Critical Infrastructure Protection

What is critical infrastructure protection?

Americans rely on critical infrastructures to protect the nation, maintain a strong economy, and enhance quality of life. These infrastructures—which include the electrical power grid, transportation systems, information networks, banking and finance systems, manufacturing and distribution, and more—are evolving and modernizing. They have become increasingly complex, connected, and vulnerable to adverse conditions, such as cyber and physical attacks.

To secure our national economy and the livelihood of all citizens, the United States must protect its critical infrastructures. In fact, the federal government has identified 16 critical infrastructure sectors that are considered so essential that if they sustained an attack or disruption, there would be debilitating effects on national security, public health or safety, the economy, or all the above. Securing these systems from cyber or physical threats is increasingly important—and challenging—as these threats become more complex, persistent, and destructive.

The twenty-first century system of commerce, energy, and security revolves around the ability to exchange information through the Internet. The same goes for our energy systems, which are working toward faster and more sustainable designs to support the integration of clean energy resources into the grid and slow the pace—and deadly impacts—of climate change.

Meanwhile, cybercriminals are becoming more and more sophisticated and are aiming at larger targets. Federal and state government databases, regional utilities, health care systems, and large credit card and consumer shopping enterprises have all been victims of malicious hackers.

It has never been more crucial to protect this critical physical and cyber infrastructure to assure the health and security of every citizen and the longevity of the planet. It will take the combined efforts of both federal and private investments in research and development to make it happen.

Protecting our nation’s cyber and physical critical infrastructure—and making it more resilient—is a national imperative, and everyone has a stake in it.

It’s important to protect the critical infrastructure on which society depends for commerce, energy, communication, manufacturing, and more. (Image by KoSSSmoSSS |

The history of critical infrastructure protection

Roads, railways, and telephone lines began spreading across the United States in the late eighteenth and early nineteenth centuries. In the 1930s, large-scale hydropower plants began generating electricity for a growing nation while also providing water reserves for a booming farming business in western dryland areas.  

Electricity transmission and distribution systems followed suit, and by the 1950s, energy became readily available across larger swaths of the United States. Regional utilities could exchange electricity on the open market, helping to keep energy prices reasonable for consumers and industry. In the same era, the interstate highway system was completed, and airline passenger service began in earnest. All the elements were in place for a bustling national economy.

In the late 1950s, computers running on integrated circuits emerged from government laboratories into the public domain, and the World Wide Web made its debut in the 1990s. Subsequent consumer-driven capabilities marked a turning point in computing, commerce, and society.  

Meanwhile, scientists began warning of the effects of fossil fuels on Earth’s atmosphere based on a trajectory of carbon dioxide measurements starting in 1958. The trajectory, known as the Keeling Curve, continues to rise to this day.

Protection of critical U.S. infrastructure was first formally recognized as a national priority in 1998, when then-President Bill Clinton issued Executive Order 13010, establishing a Commission on Critical Infrastructure Protection. Since that time, numerous White House administrations have supported various efforts to shore up America’s physical and cyber infrastructure.

In 2018, then-President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018, establishing the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security. The agency’s primary job is to understand and manage cyber and physical risk to the nation’s critical infrastructure—with the goal of making this infrastructure more secure and resilient.

The importance of critical infrastructure protection

U.S. ingenuity, supported by both the public and private sector, created one of the world’s most efficient infrastructures for the exchange of goods and services. Advances in computing and the game-changing arrival of the Internet have led to countless benefits, opportunities, and efficiencies across nearly every sector of our society.

Threats to this infrastructure, however, are growing more complex by the day—whether these threats are digital, physical, man-made, technological, or natural. As CISA put it, the threats we face “… are more complex, and the threat actors more diverse, than at any point in our history.”

At the same time, a number of factors are making the nation’s critical infrastructure increasingly vulnerable to these threats. The electric grid is being pushed far beyond its original design, while roads, bridges, and tunnels are succumbing to the toll of age, use, and weather. Climate change is wreaking havoc on communities across the country with more frequent and intense natural disasters and weather events. Communities are being devasted by more frequent and intense wildfires, storms, and hurricanes—and extended droughts threaten water supplies.

For example, in February 2021, several days of unusually bitter-cold temperatures in Texas overwhelmed the energy system and caused complete grid failure—leaving millions in the state without power, heat, or potable water. This crisis blatantly exposed energy system vulnerabilities and highlighted the pressing need to better protect critical infrastructure from extreme weather.

Further, cyberattacks are a rapidly evolving threat to critical infrastructure and one of the “most significant and growing issues confronting our nation,” according to a White House July 2021 “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The memo recognizes that the systems that control and operate the nation’s critical infrastructure are increasingly vulnerable. In the statement, President Joe Biden said, “The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.”

Hackers are infiltrating both public and private computer networks, looking to disrupt the U.S. economy or steal money. Strategic targets include the utility industry, government or public agencies, and financial institutions. Fraud and phishing scams tend to target large retail companies; victims include users of Facebook, Target, Adobe, Equifax, and Marriott. Further, recent high-profile attacks on critical infrastructure—such as a gas pipeline and meat production company—have put a spotlight on the pressing importance of securing networks that operate these systems.

