Posted: April 24th, 2025
I
1. What do you think is the most difficult of the 18 CIKR sectors to protect, and why?
Course Textbook(s)
Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd ed.). Wiley. https://online.vitalsource.com/#/books/9781119614562
CYB 4303, Critical Infrastructure Protection in Cybersecurity 1
Upon completion of this unit, students should be able to:
1. Evaluate the various sectors of critical infrastructure protection (CIP) in the United States.
1.1 Outline the critical sectors and infrastructures identified in the National Infrastructure Protection
Plan (NIPP).
4. Examine cybersecurity challenges within critical infrastructure protection (CIP) in the United
States.
4.1 Discuss how the different catastrophe theories apply to Critical Information and Key
Resources (CIKR) systems.
Chapter 1: Origins of Critical Infrastructure Protection
Chapter 3: Theories of Catastrophe
Introduction
Over the last five decades, the world has become interdependent and interconnected both from a cyber-
based and physical perspective. In the United States, the nation’s critical infrastructure has reached a high
level of complexity encompassing not only one sector but also all sectors relying on each other to sustain
essential economic and governmental operations. As the graphic below outlines, these sectors include the
eight critical Infrastructure sectors: banking and finance, emergency law enforcement services, emergency
services, energy, information and communication, public health services, transportation, and water supplies.
Because of advances in technology and the necessity of needed efficiencies, these sectors, systems, and
assets have become increasingly interlinked and automated.
UNIT I STUDY GUIDE
Origins of Critical Infrastructure
Protection
CYB 4303, Critical Infrastructure Protection in Cybersecurity 2
UNIT x STUDY GUIDE
Title
Critical Infrastructure Protection (CIP) History
From where did the idea of critical infrastructure protection (CIP) come? The
history of CIP goes back many centuries. In the 3rd century BC, the Chinese
emperor, Qin Shi Huang, devised a system to protect and reinforce, in many
strategic areas, the Great Wall of China. In key territories, a massive army of
soldiers continuously maintained, fortified, and protected the wall. The Great
Wall had thousands of guard towers distributed at specific intervals. In ancient
Rome, Roman aqueducts were critical to Rome’s cities and thus developed
protections to safeguard this critical infrastructure. Assante (2009) noted that
the critical nature of the aqueducts is best understood by an inscription found in
Lyons, France, regarding ancient Roman law, which states “By command of
Emperor Trajanus Hadrianus Augustus, no one is permitted to plough, sow, or
plant within the space determined for protection of the aqueduct” (p. 2).
The Chinese and Romans understood the importance of protecting critical
assets. The Chinese and Romans proactively addressed security when building
their infrastructures. As an example, it is not insignificant that the first Roman
aqueduct was built underground as a security measure as Figure 2 depicts
(Assante, 2009).
More recently, in 1963, John F. Kennedy created the National Communication
System, or NCS, to facilitate the government’s ability to communicate during
emergency scenarios. In 1979, the Federal Emergency Management Agency (FEMA) was established to
Banking & Finance
•Banking & Stock Markets
•Sector-specific agency: Treasury
Emergency Law Enforcement
Services
•Justice/FBI
•Sector-specific agency: FBI
Emergency Services
•Emergency Fire and Continuity of
Government
•Sector-specific agency: FEMA
Energy
•Electric Power, Gas and Oil production and
storage
•Sector-specific agency: Energy
Information & Communications
•Telecommunications and the Internet
•Sector-specific agency: Commerce
Public Health Services
•Public health, surveillance, laboratory
services, and personal health services
•Sector-specific agency: HHS
Transportation
•Aviation, Highways, Mass Transit, Rail,
Pipelines, Shipping
•Sector-specific agency: Transportation
Water Supply
•Water and its distribution
•Sector-specific agency: Environmental
Protection Agency
Figure 1. Eight Critical Infrastructure Sectors
(Lewis, 2020; 12019, 2012; Breher, 2015; LEEROY Agency, 2014; lkaika, 2015; Muhammad, 2018; Petra,
2009; Pexels, 2016; skeeze, 2015)
Figure 2. Roman aqueduct built
underground as a security measure
(Bukvoed, 2017)
CYB 4303, Critical Infrastructure Protection in Cybersecurity 3
UNIT x STUDY GUIDE
Title
manage and coordinate events such as hurricane and earthquake hazard reduction. Terrorist events in the
1980s and 1990s led Bill Clinton to establish the President’s Commission on Critical Infrastructure in 1998
(Lewis, 2020). As illustrated in Figure 1, the commission’s work resulted in the identification of the eight
critical infrastructure sectors in the Presidential Decision Directive 63 of 1998 (Lewis, 2020).
The events of September 11, 2001 brought about significant changes and expansion of critical infrastructure
protection. Following 9/11, the U.S. government expanded its security framework directives to protect
additional areas at the state and local levels. According to Hart and Ramsay (2011), the National Strategy for
Homeland Security was released in 2002, the National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets and Homeland Security Presidential Directive 7 replaced PDD63 in 2003, and
the publication of the National Infrastructure Protection Plan (NIPP) was released in 2006 with major revisions
introduced in 2009. In 2003, Homeland Security Presidential Directive 7 was authorized to replace PDD63.
