Critical infrastructure protection (CIP) refers to the coordinated effort by governments, operators, and international bodies to secure the physical and cyber systems that underpin essential services. Although the specific sectors classified as "critical" vary, most national frameworks include energy, water and wastewater, telecommunications, financial services, healthcare, transportation, food supply, and government services. The concept gained policy traction in the late 1990s as digital control systems became pervasive in industrial settings, exposing previously isolated operational technology (OT) to network-borne threats.
In the United States, Presidential Policy Directive 21 (PPD-21), issued in 2013, designates 16 critical infrastructure sectors and assigns sector risk management agencies. The Cybersecurity and Infrastructure Security Agency (CISA), established in 2018, coordinates federal CIP activity. The European Union adopted the NIS Directive in 2016 and replaced it with NIS2 (Directive (EU) 2022/2555), broadening scope and tightening incident-reporting obligations. The EU's Critical Entities Resilience (CER) Directive of 2022 addresses physical resilience in parallel.
Core CIP activities typically include:
- Risk assessment of dependencies and single points of failure
- Threat intelligence sharing, often through Information Sharing and Analysis Centers (ISACs)
- Standards adoption, such as the NIST Cybersecurity Framework or IEC 62443 for industrial control systems
- Incident response planning and mandatory breach notification
- Public-private partnership, since most infrastructure is privately owned in market economies
CIP has become central to debates on hybrid warfare and state-sponsored cyber activity. Incidents such as the 2015 and 2016 attacks on the Ukrainian power grid, the 2017 NotPetya campaign, and the 2021 Colonial Pipeline ransomware shutdown demonstrated that disruptive operations can produce strategic effects without kinetic force. At the UN level, discussions in the Open-Ended Working Group (OEWG) on ICT security have repeatedly addressed norms against attacking critical infrastructure, building on the 2015 report of the Group of Governmental Experts.
Example
In May 2021, a ransomware attack on Colonial Pipeline forced the operator to halt fuel deliveries across the U.S. East Coast, prompting an emergency declaration and accelerating CISA-led critical infrastructure protection mandates.
Frequently asked questions
It varies by jurisdiction. The U.S. PPD-21 lists 16 sectors including energy, water, finance, healthcare, and communications. The EU's NIS2 covers similar 'essential' and 'important' entities across comparable domains.
Keep learning