Definition

critical infrastructure

Gavin Wright

By

Gavin Wright

What is critical infrastructure?

Critical infrastructure is the collection of systems, networks and public works that a government considers essential to its functioning and safety of its citizens. The specific infrastructure that each nation considers critical varies. It usually includes electrical grids, public services and communication systems. Special attention must be given to protect critical infrastructure from cyber attacks.

Critical infrastructure cybersecurity

Critical infrastructure is important to day-to-day life and the safety of civilians. Protecting it is becoming more and more important as malicious actors are increasingly targeting critical infrastructure. These attacks can come from ransomware gangs trying to extort money or advanced persistent threat groups attempting to disrupt another country's operations.

There have been examples where a cyber attack has impacted a nation's critical infrastructure. Smaller incidents may only leak information, as with cyberespionage. Larger attacks could severely impact operations. Attacks on hospitals have even sadly resulted in the loss of life.

Operators of critical infrastructure face many challenges when defending against cyber attacks. Security standards may have been set before cyber threats became such a large concern. They may also employ older operational technology or insecure internet of things devices. The majority of critical infrastructure is also privately held, so it may be more profit-focused and may not pay sufficient attention to security. Security teams should emphasize the financial and operational potential impact of a cyber attack to decision-makers to get additional support.

In the United States, the National Institute of Standards and Technology (NIST) provides its Cybersecurity Framework to help protect organizations from threats. NIST also provides additional resources for critical infrastructure that is specific to particular industries. For most sectors, though, following this guidance is not mandated by law.

diagram of NIST Cybersecurity Frameworks five core concepts — The NIST Cybersecurity Framework includes five core concepts around the lifecycle of cybersecurity risk.

Critical infrastructure in the United States

The United States government gives the following explanation for critical infrastructure:

There are 16 critical infrastructure sectors whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Each sector is overseen by a specific government agency. These agencies can provide sector-specific direction.

Chemical sector

Overseen by the Department of Homeland Security (DHS), it covers the manufacturing, storage, transportation and use of potentially dangerous chemicals. It includes base chemicals, specialty chemicals, agricultural chemicals and consumer products.

Commercial facilities sector

Overseen by DHS, it has eight subsectors: entertainment and media, gaming, lodging, outdoor events, public assembly, real estate, retail and sports leagues.

Communications sector

Overseen by DHS, it covers privately owned communications infrastructure, including satellite, terrestrial, wireless communications and the internet.

Critical manufacturing sector

Overseen by DHS, it includes manufacturing that has national significance. The subsectors include primary metals manufacturing; machinery manufacturing; electrical equipment, appliance and component manufacturing; and transportation equipment manufacturing.

Dams sector

Overseen by DHS, it includes water retention and control services.

Defense industrial base sector

Overseen by the Department of Defense, it includes research, design, production and maintenance of military weapons systems.

Emergency services sector

Overseen by DHS, it includes emergency management, emergency medical services, fire and rescue services, law enforcement, public works and other specialty emergency services.

Energy sector

Overseen by the Department of Energy, it covers the production and distribution of electricity, oil and natural gas.

Financial services sector

Overseen by the Department of the Treasury, it covers banks, credit unions, insurance companies and investment institutions. It protects the ability to deposit, withdraw, loan, invest and transfer funds.

Food and agriculture sector

Overseen by the Department of Agriculture and the Department of Health and Human Services (HHS), it includes farms, restaurants and food manufacturing.

Government facilities sector

Overseen by DHS and the General Services Administration, it covers federal, state, local and tribal government facilities. It includes government offices, embassies, courthouses, schools, national monuments and election facilities.

Healthcare and public health sector

Overseen by HHS, it helps to protect against infectious disease, infectious disease outbreaks and terrorism.

Information technology sector

Overseen by DHS, it produces and provides hardware, software, IT systems and services.

Nuclear reactors, materials and waste sector

Overseen by DHS, it includes nuclear power plants, medical radioactive sources and transportation of radioactive materials.

Transportation systems sector

Overseen by DHS and the Department of Transportation, it includes seven subsectors: highway and motor carrier, aviation, maritime transportation system, mass transit and passenger rail, pipeline systems, freight rail, and postal and shipping.

Water and wastewater sector

Overseen by the Environmental Protection Agency, it includes public water supplies and water treatment.

DHS manages the National Infrastructure Protection Plan (NIPP). NIPP outlines how the government and the private sector can work together to protect critical infrastructure from physical, environmental and cyber threats. It does not define any specific requirements, but instead provides instruction for collaboration and common goals.

Critical infrastructure in the European Union

In the European Union (EU), the European Programme for Critical Infrastructure Protection establishes the overall strategy to protect against terrorism and other types of attacks.

The European Commission gives the following description for critical infrastructure:

Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behavior, may have a significant negative impact for the security of the EU and the well-being of its citizens.

The EU Agency for Cybersecurity provides guidance to critical infrastructure sectors, including information and communications technology, energy, financial, health and transportation.

Learn four steps to critical infrastructure protection readiness, and see how to create a critical infrastructure incident response plan.

This was last updated in August 2023

Continue Reading About critical infrastructure

Traditional IT vs. critical infrastructure cyber-risk assessments

Top 6 critical infrastructure cyber-risks

Interconnected critical infrastructure increases cybersecurity risk

Prepare for ransomware attacks on critical infrastructure

A look at security threats to critical infrastructure

Search Networking

What is shielded twisted pair (STP) and how does it work?
Shielded twisted pair (STP) is a kind of cable made up of smaller wires where each small pair of wires is twisted together and ...
What is ping and how does it work?
Ping (Packet Internet Groper) is a basic internet program that enables a user to test and verify if a particular destination ...
What is 1000BASE-T (Gigabit Ethernet)?
1000BASE-T is a Gigabit Ethernet standard that operates at a speed of 1 gigabit per second (Gbps) over copper wiring.

Search Security

What is a firewall and why do I need one?
A firewall is a network security device that prevents unauthorized access to a network by inspecting incoming and outgoing ...
What is risk appetite?
Risk appetite is the amount of risk an organization or investor is willing to take in pursuit of objectives it deems have value.
What is penetration testing?
A penetration test, also called a 'pen test,' is a simulated cyberattack on a computer system, network or application to identify...

Search CIO

What is compliance risk?
Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...
What is quantum entanglement and how does it work?
Quantum entanglement is a foundational phenomenon in quantum mechanics where two or more particles become interconnected in such ...
What is systems thinking?
Systems thinking is a holistic approach to analysis that focuses on the way that a system's constituent parts interrelate and how...

Search HRSoftware

What is team collaboration?
Team collaboration is a communication and project management approach that emphasizes teamwork, innovative thinking and equal ...
What is talent management? Definition, basics and strategy
Talent management is a strategic approach organizations use to attract, develop, retain, and optimize employees.
What is employee experience?
Employee experience is a worker's perception of the organization they work for during their tenure.

Search Customer Experience

What are customer service and support?
Customer service is the support organizations offer to customers before, during and after purchasing a product or service.
What is quality of experience (QoE or QoX)?
Quality of experience (QoE or QoX) is a measure of the overall level of a customer's satisfaction and experience with a product ...
What is voice of the customer? A guide to VOC Strategy
Voice of the customer (VOC) is the component of customer experience (CX) that focuses on customer needs, wants, expectations and ...

Close