
CISA is Evolving How it Defines Critical Infrastructure


CISA plans to roll out new collaboration frameworks in the coming weeks to strengthen critical infrastructure cybersecurity.

Aerial view of a data center. Photo Credit: cflaten / Shutterstock

The Cybersecurity and Infrastructure Security Agency (CISA) is starting to move away from broad sector-based classification of critical infrastructure and instead focusing on the specific assets and systems that adversaries are most likely to target, Acting Director Nick Andersen said Wednesday.

Speaking at the Defend the Airport Collaborative conference in Columbia, Maryland, Andersen said the agency is prioritizing what he described as the “crown jewels” of critical infrastructure — the systems whose disruption could have the greatest impact on public safety, economic stability or national security.

“The American public will not forgive us for not being resilient,” Andersen said. “When we start doing that, that gets us to an actual tangible attack surface that we can manage in a realistic and reasonable way, and we can make some real investments.”

To support this approach, Andersen said CISA plans to launch new coordination efforts with infrastructure operators and original equipment manufacturers in the coming weeks.

Andersen said the goal is to improve security while reducing the technical burden placed on infrastructure operators.

“It’s going to ease the burden wherever possible on the owner operators to not have to have SME-level technical expertise in every single product and product type that they are operating in order to operate in a secure way,” he said.

AI and the Convergence of IT and OT

The comments come as the convergence of information technology and operational technology has prompted the federal government to rethink what constitutes critical infrastructure.

Andersen described modern infrastructure as dependent on digital systems, noting that even airplanes have effectively become “computers with wings.”

“Our adversaries seek to not just target technical infrastructure for the sake of targeting technical infrastructure, they are seeking to have a significant psychological impact on the American public,” Andersen said Wednesday.

Rather than categorizing entire industries as critical infrastructure, Andersen said CISA is focused on identifying the specific systems whose compromise would be most impactful in the real world. Examples could include power grid connections, communications networks, transportation systems and health care databases.

Despite calls from some industry sectors to label artificial intelligence as critical infrastructure, Andersen reinforced CISA’s view that those technologies are capabilities that depend on the underlying infrastructure.

“The things that go into AI and make it work are probably critical,” Andersen said, citing communications infrastructure and data centers. “When we look at critical infrastructure, [AI is] something that is generated and derived from things that critical infrastructure support and provide.”

Andersen warned that cyberattacks against civilian infrastructure are becoming more likely as adversaries position themselves inside networks that support essential services.

“Civilian critical infrastructure is no longer off limits,” he said. “It has to reshape our thinking and reshape the priorities that we have.”
