Owners and Operators Critical Infrastructure Security-Related Activities

For many private sector enterprises, the level of investment in security reflects risk-versus-consequence tradeoffs that are based on two factors:

1. That which is known about the risk environment
  • The Federal Government is uniquely positioned to help inform investment decisions and operational planning.
  • Owners and operators may look to the government and information sharing and analysis organizations like Information Sharing and Analysis Centers (ISACs) as a source of security-related best practices and for attack or natural hazard indications, warnings and threat assessments.
2. That which is economically justifiable and sustainable in a competitive marketplace or within resource constraints.
  • Owners and operators may rely on government entities or participate in collective efforts with other owners and operators to address risks outside of their property or in situations in which the current threat exceeds an enterprise’s capability to protect itself or requires an unreasonable level of additional investment to mitigate risk.
  • In this situation, public and private sector partners at all levels collaborate to address the security and resilience of national-level critical infrastructure, provide timely warnings and promote an environment in which critical infrastructure owners and operators can carry out their specific responsibilities.
Critical infrastructure owners and operators participate in many cyber risk mitigation activities, including:
  • Cybersecurity information-sharing efforts (e.g., sector-specific cyber working groups, the Cross-Sector Cybersecurity Working Group and the Industrial Control Systems Joint Working Group),
  • Cyber risk assessments,
  • Cybersecurity exercises,
  • Cyber incident response and recovery efforts and
  • Cyber metrics development.
The roles of specific owners and operators vary widely within and across sectors. Some sectors have statutory and regulatory frameworks that affect private sector security operations within the sector; however, most are guided by a voluntary focus on security and resilience or adherence to industry-promoted best practices.
Critical infrastructure owners and operators may contribute to national critical infrastructure security and resilience efforts through a range of activities. These activities may include but are not limited to:
  • Performing critical infrastructure risk assessments;
  • Understanding dependencies and interdependencies;
  • Developing and coordinating emergency response plans with appropriate Federal and SLTT government authorities;
  • Establishing continuity plans and programs that facilitate the performance of lifeline functions during an incident;
  • Participating in critical infrastructure-focused training and exercise activities with public and private sector partners; and
  • Contributing technical expertise to the critical infrastructure security and resilience efforts of DHS and the SSAs.