Security is an important subject that affects everyone. It’s not just about protecting yourself from hackers attempting to attack your computer or smart device or tricking you into taking the bait from a phishing email. It’s so much more than that.
It’s about protecting our Critical National Infrastructures (CNI), like water treatment facilities, nuclear power stations, and dams. A country’s CNI requires strategic planning to ensure a robust defense against natural disasters such as floods, hurricanes, earthquakes, tsunamis, and thunderstorms, as well as unnatural disasters like arson and cyber attacks from a nation-state threat actor, hacktivist, or cybercriminal.
CNIs encompass the essential assets, systems, and networks crucial for the smooth functioning of society and the economy. These elements are of utmost importance and warrant special protection; their incapacity or destruction would have severe repercussions on security, national economic stability, and public health & safety.
Protecting the Backbone of a Nation
The nature of CNI means that any threat to these sectors can have a knock-on effect with wide-reaching consequences. Protecting critical infrastructure necessitates the establishment of a national capability to identify and monitor critical elements. This capability lets us determine if the elements are under attack or impacted by destructive natural occurrences.
A proactive approach is crucial when protecting the components that comprise our critical national infrastructures, as they are the very foundation of our society.
What Is Defined as Critical Infrastructure?
The Department of Homeland Security (DHS) in America has identified approximately sixteen sectors that it considers vital or critical infrastructures.
The sectors that fall under critical infrastructure include:
- Chemical: Industries involved in the production and distribution of chemicals.
- Commercial Facilities: Businesses that provide services to the public, such as shopping malls, hotels, and sports stadiums.
- Communications: Companies that provide communication services, including telecommunications and internet service providers.
- Critical Manufacturing: Industries involved in the production of essential goods, such as medical equipment and defense-related products.
- Dams: Structures used for water storage, flood control, and power generation.
- Defense: Industries involved in national defense and military operations.
- Industrial Base: Companies that support critical infrastructure sectors through manufacturing and supply chain operations.
- Emergency Services: Organizations responsible for responding to emergencies and providing public safety.
- Energy: Industries involved in the production, distribution, and storage of energy, including electricity, oil, and gas.
- Financial Services: Institutions that provide financial services, such as banks and insurance companies.
- Food and Agriculture: Industries involved in the production, processing, and distribution of food and agricultural products.
- Government Facilities: Buildings and infrastructure used by government agencies to provide public services.
- Healthcare and Public Health: Organizations involved in healthcare services, medical research, and public health initiatives.
- Information Technology: Companies that provide IT services, software development, and data management.
- Nuclear: Industries involved in nuclear power generation and related activities.
Why Are Critical National Infrastructures So Important?
The importance of critical national infrastructures cannot be overstated. These are the sectors that house assets, systems, and networks that are crucial to a country’s functioning. Any disruption or damage to these sectors would result in catastrophic consequences.
To put CNIs into context, think about our everyday domestic routines: taking a shower, going to the car wash, boiling a kettle, and filling up at the gas station. We don’t automatically think about water treatment facilities when using clean running water, or about the supply chain that feeds the petrol or gas station.
As mentioned, the list of CNI sectors goes much deeper than this, but these examples will help show the importance of keeping our CNI safe from attacks.
Making Sure It All Works
To further strengthen the security and resilience of critical infrastructure, collaborative efforts are undertaken by the government and industry partners through cyber and physical security exercises. These exercises aim to enhance the preparedness and responsiveness of all involved parties.
In the U.K., the National Protective Security Authority (NPSA) provides information, personnel, and physical security advice to the businesses and organizations which make up the U.K.’s CNI, helping to reduce its vulnerability to terrorism and other threats. It can call on resources from other government departments and agencies as well. These include MI5, the Communications-Electronics Security Group (CESG), the National Cyber Security Center (NCSC), and other government departments responsible for national infrastructure sectors.
There is an annual disaster response exercise called SIMEX (short for Simulated Exercise), which is the largest of its kind in the country. This exercise involves a range of activities, including live events, simulations, and command and control exercises, all aimed at testing disaster response plans, policies, and procedures. One important aspect of this exercise is testing critical sectors, such as finance, to assess their ability to withstand disruption and maintain operational resilience.
The U.S. conducts numerous exercises across its vast geographical expanse, tailored to each state’s specific needs. But imagine a world where disaster strikes and we are left unprepared, scrambling to protect our communities and recover from the chaos; what then? Thankfully, these exercises bring together the best minds in federal, state, local, tribal, private sector, and international partners.
