In our volatile and rapidly evolving world, the security and resilience of critical infrastructure have become paramount. Nation-states and other malicious actors are increasingly targeting critical infrastructure to spread fear and panic or as a stealth target in kinetic conflicts, making headlines frequently.
The U.S. Department of Homeland Security (DHS) has just released a comprehensive strategic guidance document detailing national priorities for critical infrastructure security and resilience for 2024-2025. This initiative aims to bolster the nation’s defenses against a spectrum of threats, including cyberattacks and climate change.
This article will break down the key elements of this strategic guidance, offering an in-depth look at the five priority risk areas and the strategies designed to address them.
Enhancing U.S Critical Infrastructure Security
The strategic guidance underscores the importance of protecting critical infrastructure systems such as energy grids, water systems, transportation networks, healthcare facilities, and communication networks. These systems are integral to public safety, economic stability, and national security, making them prime targets for cyberattacks, physical sabotage, and natural disasters.
Priority Risk Areas for U.S Critical Infrastructure Security
The guidance identifies five key risk areas requiring immediate attention:
- Addressing Cyber and Other Threats Posed by the People’s Republic of China (PRC)
- Managing Risks and Opportunities from Artificial Intelligence (AI) and Emerging Technologies
- Identifying and Mitigating Supply Chain Vulnerabilities
- Incorporating Climate Risks into Sector Resilience Efforts
- Addressing Growing Dependency on Space Systems and Assets
Each area is examined in detail, highlighting the challenges and strategic approaches necessary to mitigate these risks.
Addressing Cyber and Other Threats Posed by the PRC
The PRC is notably the first threat mentioned in the guidance, indicating that China is now considered the top state actor targeting U.S. critical infrastructure. The U.S. Intelligence Community has highlighted the PRC’s capabilities to launch cyberattacks on critical infrastructure, aiming to disrupt key systems and achieve strategic objectives. The strategic guidance stresses coordinated efforts among DHS, Sector Risk Management Agencies (SRMAs), state and local governments, and private sector partners to develop effective mitigation strategies.
Operational Collaboration
Efforts to enhance operational collaboration include:
- Timely and Actionable Intelligence: Utilizing intelligence to craft mitigation strategies.
- Cross-Sector Risk Management: Supporting resilience efforts across critical sectors.
- Enhanced Information Sharing: Strengthening two-way information sharing within the critical infrastructure community.
Managing Risks from Artificial Intelligence and Emerging Technologies
Takepoint Research has been actively monitoring the dual impacts of AI and emerging technologies on industrial cybersecurity, noting both opportunities and risks. AI’s role in cybersecurity is complex, with potential to both enhance and threaten critical infrastructure security.
AI holds substantial promise for enhancing cybersecurity measures. It facilitates real-time threat detection and response, streamlines repetitive tasks, and offers predictive insights to preempt potential attacks. For example, AI’s capability to process extensive network traffic data allows it to detect anomalies that may signify security breaches, thereby enabling more rapid and effective countermeasures.
Nevertheless, the integration of AI into cybersecurity is a double-edged sword. Cybercriminals are leveraging AI to craft advanced attack techniques, including AI-driven malware and sophisticated phishing schemes. Generative AI technologies can produce highly convincing deepfakes and automate social engineering attacks, increasing their stealth and complexity. The proliferation of AI-powered tools on the dark web and the potential surge in AI-driven vishing (voice phishing) attacks are pressing concerns for cybersecurity professionals.
In light of these developments, the strategic guidance under Executive Order 14110 emphasizes proactive measures to ensure the safe, secure, and trustworthy development and use of AI.
Key Measures
- AI Risk Assessments: Conducting annual AI risk assessments for critical infrastructure.
- Safety and Security Guidelines: Integrating DHS guidelines into sector-specific risk management plans.
- Technology-Informed Risk Mitigation Tools: Leveraging AI and other technologies to enhance security.
Mitigating Supply Chain Vulnerabilities in U.S Critical Infrastructure Security
The resilience of supply chains has become a national security priority, especially after the COVID-19 pandemic exposed vulnerabilities in offshoring critical supply chains. Adding to these concerns is the threat posed by the Houthi rebels in Yemen targeting international shipping routes, which has further highlighted the fragility of global supply chains. The strategic guidance outlines steps to identify and mitigate supply chain vulnerabilities.
Critical Actions
- Visibility into Shared Risks: Expanding visibility into systemic risks.
- Supply Chain Resilience Center: Coordinating efforts to assess and mitigate potential disruptions.
- Rebuilding American Supply Chains: Strengthening resilient American supply chains, as initiated by Executive Order 14017.
Addressing Dependency on Space Systems
Critical infrastructure increasingly depends on space-based services such as GPS and satellite communications. This reliance introduces new risks, including cyberattacks, across many critical infrastructure sectors and beyond. The strategic guidance emphasizes assessing and mitigating these space-related risks.
Mitigation Strategies to ensure U.S Critical Infrastructure Security
- Protecting Space Systems: Developing plans to secure space-related infrastructure.
- Assessing Reliance on Space Services: Understanding dependencies and potential cascading impacts.
Priority Risk Mitigations
To address these risks, the strategic guidance outlines several all-hazards priority risk mitigations:
- Building Resilience to Withstand and Recover Rapidly from All Threats and Hazards: Building resilience involves developing systems and infrastructure capable of resisting and recovering from a wide range of threats and hazards, including natural disasters, cyber-attacks, and other man-made disruptions. Industrial Cybersecurity best practices emphasize the importance of resilience in ensuring the continuous delivery of essential services. This approach includes designing redundancy into critical systems, employing robust disaster recovery plans, and conducting regular resilience testing to identify and address vulnerabilities.
- Adopting Security and Resilience Baseline Requirements: Establishing baseline requirements for security and resilience is a fundamental step in mitigating risks across critical infrastructure. Best practices indicate these baseline requirements should encompass both cybersecurity measures and all-hazards controls. This involves setting minimum standards for protection against cyber threats, physical attacks, and other potential disruptions. For example, implementing multi-factor authentication, regular patching of software, and physical security measures such as surveillance and access controls can significantly reduce vulnerabilities.
- Incentivizing Service Providers to Drive Down Risk at Scale: Encouraging vendors and OEMs to adopt secure-by-design principles is essential for reducing risks across the supply chain. Incentives can include regulatory benefits, financial rewards, or public recognition for companies that prioritize security and resilience in their offerings. By promoting secure design practices, organizations can ensure that their products and services are more resistant to both cyber and physical threats from the outset.
- Identifying Areas of Concentrated Risk and Systemically Important Entities: Prioritizing risk mitigation efforts for areas of concentrated risk and systemically important entities is critical for national and global security. Best practices include conducting thorough risk assessments to identify these high-risk areas and entities. This process involves mapping out critical dependencies, analyzing potential impact scenarios, and developing targeted mitigation strategies. For instance, power grids and healthcare systems often fall into this category and require specialized protection measures to ensure their continued operation during a crisis.
The strategic guidance from DHS offers a comprehensive framework to bolster U.S Critical Infrastructure Security and resilience against a wide array of threats, ensuring the nation is well-prepared for future challenges. This approach is worth examining closely, as it may offer benefits across a broader range of industries.
