Critical infrastructure asset identification: seemingly simple but frustratingly elusive

Abstract

The attacks of 9/11 highlighted irrefutable vulnerabilities in the US critical infrastructure system and prompted necessary efforts to strengthen defence and resiliency of infrastructure against attack. As critical infrastructures become more dependent on cyber resources, the threat landscape continues to rapidly evolve exposing critical infrastructure to a heightened risk of cyber-attacks. The Department of Homeland Security's Risk Management Framework was developed to guide protection efforts and depends heavily on the ability of the department to effectively identify critical infrastructure assets. However, program audits have reported fundamental flaws in the US identification and prioritisation program. Specifically, there is a need for validation and verification that the right assets are being considered in order to ensure that scarce national resources are not wasted towards protection of the wrong assets. This paper summarises US critical infrastructure identification efforts, ongoing challenges to current programs, and recommendations for moving forward.