Hackers pose an increasingly dangerous threat to critical infrastructure. (Image by xijian |

Federal efforts spearhead critical infrastructure protection

There has been heightened attention from the nation’s leaders in recent years on the urgent need for critical infrastructure protection.  

As mentioned previously, CISA—which identifies itself as “the nation’s risk advisor,” was formed in 2018 to coordinate efforts with partners across the country to make critical infrastructures more resilient and secure. Building stronger emergency and response communications is a key part of this effort. According to the agency’s website, CISA “conducts extensive, nationwide outreach to support and promote the ability of emergency response providers and relevant government officials to continue to communicate in the event of a natural disaster, act of terrorism, or other man-made disaster.”

In July 2021, on the heels of several significant cyberattacks on U.S. critical infrastructure, President Biden announced additional actions to protect the nation’s critical infrastructure. This included a directive to CISA and the Department of Commerce’s National Institute of Standards and Technology to collaborate with other agencies to develop cybersecurity performance standards for critical infrastructure, which are expected to help companies responsible for providing essential services like power, water, and transportation to strengthen their defense against cyberattacks.

Also, in support of the president’s climate goals, the Department of Energy (DOE) is working toward a 100 percent carbon-free power sector by 2035. One way to achieve this is through grid modernization. The DOE Office of Electricity supports research and development to optimize power delivery and enhance resilience and decrease vulnerabilities of these systems to threats. 

In March 2021, DOE’s Cybersecurity, Energy Security, and Emergency Response announced new programs to ramp up critical infrastructure protections to assist electricity, oil, and natural gas industries. The efforts intend to shore up potential global supply chain security vulnerabilities, protect critical infrastructure from electromagnetic and geomagnetic interference, and build a research and talent pipeline for next-generation cybersecurity. The programs will bring together key partners from industry, states, and universities with the expertise and inventiveness needed to enhance energy sector resilience.

These are just some of the federal efforts that have been ramped up recently to improve critical infrastructure protection.

How Pacific Northwest National Laboratory advances critical infrastructure protection

Through scientific discovery and engineering advancements, Pacific Northwest National Laboratory (PNNL) works to not only disrupt and deter digital and physical threats to critical infrastructure, but also to make these important systems more reliable and resilient.

Current cybersecurity research and development efforts are focused on understanding, evaluating, and developing trusted systems for critical infrastructure. Specifically, cyber researchers are looking at ways to improve software-enabled systems’ resilience through revolutionary technologies based on autonomic controls—similar to how the human body coordinates its complex semi-autonomous subsystems. With deep expertise in artificial intelligence and human-machine teaming, PNNL provides the science foundation to accelerate the discovery of complex threat indicators in these systems and to create autonomous resilience—systems that predict and mitigate consequences of failure across linked cyber and physical domains.

In 2021, PNNL launched the Resilience Through Data-Driven, Intelligently Designed Control (RD2C) Laboratory Directed Research and Development initiative. RD2C aims to facilitate research that will advance critical infrastructure protection and increase the understanding of how the cyber-physical systems that drive critical infrastructure behave under adverse conditions—such as cyber and physical attacks, faults, and natural or man-made disasters. Drawing on PNNL’s deep expertise and experience in cybersecurity and power systems, the initiative is anchored by a multidisciplinary team of scientists and engineers trained in control and optimization theory, data sciences, and computational mathematics.

Additionally, using its expertise in advancing the mathematical and computational foundations of risk modeling, PNNL works to improve defense of power system assets and to increase supply chain security for energy systems. As part of this work, PNNL developed the Dynamic Contingency Analysis Tool. Utilities and organizations can use the software to anticipate potential disruptions and manage power and grid instability during extreme events. The tool can be used to avoid blackouts and to prioritize how and where to restore power.

Further, researchers can use PNNL’s remotely accessible Power Networking, Equipment, and Technology (powerNET) testbed to analyze and evaluate the security and resilience of power grid technologies. Integrating real-world equipment with virtual and simulation capabilities, the powerNET testbed enables the research and development of new tools and methods for defending against and mitigating growing physical and digital threats to energy control systems.   

PNNL experts are also helping to mitigate climate issues that can affect the security of our nation’s critical infrastructures. For example, scientists used artificial intelligence techniques to create a forecasting model that can more accurately predict the intensity of hurricanes. PNNL is also contributing to the discussion on how natural barriers can help protect infrastructure from damaging floods.

From computational and climate scientists, to software developers and cybersecurity experts, to power systems engineers and data scientists, PNNL researchers are advancing the methodologies, algorithms, and tools to protect critical infrastructure and enable more secure, reliable, and resilient systems on which society depends.

powerNET testbed
PNNL’s powerNET testbed helps researchers unearth vulnerabilities in energy control systems and to develop solutions for securing critical operating systems. (Photo by Andrea Starr | Pacific Northwest National Laboratory)