Implement Risk Management Activities

Decision makers prioritize activities to manage critical infrastructure risk based on the criticality of the affected infrastructure, the costs of such activities and the potential for risk reduction. Some risk management activities address multiple aspects of risk, while others are more targeted to address specific threats, vulnerabilities, or potential consequences. These activities can be divided into the following approaches:

Identify, Deter, Detect, Disrupt and Prepare for Threats and Hazards

  • Establish and implement joint plans and processes to evaluate needed increases in security and resilience measures, based on hazard warnings and threat reports.
  • Conduct continuous monitoring of cyber systems.
  • Employ security protection systems to detect or delay an attack or intrusion.
  • Detect malicious activities that threaten critical infrastructure and related operational activities across the sectors.
  • Implement intrusion detection or intrusion protection systems on sensitive or mission-critical networks and facilities to identify and prevent unauthorized access and exploitation.
  • Monitor critical infrastructure facilities and systems potentially targeted for attack (e.g., through local law enforcement and public utilities).

Reduce Vulnerabilities

  • Build security and resilience into the design and operation of assets, systems and networks.
  • Employ siting considerations when locating new infrastructure, such as avoiding floodplains, seismic zones and other risk-prone locations.
  • Develop and conduct training and exercise programs to enhance awareness and understanding of common vulnerabilities and possible mitigation strategies.
  • Leverage lessons learned and apply corrective actions from incidents and exercises to enhance protective measures.
  • Establish and execute business and government emergency action and continuity plans at the local and regional levels to facilitate the continued performance of critical functions during an emergency.
  • Address cyber vulnerabilities through continuous diagnostics and prioritization of high-risk vulnerabilities.
  • Undertake research and development efforts to reduce known cyber and physical vulnerabilities that have proved difficult or expensive to address.

Mitigate Consequences

  • Share information to support situational awareness and damage assessments of cyber and physical critical infrastructure during and after an incident, including the nature and extent of the threat, cascading effects and the status of the response.
  • Work to restore critical infrastructure operations following an incident.
  • Support the provision of essential services such as: emergency power to critical facilities; fuel supplies for emergency responders; and potable water, mobile communications and food and pharmaceuticals for the affected community.
  • Ensure that essential information is backed up on remote servers and that redundant processes are implemented for key functions, reducing the potential consequences of a cybersecurity incident.
  • Remove key operational functions from the Internet-connected business network, reducing the likelihood that a cybersecurity incident will result in compromise of essential services.
  • Ensure that incidents affecting cyber systems are fully contained; that asset, system, or network functionality is restored to pre-incident status; and that affected information is available in an uncompromised and secure state.
  • Recognize and account for interdependencies in response and recovery/restoration plans.
  • Repair or replace damaged infrastructure with cost-effective designs that are more secure and resilient.
  • Utilize and ensure the reliability of emergency communications capabilities.
  • Contribute to the development and execution of private sector, SLTT and regional priorities for both near- and long-term recovery.

The activities listed above are examples of risk management activities being undertaken to support the overall achievement of security and resilience, whether at an organizational, community, sector, or national level.

The Prioritization Process

The prioritization process, now incorporated into the Implement Risk Management Activities step of the NIPP risk management framework, involves aggregating, combining and analyzing risk assessment results to determine which assets, systems, networks, sectors, or combinations of these face the highest risk so that risk management priorities can be established.

It also provides the basis for understanding potential risk-mitigation benefits that are used to inform planning and resource decisions.

The NIPP risk management framework provides the process for developing comparable estimates of the risk relevant to critical infrastructure.

Comparing the risk faced by different entities helps identify where risk mitigation is needed and, subsequently, helps determine and justify the most cost-effective risk management options.

In addition, this prioritization process develops information that can be used during incident response to help inform decision makers regarding issues associated with critical infrastructure restoration.