Securing Critical Infrastructure: An Imperative for Supply Chain Risk Management
What is Critical Infrastructure?
The term critical infrastructure is defined in the USA PATRIOT ACT as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Any incident impacting critical infrastructure can cause ripple effects well beyond that impacted business. For example, the shutdown of NordStream 1, critical infrastructure in Europe, on September 2, 2022, impacted supply chains across several critical infrastructure industries — shutting down fertilizer plants, cutting steel supplies and impacting global shipping prices. And in order to function, critical infrastructure companies are reliant on a web of third-party entities that introduce ongoing risk to their supply chain.
Critical infrastructure includes energy, water, chemicals, nuclear facilities and the Defense Industrial Base. IT companies and cloud service providers are other vital critical infrastructure that face supply chain threats and physical interruptions that could have cascading impacts.
To secure critical infrastructure, identifying and remediating risks across sectors is paramount. As digitalization and interconnectivity continue to intensify, mitigating supply chain risk across critical infrastructure sectors is crucial for the health, safety and well-being of communities, and even more so for collective national security.
Defining Critical Infrastructure Sectors
The U.S. government has traditionally framed critical infrastructure within 16 sectors. Businesses operating in each of those sectors are considered to be part of critical infrastructure.
In the United States, critical infrastructure sectors are defined by Presidential Policy Directive 21 (PPD-21), and work to manage risk associated with them is coordinated by the United States Department of Homeland Security (DHS) via the Cybersecurity & Infrastructure Security Agency (CISA). The NIST Cybersecurity Framework established a risk mitigation approach that critical infrastructure entities should use for managing cyber risks.
In Europe, the European Programme for Critical Infrastructure Protection (EPCIP) defines critical infrastructure sectors based on EU COM(2006) 786. And in the United Kingdom, the Centre for the Protection of National Infrastructure (CPNI) oversees critical infrastructure policy and preparedness.
Across the Organization of Economic Coordination and Development members, most countries generally agree on many of the same sectors, policies and loose frameworks — despite divergent assets and an ever-evolving landscape of regulatory requirements.
The 16 Sectors that Make Up U.S. Critical Infrastructure
The National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience (NIPP 2013) lays out a largely voluntary, collaborative approach to managing critical infrastructure risk, which is augmented through certain sector-specific regulations. Demonstrating commitment to security of critical infrastructure is crucial for businesses operating in the 16 sectors.
Over the past few years, each of these sectors have been impacted by supply chain failures, cyber attacks, severe weather and geopolitical risks. From the Colonial pipeline attack to a Florida water treatment plant hack that threatened clean drinking water, the need to bolster security and mitigate risk in these sectors is vital.
All of these sectors are interconnected, and all of them have a global supply chain presence. As noted by the World Economic Forum, cellular base stations — which are critical infrastructure assets — are often only protected by generators capable of supplying power during a blackout for a single day.
Given the tight margins telecommunication companies operate under, government entities are wary of forcing regulatory purchases. But these blackouts would impact chemicals, energy, defense, healthcare and virtually every other critical infrastructure sector.
CISA’s Plans for the 16 U.S. Critical Infrastructure Sectors
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
The Significance of Systemically Important Critical Infrastructure
Kolasky believes it important to prioritize systemically important critical infrastructure that enable “lifeline functions” — things like communications, transportation, electricity, water and other essential infrastructure. Since communities rely on this systemically important critical infrastructure on a daily basis, particularly for communications, electricity and banking, disruptions can have cascading impacts across communities and a real-world impact.
“When we start to think about systemically important infrastructure, we recognize that it’s the hardware, software and control systems that enable infrastructure to function. They also hold some systemic importance because there could be systemic vulnerabilities if they’re exploited,” says Kolasky.
For example, satellite communications and position navigation timing services are important across infrastructure sectors, so an attack on the GPS system or satellite communications would cascade across multiple infrastructure sectors and have a systemic impact. By prioritizing and making sure that those services are protected, companies can minimize the consequences of loss of operations when incidents happen.
The US Cyberspace Solarium suggests these systemically important critical infrastructures should receive special assistance from the federal government in return for shouldering responsibility for additional security, risk management and information-sharing.
In practice, efforts to protect systemically important critical infrastructure require intense collaboration between public and private entities. Government assistance would help to solidify these systems and assets, while also rewarding the information-sharing necessary for a collaborative public-private ecosystem.
Increased globalization, unwieldy supply chains and the high level of interconnectedness present a major challenge for securing critical infrastructure sectors. To truly identify and remediate risk across every supply chain node, AI and deep learning need to be applied at scale.
It’s important to recognize that even if you’re good at what you’re doing on your own systems, there’s still some inherent risk by who you do business with, and managing that risk is important.”
Address Risk to Critical Infrastructure
Intensified political tensions, trade disputes, natural disasters, terrorist attacks, digital threat actors and complex supply chains threaten critical infrastructure. Disruption is no longer a remote possibility; it is inevitable.
Often, organizations operating critical infrastructure have put significant resources into building system resilience at the core of their operations. But downstream suppliers and supply chain nodes can harbor hidden risks and vulnerabilities. To secure critical infrastructure, organizations should prepare for disruption by focusing on how to adequately assess and respond to risks across every node in their supply chain.
Identify Critical Risks in Your Supply Chain with Exiger
Public and private entities need to build supply chain security and resilience to combat today’s complex threat landscape. All organizations operating in critical infrastructure sectors should be cognizant of the ongoing supply chain threats that surround them daily, and they should have the tools and technology to identify, quantify and remediate those risks.
Exiger is at the forefront of supply chain risk management for critical infrastructure sectors, arming government entities and Fortune 250 companies with the intelligence to detect, quantify and mitigate risk. Supply Chain Explorer can rapidly detect threats across every supplier in your ecosystem.
Our DDIQ platform uses AI and natural language processing to detect virtually any type of disruption in the larger global ecosystem. Each risk situation is easily digestible, highly relevant and customized to your needs.
To learn how Exiger can help you align with CISA, NIST and sector-specific guidance for supply chain risk management, contact us.
Expert-Backed, Technology-Powered Risk Management
Discover how Exiger’s award-winning, AI-powered technology is changing the way critical infrastructure stakeholders manage risk.
Third Party Risk Management
Supply Chain Risk Management
A clear and dynamic view of supply chain risk
Supply Chain Management
End-to-end supply chain visibility