One such program is the FEMA National Exercise Program (NEP), which aims to establish a consistent framework for designing, developing, conducting, evaluating, and planning exercise improvements.
Another critical exercise series is the National Level Exercise (NLE), held every two years, testing areas ranging from prevention and protection to mitigation, response, and recovery.
The Urban Shield exercise in the vibrant San Francisco Bay Area puts emergency responders to the test, pushing their limits and assessing their readiness. Then there’s the Vigilant Guard exercise series, which focuses on enhancing the coordination and response capabilities of National Guard units and their civilian partners.
These exercises are not just simulations; they are opportunities to evaluate and refine emergency response systems, fostering collaboration and preparedness among various stakeholders.
The Private Sector
The private sector develops robust systems to effectively identify and prevent attempted cyber and physical attacks. Comprehensive tests are conducted to identify any potential weaknesses or vulnerabilities. These tests are carried out using a mixture of automated tools and skilled penetration testers who employ both technological and manual approaches. Like a determined attacker, penetration testers will often perform site visits to see how close they can get to a control system.
Industrial control systems (ICS) are crucial in controlling and managing industrial processes across manufacturing, transportation, energy, and water treatment. These systems require round-the-clock protection to ensure seamless operations and optimal performance. Supervisory control and data acquisition (SCADA) is employed to manage ICS effectively.
Government Mandate
The federal government mandates that private industries within each critical economic sector assess their potential risks to physical and virtual interruption and implement measures to eliminate vulnerabilities and prevent attacks. The federal government has played a pivotal role in facilitating the monitoring and preparation for disabling events by developing a standardized description of critical infrastructure. This standardized framework allows for a comprehensive understanding and effective management of critical infrastructure vulnerabilities.
Lastly, critical infrastructure protection necessitates the establishment of a national capability to identify and monitor the key elements of critical infrastructure. By doing so, potential threats can be promptly identified, and appropriate actions can be taken to safeguard these critical assets.
Security of Key Suppliers to the CNI
In February 2021, Oldsmar, on Florida’s west coast, experienced a cyberattack on its water supply. A hacker maliciously took charge of the Industrial Control Systems (ICS) and boosted the sodium hydroxide (lye) level to 100 times higher than usual. Lye poisoning can cause burns, vomiting, severe pain, and bleeding.
On May 7, 2021, cybercriminals seized control of the Colonial pipeline through a Ransomware attack, which temporarily halted fuel supplies, causing fuel shortages, panic buying, and lengthy queues. The Colonial Pipeline Company promptly paid the hacker group (DarkSide) a ransom of 75 bitcoin, amounting to $4.4 million, within a few hours.
As you can see, the disruption to supply chains is far from trivial. The swift ransom payment highlights the significant impact even a single disruption can have on supply chains and the broader economy.
National Infrastructure Protection Plan
Safeguarding any CNI involves having an Incident Response (IR) plan in place and an entity responsible for implementing it, that is, an organization that oversees the security of a CNI.
| Year | Event |
| --- | --- |
| 2006 | The DHS in the U.S. establishes the National Infrastructure Protection Plan (NIPPS). |
| 2007 | The U.K. establishes the Centre for the Protection of National Infrastructure (CPNI). (In 2023, the CPNI is replaced by the National Protective Security Authority (NPSA), which has a broader scope for security matters.) |
| 2014 | Australia establishes the Australian Cyber Security Centre (ACSC). |
| 2018 | Canada sets up the Centre for Cyber Security (CCS). |
Protecting critical infrastructure and essential resources is a collective effort, with various stakeholders playing vital roles. It’s important to note that the private sector owns around 85% of the nation’s critical infrastructure and essential resources, encompassing important sectors such as Banks and Utilities.
- Critical national infrastructure protection is not a one-time task involving a few safety controls. Instead, it is a continuous and intricate effort that demands collaboration among government agencies, industry partners, and various stakeholders.
- A recent survey conducted by Bridewell Security has revealed that cybersecurity is a significant concern for organizations overseeing critical national infrastructure. A staggering 81% of respondents expressed worry about the potential dangers of cyber warfare aimed at the United States’ critical national infrastructure.
The Bottom Line
The Florida incident has shown how damaging it can be when someone intentionally targets our vital water resources. It’s easy to forget about the ripple effects that disruptions in our supply chains, such as the recent oil pipeline incident, can have on our society. But when acts of terrorism or cyberattacks happen, we quickly realize the personal impact they can have on our lives.
We must all remain vigilant, recognize the potential for an attack or sabotage, and report anything unusual. Together, we can create a world where disaster strikes, but we are ready.