Critical Infrastructure Security and Resilience: Countering Russian and Other Nation-State Cyber Threats




March 16, 2022

The United States and its allies have levied economic sanctions against Russia following its invasion of Ukraine. Many observers fear Russian state or state-sponsored cyberattacks against U.S. critical infrastructure in response. Critical infrastructure is defined in statute as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Department of Homeland Security (DHS) is the lead federal agency for critical infrastructure security and resilience (CISR).

The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued numerous alerts and other warnings to private-sector companies about malicious cyber activities by Russian state or state-sponsored actors that may harm critical infrastructure. According to the CISA alert revised on March 1, 2022, Understanding and Mitigating Russian State-Sponsored Cyber Threats to Critical Infrastructure, “Russian state-sponsored ... actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations.” The alert identified the energy, healthcare, and communications systems and assets as frequent targets.

This In Focus provides an overview of the U.S. critical infrastructure community, describing the current development of cyber risk management programs and activities in the Energy, Healthcare and Public Health (HPH), and Communications sectors. In recent decades, the federal government has supported voluntary programs and activities intended to develop common perspective, risk awareness, and risk management culture within a diverse and evolving community of critical infrastructure stakeholders. During this time, development of CISR-oriented communities of interest defined by robust sector and cross-sector professional networks, multilateral flows of critical infrastructure information, collaboration with relevant government agencies, and investments in resilience has been uneven.

The Critical Infrastructure Community

CISA commonly describes its partners in the national CISR enterprise as the critical infrastructure community. This community—more concept than organization—is the aggregate of people and organizations engaged in security and resilience activities related to critical infrastructure. It includes thousands of private-sector businesses and enterprises, nonprofits, researchers, analysts, and technologists, as well as interested legislators, government officials, and law enforcement and emergency management personnel.

At the federal level, the critical infrastructure community is organized under auspices of presidential policy directives, which assign DHS (acting through CISA) responsibility for leadership and interagency coordination of voluntary public-private partnerships across 16 designated critical infrastructure sectors and numerous subsectors. DHS delegates this responsibility to other agencies in some cases. The responsible agency in each sector is referred to as the Sector Risk Management Agency (SRMA).

Because much of the nation’s critical infrastructure is owned and operated by the private sector, implementation of federal cybersecurity initiatives to counter nation-state and other threats often depends upon the willingness and ability of private-sector entities to engage with CISR-oriented communities of interest, to make relevant resilience investments, and to report cyber incidents quickly—even those that may pose reputational, legal, or regulatory consequences. Likewise, owner-operators of vulnerable systems may have to absorb significant up-front business costs to increase security. Owner-operators of systems that do not meet the statutory definition of critical infrastructure may still suffer from attacks that present systemic risk, given the interconnectedness of such systems.

Energy Sector

The Energy Sector consists of two subsectors—electricity, and oil and natural gas. The Department of Energy (DOE) is the designated SRMA.

Electricity

The North American Electric Reliability Corporation (NERC)—a federally authorized, industry-led reliability organization—develops and enforces mandatory reliability standards that address cybersecurity and other risks affecting the nation’s bulk power system. NERC plays a significant role in voluntary best practices and information-sharing programs. NERC also operates the Electricity Information Sharing and Analysis Center (E-ISAC), which facilitates sharing of cyber threat information and analysis between industry partners and government through alerts, exercises, and other means. ISACs in other sectors have similar functions. E-ISAC manages a DOE program for real time cyber threat information sharing to protect critical infrastructure.

According to DOE, utilities participating in its information-sharing program provide power to over 75% of customers in the continental United States. NERC periodically organizes grid security exercises. A major November 2021 exercise included 700 participants from the bulk power industry, according to media reports. Prior to the 2021 exercise, some observers voiced concerns about regulatory gaps and inadequate standards. NERC reliability standards are consensus-based, and mostly apply to larger utilities engaged in interstate transmission.

