
Can you give a brief introduction to CISA and the work it carries out?
The Cybersecurity and Infrastructure Security Agency Act of 2018 established the Cybersecurity and Infrastructure Security Agency (CISA) as America’s Cyber Defense Agency and directed the agency to serve as the National Coordinator for critical infrastructure security and resilience. In this role, CISA leads the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. We work with partners to defend against today’s threats and collaborate with industry to build more secure and resilient infrastructure for the future.
While CISA is new, the mission is not. Through national doctrine – issued and updated since 2005 and supported in federal law – the US Department of Homeland Security has supported the nation’s 16 critical infrastructure sectors, championed public-private partnerships, and implemented collective actions to understand and manage risk. Established in 2003, the Dams Sector is one such critical infrastructure sector. We are focused on working with the sector to ensure the security and resilience of dams, navigation locks, levees, hydropower projects, dikes, storm surge barriers, tailings dams, and other industrial waste impoundments.
Can you give an overview of potential risks facing US infrastructure?
In today’s globally interconnected world, the understanding of the importance of CISA’s mission sharpens as the nation’s critical infrastructure and American way of life face a wide array of serious risks and challenges. These challenges come from Mother Nature; a varied group of threat actors including nation states; as well as cybercriminals, terrorist groups, and other nefarious actors seeking to take advantage of our open society and the proliferation of technology to do us harm.
While these risks are daunting, working together to strengthen existing partnerships, building new partnerships, establishing sound policies, and implementing baseline security practices within the critical infrastructure sectors positions us to be able to confront these challenges head on.
Persistent risks in the Dams Sector include natural disasters and deliberate attacks against physical or cyber infrastructure that can result in loss of life or property damage, economic damage, damaged or destroyed facilities or assets, and disrupted operations. Natural hazards may include drought, earthquakes, extreme rainfall events and flooding, tropical cyclones, and wildfires, depending on the location of the asset. Deliberate physical attacks of concern to owners may be armed attacks, attacks by use of vehicles and unmanned aircraft systems, explosives, the threat of malicious insiders, and criminal acts. Sophisticated cyber threat actors and nation-state actors seek to exploit vulnerabilities to steal information and disrupt, destroy, or threaten the delivery of essential services provided by critical infrastructure, including dams. Underpinning these risks are operational challenges influencing dam safety and security decision-making. Examples include the need to manage operations and maintenance programs, communicate and collaborate, understand and manage dependencies, mitigate aging infrastructure, and address population growth around sector assets.
Adversaries will continue to threaten the integrity of critical infrastructure with disruptive and destructive cyber and physical attacks. These threats may potentially be further exacerbated by technological advances, extreme weather, and natural disasters.
Have such risks become more prominent over recent years?
Current trends in operations and risk drivers are making some risks to Dams Sector assets more prominent. The cyber risk landscape is changing every day on its own and those changes become more pronounced as some owners and operators upgrade to modern control systems with standardized hardware or transition to remote monitoring and control processes that make them more susceptible to broadly exploited vulnerabilities and attack vectors. Alternately, not upgrading technology presents the risk of obsolete technology that cannot be patched or upgraded. The commercialization and weaponization of certain capabilities – such as drones and artificial intelligence (AI) systems – may aid adversaries in attacking critical infrastructure. Population growth and development around dams and levees are increasing the consequences of failure, potentially reclassifying the hazard potential of some assets. Changing weather patterns may bring more extreme weather, including droughts that reduce water availability and severe storms that increase flooding.
How can these risks be minimised? What role can utilities and dam owners play in this?
Risk management in the Dams Sector focuses on owners and operators making risk-informed decisions that best allocate limited resources to the most effective activities to prevent or mitigate the effects of incidents, regardless of the cause. The dam safety community leverages long-standing and well-established risk management programs and approaches to assess, mitigate, and respond to the potential damages caused by catastrophic dam and levee failures, particularly those induced by natural hazards. Many owners have extended their risk management programs to also understand and manage risk from human-caused, deliberate attacks.
Facilities follow established design and construction standards, operation and maintenance procedures, inspection schedules, and protective measures guidelines and best practices to minimize the risk of failure, disruption, or mis-operation. Such activities help owners and operators to enhance security and resilience through preparing for and responding to incidents and adapting to changing conditions. Examples include adhering to design standards; performing inspections, surveillance, and monitoring to detect potential problems; reporting suspicious activities and cyber issues (such as unauthorized access, disruption, or system abuse); implementing protective measures; and planning for emergency response.
Specifically for cyber risks, owners and operators can implement cyber controls, which are the managerial, operational, and technical safeguards or countermeasures employed within an organizational system to protect the availability and integrity of the system and its information. Controls are used to reduce incident likelihood through actions such as network segmentation, use of multi-factor authentication, and installing software patches; build resilience to a cyber incident through testing backup procedures and manual controls; and detect and respond to cyber incidents.
For organizations interested in learning more about risk-reduction strategies that can significantly enhance security outcomes, visit CISA’s Cybersecurity Performance Goals webpage.
To learn more about the Dams Sector and access sector-specific resources, training, and tools to understand and manage physical and cyber risk, visit the CISA Dams Sector webpage.