Analecta Cyber Company Blog: Where Does Your Company Fit in Critical Infrastructure?


Where Does Your Company Fit in Critical Infrastructure?

critical infrastructure power lines graphic - Analecta LLC Where does your company fit in critical infrastructure banner - Analecta LLC Small and medium-sized businesses (SMBs) play a significant role in not only our nation’s economy but also the personal lives of those in the community. Many of these SMBs make up portions of the U.S. critical infrastructure. The NIST cybersecurity framework charges companies with the task of understanding where their organization fits within its environment to better inform cybersecurity and risk management decisions. Specifically, organizations need to:
  1. Know if and how they fit into the nation’s critical infrastructure
  2. Identify the specific industry sector relevant to their organization
  3. Communicate this information to the decision makers within the organization

What is critical infrastructure? 

When considering critical infrastructure, a few things may come to mind: power grids, the stock market, national defense, disaster relief, etc. However, critical infrastructure also includes essential systems, functions or services that are considered vital to the nation such that any disruption or destruction would have a debilitating effect on national economic security, national public health/safety, and any combination of these.

The Department of Homeland Security (DHS) is the government body charged with managing the concept of critical infrastructure as a whole. In turn, U.S. critical infrastructure is further divided into 16 different sectors based on function:

The DHS is the sector-specific advisor for the following U.S. sectors:
1. Chemical 
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Emergency Services
7. Information Technology
8. Nuclear Reactors, Materials, and Waste
These sectors are co-managed by DHS or by other sector-specific advisors:
9. Transportation Systems: DHS and Department of Transportation (DoT)
10. Government Facilities: DHS and General Services Administration (GSA)
11. Defense Industrial Base: Department of Defense (DoD)
12. Energy: Department of Energy (DoE)
13. Financial Services: Department of the Treasury (DOTR)
14. Food and Agriculture: DHS and U.S. Department of Agriculture (USDA)
15. Healthcare and Public Health: Department of Health and Human Services (HHS)
16. Water and Wastewater Systems: Environmental Protection Agency (EPA)
Most people may not consider retail as critical infrastructure…

"In the past we hadn't necessarily viewed retail as a critical infrastructure per se, but in the aftermath of some very noteworthy cyber breaches such as the Target breach in 2013, we realized that the retail sector is a critical part of our economy and therefore needs to be included in that critical infrastructure."

Gregory Touhill 
Deputy Assistant Secretary for Cybersecurity Operations; DHS 
Critical Infrastructure Threats and Defenses Evolve Together, Federal Times July 11, 2016

Where do you fit within the 16 sectors? 

According to the U.S. Chamber of Commerce, 85% of our nation’s critical infrastructure is owned or operated by members of the private sector. Understanding that your industry is a component of the nation’s critical infrastructure may be straightforward. Identifying exactly where your business has an impact on critical infrastructure is somewhat more challenging.

Explore the different critical infrastructures outlined by Presidential Policy Directive 21 (PPD-21) as explained by DHS. Each individual sector is displayed with an overview, the sector-specific plan for the risk landscape and resources or contact information. Some of these resources have cybersecurity-specific applications. For example, the Transportation Systems sector has information spelling out guidance on how to apply the NIST cybersecurity framework to that specific industry.

critical infrastructure power lines graphic - Analecta LLC

Asking some tough questions

If you are still having trouble seeing exactly where you fit, even though your industry is included in critical infrastructure, try this: visualize the impact of a major power outage due to a sophisticated cyber attack. Can you readily imagine a scenario similar to that but involving your own business?
  • If you are an SMB in the healthcare industry, such as a family medical practice in a small town, what would the impact be if hackers were able to breach your systems?
  • Are you tied into a regional health network where they would be able to bring down systems?
  • What if your company is a small investment firm?
  • Are you a contractor for a local wastewater treatment plant?
  • Are you a subcontractor for a state-wide communications provider?
All of these company types involve critical services. If taken down by a cybersecurity threat or a system breach, your company's services may have a detrimental impact on the nation. Take the time to understand where your company fits into critical infrastructure and make sure your risk assessment and recovery plan addresses this component.

Keeping everyone on the same page

Communication is a key business skill, and it is especially important to keep everyone involved and informed when it comes to protecting critical infrastructure.
  • Once you identify which sector your organization belongs, get involved with other businesses within the same sector. Analecta’s Collaborating with Threat Sharing Groups discusses types of information sharing and analysis organizations based on industry-specific companies.
  • In addition to private sector threat sharing groups, get involved with public sector points of contact to ensure you have the most current threat picture. DHS National Cybersecurity and Communications Integration Center is a good place to start because of the central role DHS plays in managing critical infrastructure.
  • Make sure your employees understand that they are a part of the process to keep critical infrastructure protected and working as designed. Well-informed employees will work more in line with your mission or objectives.
  • Share the information gained from the information sharing and analysis organizations and government resources to empower your employees. Hold round-table discussions or focus groups to encourage innovative ideas about improving cybersecurity. 

Stay Informed!

The NIST Small Business Cybersecurity Act recently became a public law in August 2018. This law requires NIST to keep small businesses in mind when it develops guidelines or procedures to reduce cyber risks to critical infrastructure. The world of cybersecurity is constantly changing, and it pays to be “in-the-know” with the latest cybersecurity strategies and regulations.

We can help your business stay current on important topics that can keep your business more secure.  Send us an email us at or visit the Cybersecurity page on our website. We are here to help!

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives.

Further Resources

No comments :

Post a Comment