Homeland Security Presidential Directive 7, in essence, expanded the protected critical sectors to 13 areas
and added five key resource areas making it 18 Critical Infrastructure and Key Resources (CIKR) sectors
(Hart & Ramsay, 2011). The additional critical sectors included agriculture and food, defense industrial base,
national monuments and icons, chemical, commercial facilities, critical manufacturing, dams, nuclear power
plants, information technology, and postal and shipping (NIPP, 2013).
Critical Information and Key Resources (CIKR)
The interconnectedness of the nation’s critical sectors has introduced vulnerabilities at many levels.
Vulnerabilities are present stemming from natural disasters, human error, and equipment failures as well as
physical attacks and cyberattacks over communication lines. Lewis (2020) stated that because of the
multifaceted nature of critical infrastructure protection (CIP), security of these sectors is a difficult task.
The National Infrastructure Protection Plan (NIPP) identifies critical infrastructure as “systems and assets,
whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and
assets would have a debilitating impact on security, national economic security, national public health or
safety, or any combination of those matters” (NIPP, 2013, p. 7). The NIPP also expanded the original eight
sectors defined by PDD63 to 18 as depicted in Table 1 below. The original eight are shown in orange with the
expanded sectors shown in purple.
Agriculture and Food Water Nuclear Reactors
Defense Industrial Base Chemical Information Technology
Energy Commercial Facilities Communications
Healthcare and Public Health Critical Manufacturing Postal & Shipping
National Monuments & Icons Dams Transportation Systems
Banking and Finance Emergency Services Government Facilities
Table 1. Eighteen critical infrastructure and key resource (CIKR) sectors
(NIPP, 2013, p. 9)
As we will cover throughout this course, each CIKR sector has physical, human, and cyber elements. The
impact of each element within each sector and associated vulnerabilities vary from sector to sector. Many
sectors, such as energy, water, and government structures, are heavily reliant on physical components while
others, such as information technology, communications, and transportation systems, have mostly cyber
elements. The air traffic control (ATC) system, as an example, relies heavily on technology to function.
According to the Critical Infrastructures 2003 Report from Congress, the ATC system handles around 3.5
million aircraft movements per month (Moteff, Copeland, & Fischer, 2003). Air transportation systems in the
world including major hubs in the United States rely heavily on computer systems, making them vulnerable to
CORE CONCEPTS
Critical Infrastructures refer to systems such as communication, transportation, waterway,
and financial systems as well as assets such as nuclear plants and major airports so vital to
the economy and security of the United States that their failure or destruction would have an
incapacitating impact on the country (NIPP, 2013).
CYB 4303, Critical Infrastructure Protection in Cybersecurity 4
UNIT x STUDY GUIDE
Title
cyberattacks. The same can be said for electrical power systems, water supplies, banking and finance
systems, and emergency services.
Cybersecurity
Cybersecurity is the protection against the criminal or unauthorized use of electronic data. Because critical
infrastructures make up the backbone of our nation’s economy, health, and security, it stands to reason that
they need protection. Approximately 85% of the critical infrastructures are owned by the private sector, which
makes protection of assets a more complex endeavor (Lewis, 2020).
Barack Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity because critical
infrastructures are so essential to national economic security and national public health and safety. “It is the
policy of the United States Government to increase the volume, timeliness, and quality of cyber threat
information shared with U.S. private sector entities so that these entities may better protect and defend
themselves against cyber threats” (The White House: Office of the Press Secretary, 2013, para. 5). The
National Infrastructure Protection Plan (NIPP) outlines how government and private sector participants work
together to manage risks and achieve security and resilient outcomes.
Policy
Critical infrastructure protection (CIP) starts with policy. All CIP activities take place within policy, laws,
strategy, and plans. Policies and laws provide the authority to implement CIP as written in the Homeland
Security Act of 2002. This act is a mandate to provide the Department of Homeland Security with the proper
authority and assign reporting agencies and policy to establish a framework for the dissemination and sharing
of information affecting critical infrastructures and key resources (Hart & Ramsay, 2011). Other important
presidential directives outlining policy regarding CIP include the Homeland Security Presidential Directives
(HSPD). Of these, HSPD 7 is critical in understanding CIP. HSPD 7 “establishes a national policy for federal
departments and agencies to identify and prioritize United States critical infrastructure and key resources and
to protect them from terrorist attacks” (Department of Homeland Security, 2003, para. 3).
Summary
Critical infrastructure protection (CIP) started long before the events of 9/11. Plans for the protection of key
resources had been proposed, and some implemented, as early as the 1960s. The 9/11 events just
accelerated the proposals already in process as well as identified other areas critical to national security. As
the course progresses, we will examine CIP, its history, and the nation’s CIKRs, including an overview of the
different elements and their impacts within each sector. While there are many cross-sector interdependencies
to review, we will concentrate on the dependencies of the different sectors as they relate to information
technology and the Internet with a focus on highly complex computer-controlled systems. Last, we will also
discuss the major agencies created by the government and their roles in protecting CIKRs. For this unit, the
chapter reading introduces you to the origins of critical infrastructure protection and to the theories of
catastrophe.
