Interconnected critical infrastructure increases cybersecurity risk

The U.S. government identifies 16 sectors as critical infrastructure, but inconsistent regulations and management leave many sectors lacking security.

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) lists the 16 critical infrastructure sectors on its website, and of those, only three — energy, government and nuclear — are under regulations mandating that security requirements be mapped to all five sections of the NIST Cybersecurity Framework (CSF). The health sector has HIPAA requirements, which map to the Protect section of the CSF, and the water sector has requirements that map how to Identify and Respond to cybersecurity incidents based on CSF guidelines.

At least one expert believes the risks could be exacerbated because of the interconnected nature of the sectors. Steven Briggs, senior program manager at Tennessee Valley Authority, spoke on the state of critical infrastructure cybersecurity at the virtual CircleCityCon, a security conference normally held in Indianapolis, and discussed his research with SearchSecurity. Briggs said one problem is cybersecurity rules have historically been reactionary: Of those…
