The United States designates sixteen critical infrastructure sectors whose assets, systems, and networks are considered so vital that their incapacitation or destruction would have a debilitating effect on national security, economic stability, or public health and safety. Defending these sectors against cyber threats is one of the most consequential challenges in modern security.
The sixteen critical infrastructure sectors
Presidential Policy Directive 21 (PPD-21), issued in 2013, identifies and assigns responsibility for sixteen sectors spanning the physical and digital backbone of the nation. Each sector has a designated Sector Risk Management Agency (SRMA) responsible for coordinating security efforts.
These sectors are deeply interdependent. A cyber incident in the energy sector can cascade into communications, water systems, transportation, and healthcare within hours.
The sectors include energy, water and wastewater, transportation, communications, healthcare, financial services, food and agriculture, government facilities, defense industrial base, information technology, nuclear reactors, chemical, commercial facilities, critical manufacturing, dams, and emergency services. The interdependencies between them mean that a compromise in one sector rarely stays contained.

Nation-state threat actors
The most capable adversaries targeting critical infrastructure operate with the resources, patience, and strategic objectives of nation-states. These actors conduct long-duration campaigns focused on access persistence rather than immediate exploitation — positioning themselves to disrupt operations during a future geopolitical crisis.
The goal of many critical infrastructure intrusions isn’t immediate damage — it’s establishing persistent access that can be leveraged as a strategic capability.
Publicly attributed campaigns have revealed distinct patterns among major threat actors:
- Pre-positioning operations — establishing persistent access within infrastructure networks that can be activated during a conflict
- Living-off-the-land techniques — using legitimate system tools and credentials rather than custom malware, making detection significantly harder
- Supply chain targeting — compromising trusted vendors and software providers to gain access to downstream infrastructure operators
- Reconnaissance of OT environments — mapping industrial control system architectures and understanding physical processes, indicating intent beyond simple data theft
SCADA and ICS security challenges
Securing industrial control systems presents unique challenges that don’t exist in traditional IT environments. The priorities are inverted — in IT, confidentiality typically comes first; in OT, availability and safety are paramount. A security patch that requires a system reboot might be routine for a web server but unacceptable for a system controlling a chemical process or a power grid.
IT Security Priorities      OT Security Priorities
─────────────────────       ─────────────────────
1. Confidentiality          1. Safety
2. Integrity                2. Availability
3. Availability             3. Integrity
                            4. Confidentiality
The Purdue Model for industrial network architecture remains a foundational concept for understanding how ICS environments should be segmented and defended. It layers a facility from the physical process (Level 0) up through basic control, supervisory control, site operations, an industrial DMZ, and enterprise IT, with traffic expected to cross only adjacent layers rather than jump directly from the corporate network to a controller.
Common challenges facing ICS defenders include:
- Network segmentation gaps — insufficient separation between corporate IT networks and operational technology environments
- Legacy system constraints — equipment running unsupported operating systems that cannot be patched or upgraded without replacing hardware
- Vendor access requirements — third-party maintenance access creating persistent entry points into sensitive networks
- Limited security monitoring — OT networks often lack the visibility tools standard in IT environments, creating blind spots for defenders
- Protocol vulnerabilities — industrial protocols designed for reliability in closed networks now exposed to adversaries through network convergence
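The Purdue layering and the segmentation-gap bullet above describe a policy that can be checked mechanically against observed traffic. The following Python script is an added example, not code from the original post or from the project repository it mentions: it assigns constructed sample subnets to Purdue zones, applies a simplified rule that a flow may cross at most one zone boundary (so corporate IT must reach site systems through the DMZ), and flags flows that break it, calling out well-known ICS protocol ports (Modbus/TCP 502, DNP3 20000, S7comm 102, EtherNet/IP 44818) when they appear. The subnet-to-zone inventory and the sample flows are constructed for illustration.

```python
"""Check observed network flows against a simplified Purdue-model segmentation policy.

Added example (not from the original post). Zone ordering follows the Purdue
levels; the subnet inventory and sample flows below are constructed data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Zones ordered from the physical process outward. Index distance between two
# zones is the number of Purdue boundaries a flow between them crosses.
ZONE_ORDER = ["L0", "L1", "L2", "L3", "DMZ", "L4", "L5"]

# Constructed inventory: which Purdue zone each subnet belongs to.
ZONE_SUBNETS = {
    "L1": ip_network("10.10.1.0/24"),   # PLCs, RTUs
    "L2": ip_network("10.10.2.0/24"),   # HMIs, SCADA servers
    "L3": ip_network("10.10.3.0/24"),   # historians, engineering workstations
    "DMZ": ip_network("10.10.9.0/24"),  # jump hosts, replicated historian
    "L4": ip_network("10.20.0.0/16"),   # corporate IT
}

# Well-known ICS protocol ports; a hit here makes a violation more serious.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm", 44818: "EtherNet/IP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its Purdue zone; anything outside the inventory is external (L5)."""
    ip = ip_address(addr)
    for zone, net in ZONE_SUBNETS.items():
        if ip in net:
            return zone
    return "L5"


def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation description, or None if the flow crosses at most one boundary."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    gap = abs(ZONE_ORDER.index(src_zone) - ZONE_ORDER.index(dst_zone))
    if gap <= 1:
        return None
    proto = OT_PROTOCOL_PORTS.get(flow.dport)
    if proto:
        return f"{src_zone}->{dst_zone}: {proto} (port {flow.dport}) crossing {gap} Purdue boundaries"
    return f"{src_zone}->{dst_zone}: port {flow.dport} crossing {gap} Purdue boundaries without traversing each level"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that violates the policy together with its description."""
    findings = []
    for flow in flows:
        violation = check_flow(flow)
        if violation:
            findings.append((flow, violation))
    return findings


# Constructed sample flows, e.g. as exported from a firewall or a passive OT sensor.
SAMPLE_FLOWS = [
    Flow("10.10.2.5", "10.10.1.20", 502),     # HMI polling a PLC: adjacent zones, fine
    Flow("10.20.4.7", "10.10.1.20", 502),     # corporate host speaking Modbus to a PLC: violation
    Flow("10.20.4.7", "10.10.9.10", 3389),    # corporate host to DMZ jump host: fine
    Flow("203.0.113.8", "10.10.3.15", 22),    # external address straight to an engineering workstation: violation
    Flow("10.10.3.15", "10.10.9.10", 1433),   # site historian replicating to the DMZ: fine
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The adjacency rule is deliberately strict; a real deployment would replace `ZONE_SUBNETS` with the site's asset inventory and add explicit exceptions for sanctioned conduits (for example a historian replicating upward through the DMZ), so that the remaining findings are the undocumented paths worth investigating.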
Defensive frameworks and resources
CISA and NIST provide frameworks specifically addressing critical infrastructure cybersecurity. The NIST Cybersecurity Framework (CSF) organizes security activities into five core functions: Identify, Protect, Detect, Respond, and Recover. NIST Special Publication 800-82 provides detailed guidance for ICS security specifically.
Sector-specific Information Sharing and Analysis Centers (ISACs) facilitate information sharing between organizations within each critical infrastructure sector. These centers distribute threat intelligence, vulnerability advisories, and incident reports that help individual organizations understand threats targeting their specific industry.
For security professionals, understanding the critical infrastructure landscape means thinking beyond individual networks and systems. It requires appreciating the physical consequences of cyber incidents, the geopolitical motivations of advanced threat actors, and the unique constraints of defending systems where failure can mean more than lost data — it can mean lost lives.
The next post in this series examines supply chain attacks and their implications for national security.
Want to dig deeper? Explore the project repository for a data model of all 16 sectors, threat actor profiles, defensive framework references, and a Purdue Model visualization.