What are IT Security Risks for National Critical Functions?
Whether your organization is public or private, it exists within a complex system where it might a greater role and responsibility in national security than you may have realized. The Cybersecurity & Infrastructure Security Agency (CISA) defines National Critical Functions (NCFs) as, “…functions of the government and the private sector so vital to the United States their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”1 CISA identifies 16 critical infrastructure sectors:
- Chemical sector
- Commercial Facilities sector
- Communications sector
- Critical manufacturing sector
- Dams sector
- Defense industrial base sector
- Emergency services sector
- Energy sector
- Financial service sector
- Food & agriculture sector
- Government facilities sector
- Healthcare and public health sector
- Information technology sector
- Nuclear reactors, material, and waste sector
- Transportation systems sector
- Water & Wastewater systems sector
Critical infrastructure operations are hyperconnected through a complex ecosystem that integrates informational and operational technologies, serving to both improve critical infrastructure operations and to create new vulnerabilities for those very systems. Cyberattackers can exploit vulnerabilities in assets, systems, and networks, leading to concerns for the national economy and national security. CISA has identified four areas where NCFs are so vital that, if disrupted or sabotaged, may cause cross-sector impacts or national degradation:
Connect. Connections by technologies that enable critical communications and capabilities to send and receive data (e.g., internet connectivity and satellite access).
Distribute. Distribution methods that allow the movement of goods, people, and utilities inside and outside the United States (e.g., electricity distribution and cargo transportation).
Manage. Management processes that ensure our national security and public health and safety (e.g., managing hazardous material, conducting elections, and national emergencies).
Supply. Supplies of materials, goods, and services that secure our economy (e.g., water and housing).
With much of the national critical infrastructure being privately owned, effective cybersecurity risk management depends upon the private sector and government sharing information and collaborating to understand their positions and roles in a critical infrastructure risk system. To this end, CISA has developed three lines of effort2:
Build the underlying architecture for cyber risk analysis to critical infrastructure. NCF Risk Architecture is a dynamic engine that captures multiple data layers to understand how entities come together to produce critical functions, and to identify their underlying assets, systems, networks, and technologies. The NCF Risk architecture provides insight into potential cyber risk impacts allowing for more targeted, prioritized, and strategic risk mitigation efforts.
Cyber risk metric development. Bringing together stakeholders to discuss the relationships between threats, vulnerabilities, and consequences on critical functions to develop metrics that quantify cyber risk.
Promoting tools to address concentrated sources of cyber risk. The public-private Information and Communications Technology (ICT) Supply Chain Risk Management Task Force works to identify supply chain threats, including those derived from software, and to develop guidance and tools to reduce risk.
1 CISA, 2021, “National Critical Functions”
2 CISA, 2021, “Systemic Cyber Risk Reduction Venture”