Oil and Natural Gas

There is no industry reliability organization analogous to NERC in any oil and gas industry segment. Standards development functions are led by major industry trade groups on a largely voluntary basis. Certain voluntary consensus standards have been incorporated by reference into the Code of Federal Regulations, giving them legal effect. These standards are concentrated in the heavily regulated offshore segment and the pipelines subsector. Further—with the exception of pipelines—these standards focus on risks inherent to the physical operation of industrial equipment, rather than cybersecurity.

Industry groups own and operate the Oil and Natural Gas (ONG) ISAC. Some independent reports indicate slow progress in developing cybersecurity culture and meaningful community engagement. A 2020 report by the Lawrence Livermore National Laboratory on cybersecurity in the oil and gas subsector noted widespread deficiencies, including use of legacy assets lacking cybersecurity features, use of consumer-grade operating systems and software with known vulnerabilities, and a culture of general apathy in many enterprises. Industry groups assert they work closely with federal agencies to ensure “collaboration and communication at every point.”

Healthcare and Public Health Sector

The HPH Sector includes both private-sector and public-sector entities for patient care, medical research and development (R&D), pharmaceutical production, insurance, and other purposes. Malicious cyber actors—sometimes with nation-state sponsorship or acquiescence—have increasingly targeted the HPH Sector to acquire healthcare technology R&D, medical information, and patient data. Disruption of public health functions may be an end in itself in some cases.

The Department of Health and Human Services (HHS) is the designated SRMA. Limited HHS regulatory authorities and programs focus on maintaining privacy of patient health information and the operational integrity of agency computer systems.

HHS’s private-sector counterpart, the HPH Sector Coordinating Council (SCC), has created several relevant industry working groups in recent years to increase threat reporting and analysis, information sharing, and adoption of best practices. The Cybersecurity Working Group reports increasing stakeholder engagement. In addition, the Health-ISAC has operated since 2010 and remains active.

A 2018 survey of 600 healthcare organizations on industry adoption of cybersecurity best practices showed that most organizations participate in one or more cybersecurity information-sharing and analysis organizations. Indicators of substantive private-sector engagement with such organizations and adoption of best practices were more mixed.

Communications Sector

The communications sector includes five segments: broadcasting, cable, satellite, wireless, and wireline. DHS is the designated SRMA. It operates the National Coordination Center, which hosts the Communications ISAC and provides operational support for specific national-level incidents. DHS and other agencies do not regulate cybersecurity risk management activities of private-sector partners.

DHS’s private-sector counterpart, the Communications SCC (CSCC), supports numerous public-private partnership activities for threat reporting and analysis, information sharing, and adoption of best practices. In letters and filings to federal agencies, the CSCC has noted persistent information-sharing obstacles related to security classification and legal exposure. The CSCC has also noted limited community-wide awareness of collaboration and information-sharing channels, and insufficient grant funding for cybersecurity resilience activities.

Cross-Sector Issues

Many community members identify information sharing, government outreach to the private sector, and return on investment for public-private collaborations as areas for improvement. A CISA program implemented under the Cybersecurity Information Sharing Act of 2015 to increase public-private sharing of cyber threat indicators and defensive measures via automated means elicited only sparse participation, according to a 2019 interagency report to Congress. CISA stated it was implementing changes.

A DHS after-action report on its Cyber Storm 2020 exercise noted that some private-sector participants bypassed established information-sharing channels, and were therefore less effective in responding to the simulated nation-state attack. The report called for DHS to increase outreach and clarify coordination pathways for private-sector partners. It also called upon private-sector partners to share more information to help identify coordinated cyberattacks.

A 2021 Belfer Center study of cybersecurity collaboration between critical infrastructure owner-operators and government reported that established information channels were often left unused. “Many private-sector companies don’t often see the government as a useful partner and decline to work with them if they don’t have to,” it said.

Recent Legislation

In March 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of the Consolidated Appropriations Act, 2022 (H.R. 2471), which was signed by the President on March 15, 2022. It requires covered critical infrastructure entities to report certain breaches and ransom payments to CISA, among other provisions. Also see CRS Report R46944, Cybersecurity: Comparison of Selected Cyber Incident Reporting Bills—In Brief, by Chris Jaikaran.

Brian E. Humphreys, Analyst in Science and Technology Policy

IF12061


Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF12061 · VERSION 1 · NEW