Author: Brian Haines
November not only marks the midpoint for football season, but it is also when the Cybersecurity and Infrastructure Security Agency (CISA) kicks off Critical Infrastructure Security and Resilience Month. Many people consider our transportation system as the fabric of the nation’s infrastructure, but those football stadiums are also considered infrastructure in the Commercial Facilities Sector. In fact, there are 16 critical infrastructure sectors considered vital to the safety and security of the nation. These include:
2. Commercial Facilities
4. Critical Manufacturing
6. Defense Industrial Bases
7. Emergency Services
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials and Waste
15. Transportation Systems
16. Water and Wastewater System
In football, a strong defensive line is needed to make a strong offensive line. Infrastructure sectors are interdependent in a similar way: a failure in one may cause cascading effects that impact a host of other areas.
“We have such an interesting relationship with critical infrastructure because it touches our everyday lives,” said Rachel McGrath, Critical Infrastructure Specialist with North Carolina Emergency Management. “When infrastructure is working how it’s supposed to, we don’t see it. We expect our lights to turn on when we flick the switch, we expect water out of our taps, sewage to be properly processed, our roads to be accessible. When these things aren’t working, they have a huge impact on our lives.”
FEMA’s Threat and Hazard Identification and Risk Assessment (THIRA) allows communities to evaluate their risks and how to address them. The assessment asks three basic questions:
1. What threats and hazards can affect our community?
2. If they occurred, what impacts would those threats and hazards have on our community?
3. Based on those impacts, what capabilities should our community have?
The THIRA framework describes three categories of risk: natural, technical and human. Natural risks are things like a tropical storm blowing down trees onto power lines, an earthquake, flooding, etc. Technical risks are issues such as a system failure at a water treatment plant or a hazmat tanker tipping over, essentially accidents that unintentionally impact the public. The human-caused threat is essentially a nefarious actor or actors who intentionally cause harm, such as damaging a substation, which causes massive power outages and possible communication outages, leaves a nursing home in the dark and much more.
“We are all stewards of our infrastructure. If you see something that doesn’t seem right, report it to the proper authorities—whether that’s law enforcement, emergency services, or your local utility.”
CISA is asking the nation to improve its playbook by resolving to be resilient, which allows for a quicker recovery after an event. By assessing the risk to your organization, making a plan and exercising it, and continuously improving and adapting to changing conditions and threats, you can protect your business.
Here are some infrastructure resources to help keep the game on:
- NC Department of Information Technology Cyber Incident Reporting
- CISA Industry - Public and Private Sector Partnerships
- CISA Resources & Tools
- National Risk and Capability Assessment