The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) today issued a list of the 55 areas of the nation’s critical infrastructure that it believes must be protected from cyberattacks.
The National Critical Functions list was created by CISA’s National Risk Management Center and contains functions used or supported by the government and the private sector “that are of such vital importance to the United States that their disruption, corruption or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” CISA said.
The list was developed with the help of all 16 critical infrastructure sectors; all Sector-Specific Agencies; and the State, Local, Tribal, and Territorial (SLTT) Government Coordinating Council.
“Identifying these National Critical Functions has been a collaborative process between public and private sector partners and marks a significant step forward in the way we think about and manage risk,” said CISA Director Christopher Krebs.
Emily Miller, Mocana’s director of national security and critical infrastructure programs, said DHS previously defined critical infrastructure as critical assets, systems, networks and functions, with the functions segment sometimes getting less attention than necessary.
Some of the critical functions listed include:
- Provide Internet Based Content, Information, and Communication Services
- Provide Internet Routing, Access, and Connection Services
- Provide Positioning, Navigation, and Timing Services
- Distribute Electricity
- Conduct Elections
- Public Works and Services
“I’m delighted to see DHS’ list of our nation’s critical functions, though it is overdue,” Miller said, adding, “I’ve always thought the ‘functions’ element of this phrase was the most interesting and useful. After all, ‘critical functions’ allow us to define the most important things we do, not just the critical things we have or the sectors to which those things belong.”
Miller also applauded the inclusion of industrial control systems on the list, but pointed out that simply securing operational networks will not be enough protection.
“While security of operational networks is important, previous policy work towards control systems security has left out key considerations for device security. This blind spot to device security leaves the devices that control and monitor critical infrastructure, and the data produced, vulnerable to manipulation throughout the device’s lifecycle,” she said.