Critical infrastructures drive all of the necessary functions upon which society depends, yet society, for the most part, completely ignores them. Prior to an attack on American soil, little thought was given to the brittle nature of these complex systems, networks, and assets. In previous decades, the only real threats facing infrastructure came from natural disasters, which tend to be localized to one region and have a fixed and, at times, predictable duration. Additionally, most of the attention paid to these systems came as the result of human error, Murphy’s Law, and routine maintenance necessitated by the inevitable aging process. Until the bombing of the Murrah Federal Building in Oklahoma City in 1994, few paid attention to malicious acts targeting these critical components. In the years following this domestic terror attack, preparation for Y2K (2000), fall-out from post-9/11 events, and the 2003 blackout of the northeast have all served as reminders of just how fragile these systems have become and can become.
Critical infrastructures are the complex and highly interdependent systems, networks, and assets that provide the services essential in our daily life. They are currently organized into the following 17 critical infrastructure and key resource (CI/KR) sectors: Banking and Finance; Chemical; Commercial Facilities; Commercial Nuclear Reactors, Materials, and Waste; Dams; Defense Industrial Base; Drinking Water and Wastewater Treatment Systems; Emergency Services; Energy; Food and Agriculture; Government Facilities; Information Technology; National Monuments and Icons; Postal and Shipping; Public Health and Healthcare; Telecommunications; and Transportation Systems.1 The Energy, Telecommunications, Transportation, and Water Sectors represent just a few of the basic services that we continually rely on day after day, services that enable us to heat or cool our homes, talk to one another over the telephone, travel to work, and even have clean water to drink. With our increasing dependence upon critical infrastructure comes an unavoidable expansion in complexity as these sectors seek to build upon their already stretched capacity to provide new services and products to a growing population.
Given the criticality of the systems, networks, and assets we rely on so greatly, the protection of such infrastructure is essential to not only our well-being, but also our way of life. Critical infrastructure protection, commonly referred to as CIP, is a priority for the Federal government, as well as the private sector and state, local, and tribal governments. With approximately 85 percent of the Nation’s critical infrastructure owned by the private sector, and no single, overarching body managing this infrastructure, the task of protecting critical infrastructure is daunting. Critical infrastructures must be protected from all hazards, both natural and man-made disasters and terrorism, whether a cyber-related threat or large-scale physical attack. Hurricanes, earthquakes, fires, and train crashes can impact infrastructure just as much as a premeditated act aimed at disrupting services or harming the populace. Considering this, we must better understand the Nation’s infrastructure to ensure its protection.
Not all infrastructures are critical and not all critical infrastructures have the same criticality. To adequately address CIP and determine what is really critical, a step-by-step analytical process must be implemented. This process should be used to determine critical systems, identify vulnerabilities, and focus survivability enhancements on critical areas. Identifying interdependencies and interoperabilities between systems also helps us to understand what assets are truly critical and need to be protected the most. Following this analysis, steps can be taken to mitigate vulnerabilities amongst critical assets. Guaranteeing critical systems redundancy and diversity is key to ensuring that critical systems survive threats from all hazards. For instance, if two power lines run on the same path for redundancy and one line is damaged, the second line will also face interference. By guaranteeing diversity and spreading power lines out on different paths, the likelihood of both lines going down simultaneously is lessened. Additionally, single-point vulnerabilities should be protected, minimized, or eliminated if possible. Moreover, protection at each critical node should be commensurate with realistic threats. If a single-point vulnerability or critical node of failure is damaged, entire systems, networks, or assets will be affected regardless of other protective measures in place to prevent disruption of services. Finally, alternative systems use, rerouting of capabilities, and functioning under reduced capacities should be considered during any CIP process. While it is impossible to protect all critical infrastructures, using this basic approach allows for the prioritization of assets and resources based on criticality and assists us in better protecting our Nation’s CI/KR.
It is with the knowledge gained from analyzing infrastructure and various interdependencies that we can have a greater understanding of the cascading effects caused by damage to a particular asset and protect that asset accordingly. Appreciating that an asset may be more critical than another, due to its effect on other infrastructure and essential services, plays an important role when looking at CIP. If an electric substation is damaged and the electricity goes out, railroad operations are hampered and the flow of area traffic is impacted, causing a decreased movement of commodities and potential complications for emergency services. Thus, that electric substation must be protected not only for the Energy Sector, but also for the safeguarding of other sectors’ infrastructure. Similarly, if a major port is closed and transportation from that port ceases, the cascading effects of that closure can disrupt the value chain of commerce, in turn affecting the Nation’s economy. For example, the food and agriculture industry across the country may be affected by a lack of incoming supplies necessary for the production of industry goods and also may suffer from a slowdown in agricultural trade activity. Protecting ports and ensuring that their operations do not cease will help enable other sectors’ infrastructure to conduct regular business with less interruption to services. Advances in technology and Supervisory Control and Data Acquisition (SCADA) systems have increased these interdependencies, enhancing sector operations but creating additional vulnerabilities. Such vulnerabilities and gaps in security must be addressed to adequately protect critical infrastructure. Without the protection of CI/KR, our Nation is vulnerable to attack or negative impact from various natural or man-made disasters and may also experience disruption in the delivery of essential services that support our citizenry.
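The interdependency analysis described above, and the redundancy-versus-diversity point about power lines sharing a path, can be made concrete with a small dependency model. This is an added example, not part of the original essay: the asset names and dependency edges are constructed from the essay's substation, port, and power-line illustrations, and treating a shared path as a common dependency is a modeling assumption.

```python
# Constructed model: each asset lists requirement groups. A group is a set of
# interchangeable providers; the asset fails once any group has no surviving
# provider. Assets that appear only as providers are roots with no dependencies.
SHARED_PATH = {
    "line_1": [{"corridor_a"}],
    "line_2": [{"corridor_a"}],            # redundant line, but on the same path
    "substation": [{"line_1", "line_2"}],  # either line can feed the substation
    "railroad": [{"substation"}],
    "area_traffic": [{"substation"}],
    "commodity_movement": [{"railroad", "area_traffic"}],
    "emergency_services": [{"area_traffic"}],
    "food_and_agriculture": [{"port"}],
}
# Same system with the second line routed on a different path (diversity).
DIVERSE_PATHS = {**SHARED_PATH, "line_2": [{"corridor_b"}]}


def cascade(deps, initial):
    """Return every asset that is down after the assets in `initial` fail."""
    failed = set(initial)
    changed = True
    while changed:  # iterate to a fixpoint so failures propagate fully
        changed = False
        for asset, groups in deps.items():
            if asset not in failed and any(g <= failed for g in groups):
                failed.add(asset)
                changed = True
    return failed


def single_point_ranking(deps):
    """Rank assets by how many other assets are lost if that asset alone fails."""
    assets = set(deps) | {p for groups in deps.values() for g in groups for p in g}
    impact = {a: len(cascade(deps, {a})) - 1 for a in assets}
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, deps in (("shared path", SHARED_PATH), ("diverse paths", DIVERSE_PATHS)):
        print(name)
        for asset, lost in single_point_ranking(deps)[:4]:
            print(f"  {asset}: {lost} dependent assets lost")
```

In the shared-path model the corridor is the top single point of failure despite the duplicated line; with diverse routing it drops to the same impact as any one line, and the substation becomes the node where protection matters most.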
The systems that support our daily activities and way of life are clearly complex and vulnerable, yet also must be reliable and resilient to continue providing us with the essential services we depend on. Everything from banking to emergency response to government operations depends on normal operation of numerous sectors. As a society, we must continue to explore ways to protect and ensure the reliability of our critical infrastructures. Government agencies, private industries, educational institutions, and citizens all have a vested interest in our critical infrastructures and should strive to have a better understanding of the relationships between sectors, the criticality of assets, and the need for protection of those assets against all hazards.
Additional information on critical infrastructure and CIP may be found in the CIP Library.
The Critical Infrastructure Protection Program | George Mason University School of Law | 3301 N. Fairfax Drive | MS 1G7 | Arlington, VA 22201 | Phone: (703) 993-4840 | Fax: (703) 993-4847