Considerations for a Balanced Critical Infrastructure Security Strategy
Posted by: Christopher Warner
With the Presidential administration changeover happening soon, there has been much discussion of potential regulatory rollback, restructuring, or elimination of agencies like the Cybersecurity and Infrastructure Security Agency (CISA). Securing our nation’s critical infrastructure demands a mission-focused strategy that prioritizes public-private partnerships, embraces innovation, minimizes bureaucratic inefficiencies, and integrates OT/ICS security expertise alongside IT security.
Here is an outline of the critical infrastructure sectors and considerations for moving forward:
The 16 Critical Infrastructure Sectors:
- Chemical: Manufacturing and distribution of chemicals critical to health, life, safety, and industry.
- Commercial Facilities: Places where people gather for business, entertainment, or shopping.
- Communications: Critical telecom and internet services supporting daily operations and emergencies.
- Critical Manufacturing: Essential manufacturing for defense, energy, medicine, food, and other industries.
- Dams: Infrastructure controlling water flow, storage, and power generation.
- Defense Industrial Base: Supply chain critical to national defense.
- Emergency Services: Police, fire, and emergency medical systems.
- Energy: Production and distribution of electricity, oil, and natural gas.
- Financial Services: Banks, stock exchanges, and payment processors.
- Food and Agriculture: Farming, food production, and distribution systems.
- Government Facilities: Public services and administration at all levels.
- Healthcare and Public Health: Systems for delivering healthcare and responding to public health crises.
- Information Technology: Networks and systems enabling global communication and commerce.
- Nuclear Reactors, Materials, and Waste: Civilian nuclear facilities and materials management.
- Transportation Systems: Aviation, maritime, rail, pipelines, and highways.
- Water and Wastewater Systems: Drinking water and wastewater treatment and delivery.
A Path Forward for Private Sector Solutions
Approximately 71% of our nation’s critical infrastructure—such as power plants, water systems, emergency services, critical manufacturing of medicine, food, and supplies, as well as oil and gas operations—is managed by private organizations relying heavily on OT/ICS systems. Despite their critical importance, these systems are often overlooked in cybersecurity strategies, which predominantly focus on IT. This oversight creates a significant gap, as OT systems face distinct vulnerabilities, including safety-critical failures and prolonged downtimes, that IT-centric approaches cannot adequately address, putting public safety at risk.
To secure critical infrastructure, we need a paradigm shift that acknowledges IT and OT as interconnected components of a unified ecosystem. The convergence of these domains magnifies the risks of failing to address the OT/ICS gap, with potentially catastrophic impacts on national security and public safety.
A Balanced Strategy
While reducing regulation and restructuring agencies like CISA might lower government spending, it will also increase reliance on the private sector. A balanced approach is crucial—combining private-sector innovation with strategic government oversight to ensure long-term security and resilience.
1. Public-Private Collaboration:
- Action: Implement governance using established security frameworks that allow private sector innovation to address gaps in critical infrastructure protection while maintaining public accountability that aligns with our national security.
- Result: Maintain resilience and reduce dependency on fluctuating government resources that are not directly involved in the various private sectors operating critical infrastructure.
2. Risk-Based Approach:
- Action: Adopt standards like NIST CSF 2.0 for identifying, prioritizing, and mitigating risks with minimal regulatory burden.
- Result: Empower organizations to focus on vulnerabilities unique to their operations without being stifled by one-size-fits-all regulations. Compliance is NOT security.
3. Incentivize Private Sector Investments:
- Action: Create tax incentives, grants, and liability protections for businesses investing in cybersecurity and physical protection.
- Result: Encourage innovation and adoption of best practices without regulatory mandates.
4. Promote Resilience over Compliance:
- Action: Shift the focus from achieving compliance with standards to building robust, mission-oriented security systems.
- Result: Ensure critical infrastructure can operate through and recover from cyber and physical disruptions.
5. Enhance Information Sharing:
- Action: Strengthen trusted mechanisms for private entities to share threat intelligence without fear of legal or reputational risk.
- Result: Foster a collective defense model against sophisticated threats.
6. Leverage Emerging Technologies:
- Action: Invest in AI, machine learning, blockchain, and other technologies for predictive risk management and secure supply chains.
- Result: Future-proof critical infrastructure against evolving threats.
A Balanced Strategy
While eliminating regulation and restructuring agencies like CISA may reduce government spending, doing so places greater emphasis on the private sector's role. A balanced approach that combines private innovation with strategic government oversight is essential to ensuring long-term security and resilience across all critical infrastructure sectors.
Christopher Warner
Senior Security Consultant - OT,
GuidePoint Security
Chris Warner has over 25 years of experience in operational technology (OT), IT, and Cyber-Physical Systems, having held roles as an assessor, integrator, advisor, and thought leader across all 16 Critical Infrastructure Sectors.
Chris has significant experience leading various Information Security services, including security program reviews, governance, risk, and compliance (GRC) assessments, security program development, policy creation, and various advisory services to help organizations establish a unified view of risk.
Chris has earned a Master of Business Administration (MBA e-business), a Master of Arts in Organizational Management, a Bachelor of Science in Business Management, an Associate in Avionics Engineering, and the OPSWAT OT Security Expert Certification. Additionally, Chris is a USAF Disabled Veteran, a veteran member of InfraGard, and has held Tier 5 Top Secret/SCI/Q/Polygraph with Lifestyle clearances. Currently, Chris holds a Secret Clearance with the FBI and CISA.