January 7, 2025

With the Presidential administration changeover happening soon, there has been much discussion of potential regulatory rollback, restructuring, or elimination of agencies like the Cybersecurity and Infrastructure Security Agency (CISA). Securing our nation’s critical infrastructure demands a mission-focused strategy that prioritizes public-private partnerships, embraces innovation, minimizes bureaucratic inefficiencies, and integrates OT/ICS security expertise alongside IT security.

Here is an outline of the critical infrastructure sectors and considerations for moving forward:

The 16 Critical Infrastructure Sectors:

1. Chemical: Manufacturing and distribution of chemicals critical to health, life, safety, and industry.
2. Commercial Facilities: Places where people gather for business, entertainment, or shopping.
3. Communications: Critical telecom and internet services supporting daily operations and emergencies.
4. Critical Manufacturing: Essential manufacturing for defense, energy, medicine, food, and other industries.
5. Dams: Infrastructure controlling water flow, storage, and power generation.
6. Defense Industrial Base: Supply chain critical to national defense.
7. Emergency Services: Police, fire, and emergency medical systems.
8. Energy: Production and distribution of electricity, oil, and natural gas.
9. Financial Services: Banks, stock exchanges, and payment processors.
10. Food and Agriculture: Farming, food production, and distribution systems.
11. Government Facilities: Public services and administration at all levels.
12. Healthcare and Public Health: Systems for delivering healthcare and responding to public health crises.
13. Information Technology: Networks and systems enabling global communication and commerce.
14. Nuclear Reactors, Materials, and Waste: Civilian nuclear facilities and materials management.
15. Transportation Systems: Aviation, maritime, rail, pipelines, and highways.
16. Water and Wastewater Systems: Drinking water and wastewater treatment and delivery.

A Path Forward for Private Sector Solutions

Approximately 71% of our nation’s critical infrastructure—such as power plants, water systems, emergency services, critical manufacturing of medicine, food, and supplies, as well as oil and gas operations—is managed by private organizations relying heavily on OT/ICS systems. Despite their critical importance, these systems are often overlooked in cybersecurity strategies, which predominantly focus on IT. This oversight creates a significant gap, as OT systems face distinct vulnerabilities, including safety-critical failures and prolonged downtimes, that IT-centric approaches cannot adequately address, putting public safety at risk.

To secure critical infrastructure, we need a paradigm shift that acknowledges IT and OT as interconnected components of a unified ecosystem. The convergence of these domains magnifies the risks of failing to address the OT/ICS gap, with potentially catastrophic impacts on national security and public safety.

A Balanced Strategy

While reducing regulation and restructuring agencies like CISA might lower government spending, it will also increase reliance on the private sector. A balanced approach is crucial—combining private-sector innovation with strategic government oversight to ensure long-term security and resilience.

1. Public-Private Collaboration:

• Action: Implement governance using established security frameworks that allow private sector innovation to address gaps in critical infrastructure protection while maintaining public accountability that aligns with our national security.
• Result: Maintain resilience and reduce dependency on fluctuating government resources that are not directly involved in the various private sectors operating critical infrastructure.

2. Risk-Based Approach:

• Action: Adopt standards like NIST CSF 2.0 for identifying, prioritizing, and mitigating risks with minimal regulatory burden.
• Result: Empower organizations to focus on vulnerabilities unique to their operations without being stifled by one-size-fits-all regulations. Compliance is NOT security.

3. Incentivize Private Sector Investments:

• Action: Create tax incentives, grants, and liability protections for businesses investing in cybersecurity and physical protection.
• Result: Encourage innovation and adoption of best practices without regulatory mandates.

4. Promote Resilience over Compliance:

• Action: Shift the focus from achieving compliance with standards to building robust, mission-oriented security systems.
• Result: Ensure critical infrastructure can operate through and recover from cyber and physical disruptions.

5. Enhance Information Sharing:

• Action: Strengthen trusted mechanisms for private entities to share threat intelligence without fear of legal or reputational risk.
• Result: Foster a collective defense model against sophisticated threats.

6. Leverage Emerging Technologies:

• Action: Invest in AI, machine learning, blockchain, and other technologies for predictive risk management and secure supply chains.
• Result: Future-proof critical infrastructure against evolving threats.

A Balanced Strategy

While eliminating regulation and restructuring agencies like CISA may reduce government spending, it emphasizes the private sector’s role more. A balanced approach that combines private innovation with strategic government oversight is essential to ensuring long-term security and resilience across all critical infrastructure sectors.