References
12019. (2012). Surgery-operation-hospital [Photograph]. Pixabay. https://pixabay.com/en/surgery-operation-
hospital-79584/
Assante, M. J. (2009). Infrastructure protection in the ancient world. Cite Seer X.
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.401.7316&rep=rep1&type=pdf
Breher, T. (2015). Bank note Dollar USD US-dollar money funds bills [Photograph]. Pixabay.
https://pixabay.com/en/bank-note-dollar-usd-us-dollar-941246/
Bukvoed. (2017). Mey-Kedem-H [Photograph]. Wikimedia Commons.
https://commons.wikimedia.org/wiki/File:Mey-Kedem-H-14309
CYB 4303, Critical Infrastructure Protection in Cybersecurity 5
UNIT x STUDY GUIDE
Title
Department of Homeland Security. (2003). Homeland Security Presidential Directive 7: Critical infrastructure
identification, prioritization, and protection. https://www.dhs.gov/homeland-security-presidential-
directive-7
Hart, S., & Ramsay, J. D. (2011). A guide for Homeland Security instructors preparing physical critical
infrastructure protection courses. Homeland Security Affairs, 7(1). 1-27. https://search-proquest-
com.libraryresources.columbiasouthern.edu/docview/1266215283?accountid=33337
LEEROY Agency. (2014). Antenna tower transmission communication [Photograph]. Pixabay.
https://pixabay.com/en/antenna-tower-transmission-498438/
Lewis, T. G. (2020). Critical infrastructure protection in homeland security: Defending a networked nation (3rd
ed.). Wiley.
lkaika. (2015). Pipe water plumbing industrial construction [Photograph]. Pixabay.
https://pixabay.com/en/pipe-water-plumbing-industrial-1159854/
Moteff, J., Copeland, C., & Fischer, J. (2003). Critical infrastructures: What makes an infrastructure critical?
Federaltion of American Scientists. https://fas.org/irp/crs/RL31556
Muhammad, F. (2018). Emergency room hospital ambulance rescue Houston [Photograph]. Pixabay.
https://pixabay.com/en/emergency-room-hospital-ambulance-3323451/
NIPP (2013). U.S. Department of Homeland Security, National Infrastructure Protection Plan. Department of
Homeland Security. https://www.dhs.gov/sites/default/files/publications/national-infrastructure-
protection-plan-2013-508
Petra. (2009). MI promotion Sasketchewan prairie oil production [Photograph]. Pixabay.
https://pixabay.com/en/mi-promotion-sasketchewan-prairie-1044575/
Pexels. (2016). Train transportation platform railroad metro [Photograph]. Pixabay.
https://pixabay.com/en/train-transportation-platform-1285288/
skeeze. (2015). Police highway patrol SWAT team California CHP [Photograph]. Pixabay.
https://pixabay.com/en/police-highway-patrol-swat-team-755410/
The White House, Office of the Press Secretary. (2013, February 12). Executive Order-Improving critical
infrastructure cybersecurity [Press release]. https://obamawhitehouse.archives.gov/the-press-
office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
In order to access the following resources, click the links below.
In the textbook, Figure 3.3 shows how the sand pile experiment simulates a landslide (Lewis, 2020, p. 49).
The Lewis Sandpile video shows an animation of these tables changing during the experiment. Note that
there is no audio in this video.
In the textbook, Figure 3.4 shows diagrams of three Tragedy of Commons scenarios (Lewis, 2020, p. 53). The
Lewis Tragedy of the Commons video in the list found here shows an animation of these tables changing over
time. Note that there is no audio in this video.
In the textbook, Figure 3.6 shows two diagrams of an electric power grid Tragedy of Commons, with
increasingly fragile power grid due to inadequate transmissions (Lewis, 2020, p. 55). The Lewis Transmission
video shows an animation of these tables changing over time. Note that there is no audio in this video.
https://www.wiley.com/legacy/wileychi/lewis/Theories.html?type=SupplementaryMaterial
https://www.wiley.com/legacy/wileychi/lewis/Theories.html?type=SupplementaryMaterial
https://www.wiley.com/legacy/wileychi/lewis/Theories.html?type=SupplementaryMaterial
https://www.wiley.com/legacy/wileychi/lewis/Theories.html?type=SupplementaryMaterial
https://www.wiley.com/legacy/wileychi/lewis/Theories.html?type=SupplementaryMaterial
-
Course Learning Outcomes for Unit I
Required Unit Resources
Unit Lesson
Introduction
Critical Infrastructure Protection (CIP) History
Critical Information and Key Resources (CIKR)
Cybersecurity
Policy
Summary
References
Suggested Unit Resources
Expert paper writers are just a few clicks away
Place an order in 3 easy steps. Takes less than 5 mins.