Threats to Critical Infrastructure

A Survey

Bridget R. Kane, Stephen Webber, Katherine H. Tucker, Sam Wallace, Joan Chang, Devin McCarthy, Dennis Murphy, Daniel Egel, Tom Wingfield

ResearchPublished Jun 11, 2024

U.S. critical infrastructure supports the prosperity of the nation and its people. It permeates the daily lives of citizens, underpinning the safety and security of the general public and ensuring the economic well-being of the nation, yet the health of these assets, systems, networks, and facilities is often taken for granted. In this report, the authors analyze threats and hazards to critical infrastructure and examine the vectors by which an adversary might conduct attacks against the homeland. They also look at the cascading effects of an attack and other impacts resulting from infrastructure age and maintenance and from weather challenges, and they offer characterizations of various types of threat actors and vectors to raise awareness of systemic vulnerabilities and threat environments that can affect critical U.S. infrastructure.

Key Findings

  • For this report, critical infrastructure is broadly defined as systems and assets so vital to the United States that their loss would have a debilitating effect on national security, public health, or safety. The authors divide these assets into seven sectors: energy, transportation, financial services, communications, health care, water, and municipal services.
  • Impacts resulting from critical infrastructure attacks or vulnerabilities are often intensified by interdependencies and cascading effects across sectors and geographic boundaries; therefore, singular events are not really singular and will have outsize effects.
  • There is a high degree of interdependence in some sectors; the resulting difficulty in isolating the effects of an attack to a single actor or category makes attribution particularly challenging.
  • Hesitancy by private organizations to share details about specific threats or threat actors often stems from concerns regarding customer confidence, legal liabilities, or proprietary technology; this hinders information-sharing efforts, planning, response, recovery, and collaboration between affected entities and other stakeholders.
  • Infrastructure protection often requires a deep understanding of targeted infrastructure; highly trained individuals are needed to address these mitigations at the system level and work with other sector experts on cross-sector impacts.
  • Some sectors have underinvested in much-needed enhancements to infrastructure networks, assets, systems, and facilities; this increases the likelihood of disruption and interruption of services.
  • Sector authorities are often decentralized, and assets are largely privatized; resulting silos can create challenges in coordination and complicate efforts to maintain and enhance critical infrastructure.

Topics

Document Details

Citation

RAND Style Manual
Kane, Bridget R., Stephen Webber, Katherine H. Tucker, Sam Wallace, Joan Chang, Devin McCarthy, Dennis Murphy, Daniel Egel, and Tom Wingfield, Threats to Critical Infrastructure: A Survey, RAND Corporation, RR-A2397-2, 2024. As of September 9, 2024: https://www.rand.org/pubs/research_reports/RRA2397-2.html
Chicago Manual of Style
Kane, Bridget R., Stephen Webber, Katherine H. Tucker, Sam Wallace, Joan Chang, Devin McCarthy, Dennis Murphy, Daniel Egel, and Tom Wingfield, Threats to Critical Infrastructure: A Survey. Santa Monica, CA: RAND Corporation, 2024. https://www.rand.org/pubs/research_reports/RRA2397-2.html.
BibTeX RIS

This research was sponsored by the Office of the Director of National Intelligence and conducted within the International Security and Defense Policy Program of the RAND National Security Research Division.

This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.