
Tenable Blog


What is Critical Infrastructure and How Should We Protect It?

We hear a lot these days about critical infrastructure, and the importance of protecting it. But what exactly is “critical infrastructure,” what are the greatest threats to it, and what are the best ways to protect it from those threats? 

What is Critical Infrastructure? 

According to the U.S. Department of Homeland Security (DHS), which is the federal agency charged with oversight of its protection, critical infrastructure consists of “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” 

Substitute any other nation for “United States” and the definition remains equally applicable: for any nation to assure the safety, health and welfare of its citizens, that nation must make critical infrastructure protection a top priority. DHS lists 16 critical infrastructure sectors and assigns primary sector-specific responsibility for each sector to an agency. For a complete list of the sectors, and the agencies assigned to each, visit the DHS website.

What are the primary threats facing critical infrastructure?

Now that we have our working definition of critical infrastructure, let’s look at the primary threats to it. 

A generation or two ago, those threats were pretty much all tangible, physical threats that could be countered with tangible, physical defenses. Think old war movies — blowing up or defending bridges and railroad tracks, etc. Those kinds of tangible, physical threats continue today, as do natural disasters, such as hurricanes, floods and wildfires, and they can cause serious harm to people and nations.

The inclusion of “virtual” infrastructure in the DHS definition is a relatively new phenomenon, and the primary threats to that infrastructure are even more difficult to counter. Sometimes the virtual infrastructure combines with the physical — attackers may attempt to use virtual control systems to deliver physical threats or make virtual threats to physical infrastructure — creating the need for a multi-faceted response. This combination of virtual and physical is growing exponentially today, as virtual connections to physical infrastructure, aka the internet of things (IoT), become increasingly mainstream.

How do we protect critical infrastructure?

With that definition and understanding of what critical infrastructure is, and what types of threats endanger it, let’s examine how we should protect it. 

The Cybersecurity and Infrastructure Security Agency (CISA), created by Congress in November 2018, is the DHS agency charged with primary critical infrastructure protection responsibility. 

CISA, according to its website, “leads the coordinated national effort to manage risks to the nation's critical infrastructure and enhance the security and resilience of America's physical and cyber infrastructure.” Breaking down this summary statement, CISA identifies three key elements of critical infrastructure protection: 

  • managing risk to that infrastructure; 
  • enhancing security of that infrastructure; and 
  • enhancing resilience of that infrastructure. 

Let’s look at these three elements in the context of the growing virtual threats to physical and virtual infrastructure.

Managing risk to critical infrastructure

The National Risk Management Center (NRMC), an entity within CISA that also came into existence in 2018, leads the charge when it comes to the agency’s risk management guidance. NRMC identifies itself as “a planning, analysis, and collaboration center working to identify and address the most significant risks to our nation’s critical infrastructure.” 

We point to the words “most significant” as the central theme of risk management. No defense plan will provide absolute protection against all risks; the cornerstone of effective risk management is prioritization — identifying the most significant risks and taking actions to mitigate those risks. 

Risk-based prioritization is one of the primary components of effective cyber risk management. It is also a key component of the discipline of Cyber Exposure. Cyber Exposure recognizes that the modern attack surface reflects the increasing convergence of the virtual and the physical, and that as connectivity increases, so does the risk of cyber attack. Managing that risk is essential to the protection of critical infrastructure today, and will become even more essential in the future. 

Enhancing security for critical infrastructure

Enhancing security is, perhaps, the most fundamental component of critical infrastructure protection.

In the physical world, doing so involves basic actions such as locking doors, putting up fences and similar steps to address physical vulnerabilities. Similarly, in the cyber realm, security means identifying virtual vulnerabilities and addressing those vulnerabilities.

Practicing good cyber hygiene is Step 1 in enhancing cybersecurity. Lapses in basic cyber hygiene are the primary cause of security breaches. Bad actors are able to get through cyber “doors” when device owners do the following: use poor locks (think weak passwords); leave doors open (think unpatched vulnerabilities); or unwittingly give them the keys (think phishing scams).

Protecting critical infrastructure presents some unique challenges. For instance, Industrial Control Systems (ICS), which govern the operation of large industrial plants, cannot be actively scanned for vulnerabilities the way a virtual-only Information Technology (IT) environment can be scanned because such scans can knock the industrial systems offline, grinding operation of a major plant to a halt. 

The overarching category for these types of systems is Operational Technology (OT). OT systems, many of which pre-date the internet, have historically been standalone, “air gapped” systems, which minimized their vulnerability to cyber threats. In today’s connected world, however, that is quickly becoming the exception rather than the rule. 

Adapting cyber defenses to protect these systems requires a different approach. Tenable is addressing these challenges by leveraging its passive monitoring capabilities to deliver a solution that enables safe monitoring of OT assets in a converged IT-OT environment.      

Enhancing resilience of critical infrastructure 

To be resilient, in the parlance of the iconic Timex watch ads, is “to take a licking and keep on ticking.” 

As more formally defined in Presidential Policy Directive 21, the governing federal critical infrastructure protection authority, resilience is “the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.” In cyber-centric environments, resilience builds on security to round out a comprehensive cyber defense program that addresses all phases of preparation and implements steps to prepare for, and respond to, any cyber threats. 

To guide organizations in developing and implementing effective, comprehensive critical infrastructure protection programs, the National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework. According to NIST, a “prioritized, flexible and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.”

DHS offers an additional resilience-focused resource, the Cyber Resilience Review (CRR). This free resource can provide insight into an organization’s cyber resilience status and recommend areas for improvement. It includes a “NIST Framework crosswalk” feature to guide alignment and ensure comprehensive program implementation. A fact sheet is available with instructions for conducting a CRR and requesting DHS CRR support. 
