapacity or destruction would have a debilitating impact on:

  • National security
  • National economic security
  • National public health or safety
  • Any combination of those matters

Critical infrastructure can be owned by the government, public agencies, or private entities - often supported by a combination of stakeholders. Because of its significance, this infrastructure requires a substantive level of oversight to ensure operations run smoothly and securely.

Critical infrastructure sectors

There are 16 critical infrastructure sectors mapped by CISA whose incapacitation or destruction would have a debilitating effect on one or a combination of security, national economic security, national public health or safety.

Let's take a brief look at each of the 16 sectors.

Chemical sector

This sector covers the end-to-end supply chain of:

  • Agricultural chemicals
  • Basic chemicals
  • Specialty chemicals
  • Consumer products

The manufacturing and distribution facilities are designated as critical infrastructure because the impairment of these facilities can be hazardous to the public, and because it can affect manufacturing and other sectors that require such chemicals and associated products in their operations.

Commercial facilities sector

This sector covers the diverse range of public and private venues that draw large crowds of people for shopping, business, entertainment, or lodging. These include stadia, malls, amusement parks, hotels and resorts among others.

Disruption of such facilities, especially when major events are taking place, can impact economic stability and the wellbeing of citizens.

Communications sector

This sector is composed of telecommunications (telco) systems including terrestrial, satellite, and wireless transmission systems. They are considered enablers for all the other sectors since they facilitate the transfer of data and information required for operational activities.

Disruption to communication systems has a major impact in the information age since most people are heavily dependent on smartphones and computing systems for their day-to-day activities.

Critical manufacturing sector

This sector covers the manufacturing of primary metals, machinery, electrical equipment, and transportation equipment.

Because other sectors depend heavily on inputs from this sector, a supply chain disruption - even a minor one - can significantly impair essential parts of the national and global economy.

Dams sector

This sector covers the large man-made water bodies that are essential for the provision of:

  • Clean drinking water
  • Irrigation
  • Hydroelectric power generation
  • Wastewater management

A disruption in a dam can be extremely hazardous for the wellbeing of citizens who are located downstream, as well as those dependent on the supply of water and electricity.

Defense Industrial Base (DIB) sector

The DIB sector covers the massive supply chain that provides goods and services for the military. The disruption of subcontractors can negatively affect efforts to keep the peace globally, which is essential for other critical infrastructure sectors to operate.

Emergency services sector

The emergency services sector includes police, ambulance, fire departments, and other emergency response entities, whether public agencies or private entities, who:

  • Perform lifesaving actions.
  • Support rescue operations.
  • Maintain law and order.

Energy sector

This sector covers three interrelated segments:

  • Electricity
  • Oil
  • Natural gas

They include power plants and electricity utilities, including transmission and distribution systems. These are considered enablers, as a disruption to power supply will heavily impact the other critical infrastructure sectors.

Financial services sector

This sector comprises public and private entities involved in large-scale financial transactions, such as banks, insurance, exchanges, and investment and credit service providers.

Because the economic stability of the world is so heavily linked, a disruption in the financial sector can quickly lead to a major negative impact on individuals and nations alike.

Food & agriculture sector

This sector includes farms and food processing facilities that produce the food and drink that supply hotels, restaurants, institutions and homes. A disruption to the food sector can adversely affect individuals who need daily sustenance.

Government facilities sector

These facilities include buildings and associated systems that government agencies use for provision of services to citizens. Examples include offices, court rooms, prisons, embassies, and storage facilities.

Should these facilities be impaired, the government will struggle to effectively meet its mandate to its citizenry.

Healthcare & public health sector

This sector protects individuals from the negative effects of natural disasters, accidents, and other hazards such as disease and war. It includes hospitals and providers of health care products. Its disruption can be a major risk to the wellbeing of citizens and the stability of a territory.

A recent example, the Covid-19 pandemic, reminds us how people across the world were impacted by an infectious disease.

Information technology (IT) sector

Our dependence on technology in this information age cannot be overstated. Every sector is heavily reliant on the transfer and processing of data, and computing systems are critical to day-to-day operations including work and leisure. This sector covers:

For example, the emergence of generative AI is seen as both a major benefit and risk for individuals and nation states.

Nuclear reactors, materials & waste sector

This sector involves the use of nuclear capability for energy, medical, and military purposes. Because of its potent capability to destroy the world as we know it, the need to secure nuclear facilities is well understood.

Transportation systems sector

The movement of people and goods across towns and territories is vital to economic and social wellbeing. This sector covers transportation facilities and systems in the air, land, and water, and includes highways, airports, pipelines, railways, and marine systems.

Disruption of this sector significantly affects the operations of almost all other sectors that depend on logistics for people and materials.

Water & wastewater systems

Clean water is essential to the wellbeing of individuals - and it's a critical ingredient in manufacturing sectors. This sector covers the facilities that process water for drinking or industrial use, including provisioning clean drinking water and processing sewage.

Managing risks to critical infrastructure

Because critical infrastructure underpins the very essence of human society, ensuring its security and resilience is paramount. Any country (including its citizens) is well aware that its safety and prosperity are inherently tied to the condition of its critical infrastructure.

This fact is also known by malicious actors, who would target these systems in a bid to disrupt government. Some of the threats include physical attacks and cyberattacks.

In a world where tools such as drones and exploit kits are easily accessible via the dark web and people can be easily manipulated through social engineering - the world we live in today - risks to critical infrastructure are real and potent.

Governments have taken steps to enhance the resilience of their critical infrastructure by enacting legislation that deploys security resources and directs private entities to put in place the right mechanisms to prevent any disruption and minimize the impact should it occur. Examples of such legislation include:

Risk management frameworks

In order to secure critical infrastructure assets, a formal risk management framework is necessary. By adopting standards such as ISO 31000, organizations can:

  1. Identify their critical infrastructure components and dependencies.
  2. Identify and analyze associated risks.
  3. Plan, prioritize and implement detective, preventive and corrective controls.
  4. Measure the effectiveness of the mitigation actions towards reducing the probability and impact of these risks.

To deploy the right controls, organizations can also reference frameworks that provide guidance on implementing appropriate risk and security controls.