Critical Infrastructure Protection: Complex Challenges

Philip Reitinger, a former “Deputy Under Secretary” for U.S. Department of Homeland Security (DHS), a Director of the National Cyber-security Center (NCSC) and currently President and CEO of Global Cyber Alliance participates in Risk Roundup with Jayshree Pandya to discuss the “Complex Challenges Facing Critical Infrastructure Protection”.

Story originally appearing on RiskGroup:


Irrespective of private or public, most of the critical infrastructure as seen across nations today, has been present in one form or other for quite some time. However, it is only recently that the critical infrastructure has become dependent on information, communication and digitization technology (ICDT).

The assets identified as critical infrastructure in cyberspace, geospace and space (CGS) are vital for the survival, success and sustainability of respective nations as they contribute to its very progress and development. These systems and assets in CGS are so vital to each nation that its incapacity or destruction would bring a debilitating impact on not only the physical security, but also the CGS security, economic security, national security, safety and very survival of nations.

Irrespective of nations, these CGS infrastructures must maintain their optimal conditions under all circumstances. Safeguarding them—needs to be the utmost priority for each and every nation: its government, industries, organizations, academia and individuals (NGIOA-I).

Having said that, the well-being of this planet, human species, regions, nations and industries, organizations, academia and individuals relies upon the safety, security and sustainability of the CGS critical infrastructure—those assets, systems, and networks in cyberspace, geospace and space (CGS) that underpin the very fundamentals of a sustainable society.

Critical Infrastructure: Digitalization

Critical infrastructure is used by both governments as well as private industry and is a term to describe infrastructures, systems and assets in CGS that are essential for the progress and development of society– whose incapacity or destruction would have a debilitating impact on security at all levels.

The digitalization of critical infrastructures such as the electric grid, water supply, transportation, financial systems and emergency services have benefited significantly from greater integration of information, communication and digitization technologies (ICDT) to make systems at all levels (local /national /regional /global) more efficient, accessible, resilient and reliable.

The rapidly digitizing critical infrastructure across nations uses many software applications to manage not only client-side business processes like customer care, human resources, billing, accounting, data compilation, analytics and more but also customer-facing web services like online bill-pay and also to control some very sensitive operational processes and physical functions.

Critical Infrastructure: Security Risks

As the increasing digitization and automation of nations critical infrastructures provides more cyber access points for cyber criminals to exploit, there is a growing fear of cyber-crimes and criminal activities that would impact not only cyber-security but also geo-security and space-security.

The advances in the availability and sophistication of malicious software tools and the fact that each new technology from cyberspace raises new security issues that cannot always be addressed prior to adoption in cyberspace, geospace or space (CGS) is a cause for concern and a critical risk facing not only the critical infrastructure but also each individual and entity across NGIOA.

Amidst that how can any nation secure its critical infrastructures with the growing digitalization and automation challenges in CGS?

While the integration of ICDT has digitalized and modernized the critical infrastructure in CGS, it has also opened itself up to a “contested territory” as cyberspace is a contested commons– and it is growing increasingly complex and sophisticated, bringing critical security risks to not only the critical infrastructure but each one of us across nations.

The digital intrusion into the critical infrastructure threatens not only electronic data assets but could potentially damage assets across Cyberspace, Geospace and Space (CGS).

While criticality of an infrastructure depends on a nation, and its inter-dependencies both within and across its boundaries, it is the complex inter-dependencies that defines if one of the infrastructures will be attacked, whether others will also likely be affected.

It is important for each nation to evaluate:

  • What are the most critical threats to critical infrastructure in CGS?
  • What are the common vulnerabilities of critical infrastructure?
  • How are critical infrastructures in CGS controlled currently?
  • What constitutes an attack on critical Infrastructure?
  • How can nations secure its critical Infrastructure in CGS and ensure its continuity?
  • The critical infrastructure in CGS– the incapacitation or destruction of which would have a debilitating impact on geospace and space will ultimately impact the national security and the economic and social welfare of a nation.

So the key question is:

  • Who is responsible for the security of the critical infrastructure in CGS?
  • How do we protect the critical infrastructure in CGS?
  • What should be the structure of the organization responsible for managing the security risks of critical infrastructure in CGS?
  • How do individual nations define the national strategy for the protection of their critical infrastructure in CGS?
  • Should nations define the security strategy –individually or collectively within and across its NGIOA borders?
  • How do nations define the criticality of any infrastructure?
  • What is essential for the safety and security of nations critical infrastructure in CGS?
  • How do nations identify and evaluate the vulnerability to its infrastructure in CGS?
  • How do nations identify ways to reduce infrastructure risks in CGS?

Critical infrastructure in CGS need to be able to withstand and rapidly recover from all hazards and attacks. To achieve the safety, security and sustainability of nations most important assets in CGS, there is a need for an integrated governance and risk management approach within and across nations: its government, industries, organizations and academia (NGIOA) to manage its risks independently and collectively in a rapidly changing digital global age.

A secure, functioning, and resilient critical infrastructure requires the efficient exchange of information, including risk intelligence, within, between and across all levels of NGIOA. This must facilitate the timely exchange of threat and vulnerability information as well as risk information that allows for the development of a situational awareness capability during incidents.


Like all entities across NGIOA, critical infrastructure owners and operators, producers, providers and protectors have taken advantage of advances in information, communication and digitization technology (ICDT) to reduce operational costs, increase productivity, and create new efficiency, accessibility and opportunities. However, the deployment and networking of information, communication and digitization technology in the critical infrastructure environment also has brought new security risks.

The increased integration of information, communications and digitization technology into the daily activities of NGIOA-I – along with the corresponding growth of CGS– has been a major driver of economic growth and productivity.

While cyberspace has created unprecedented opportunities for economic growth across NGIOA-I, it has also created unparalleled opportunities for criminals, spies, activists, thieves and opportunists to cause serious economic and national security challenges and security risks nations face today.

The new digital global age reality means that computer networks and peripherals are under constant attack from a variety of adversaries—amateur hackers, “hacktivists” (hackers claiming a moral agenda), criminal syndicates, nation/state-sponsored intruders and state actors—planning ways of bringing chaos and harm to targeted nations’ infrastructure in CGS, and its NGIOA.

Cyberspace has become a contested common without any rules and regulations. When cyber technology has a potential to destroy any nation: its power-lines, water supplies, transportation and energy and financial markets without shooting a single bullet, it is a cause of concern.

How effectively NGIOA-I work together toward the common goal of securing cyberspace, geospace and space will ultimately determine how secure each one of us will be and the degree to which society continues to reap the benefits of living in the digital global age.