Critical Infrastructure#

Reference of national-critical-infrastructure sector taxonomies used in cybersecurity, regulation, and incident-response work. The DHS / CISA 16-sector model is the US baseline; EU NIS2 defines a parallel set; each major country has its own list.

For sector-specific cyber threats, see Hacking and Malware. For agencies that protect them, see Law Enforcement and Intelligence Disciplines.

US: 16 Critical Infrastructure Sectors (PPD-21)#

Sector

Notes (Sector Risk Management Agency)

Chemical

DHS / CISA.

Commercial Facilit.

DHS / CISA.

Communications

DHS / CISA; telecoms, ISPs, cable.

Critical Manufactur

. DHS / CISA.

Dams

DHS / CISA.

Defense Industrial Base

DoD.

Emergency Services

DHS / CISA; LE, fire, EMS, search-and-rescue.

Energy

DOE; electric, oil, gas.

Financial Services

Treasury.

Food and Agricultur

e USDA + HHS / FDA.

Government Facilit.

DHS / CISA + GSA.

Healthcare and PH

HHS.

IT

DHS / CISA.

Nuclear Reactors, Materials, Waste

DHS / CISA + NRC.

Transportation Sys.

DHS / TSA + USCG (maritime).

Water and Wastewater

EPA.

EU NIS2 sectors (since 2024)#

Sector

Notes

Energy

electricity, district heating + cooling, oil, gas, hydrogen.

Transport

air, rail, water, road.

Banking

credit institutions.

Financial market infrastructure

MiFID-regulated.

Health

healthcare providers, EU pharma research, manufacturers of medical devices.

Drinking water Wastewater

suppliers + distributors.

Digital infrastructure

IXPs, DNS, TLD, cloud, data centers, CDNs, trust services (eIDAS), public electronic comms, MSPs.

ICT service mgmt.

MSPs, MSSPs.

Public administration

Gov entities.

Space, postal + courier, waste management

Ground-based infrastructure operators.

Manufacture / production / distribution of chemicals

Industrial chemicals supply chain.

Production / process / distribution of food

Agri-food supply chain.

Manufacturing of sectoral products

Medical, computer / electronic / optical, electrical, machinery, motor vehicles, transport equipment.

Digital providers

marketplace, search engine, social platforms.

Research

R&D institutes.

NIS2 splits entities into Essential (highest obligations) and Important (lighter); transposition deadline was Oct 2024.

UK Critical National Infrastructure (CNI)#

Sector

Lead

Chemicals

HSE.

Civil Nuclear

ONR.

Communications

DCMS / Ofcom.

Defence

MoD.

Emergency Services

Home Office + others.

Energy

DESNZ + Ofgem.

Finance

HMT + FCA + BoE.

Food

DEFRA + FSA.

Government

Cabinet Office.

Health

DHSC + NHS.

Space

UKSA + DSIT.

Transport

DfT + CAA.

Water

DEFRA + Ofwat.

Canada (Public Safety Canada)#

10 critical infrastructure sectors: Energy + utilities, Finance, Food, Transportation, Government, Information + communication technology, Health, Water, Safety, Manufacturing.

Australia (SOCI Act 2018, expanded 2022)#

11 critical sectors: Communications, Data + cloud, Defence industry, Energy, Financial services + markets, Food + grocery, Healthcare + medical, Higher education + research, Space technology, Transport, Water + sewerage.

Cross-sector frameworks#

Framework

Notes

NIST CSF 2.0

cybersecurity framework; voluntary baseline used by all sectors.

NIST SP 800-82

Industrial Control Systems security guide.

ISA / IEC 62443

ICS / OT security standard series.

NERC CIP

North American bulk-electric-system mandatory standards.

TSA Pipeline Security Directives

US natural-gas + hazardous liquid pipelines (2021+).

TSA Surface Transportation

freight rail, public transit, OTRB.

DOE C2M2

Cybersecurity Capability Maturity Model.

HITRUST CSF

healthcare baseline.

PCI DSS

payment-card industry.

Operator notes#

  • ICS / OT vs IT, separate networks, separate skill set, separate adversary tradecraft (TRITON, Industroyer, BlackEnergy showcase).

  • Air-gap reality, “air-gapped” rarely means truly isolated; USB / vendor laptop / backup network frequently bridge.

  • Vendor concentration, Schneider Electric, Siemens, Rockwell Automation, ABB, Emerson, Honeywell, GE Vernova are the dominant ICS vendors; vulnerabilities in their stacks cascade.

  • CRITICAL alerts, CISA / NCSC / BSI / ANSSI emit joint advisories on cross-border ICS threats; integrate into the detection pipeline.

  • Sector-ISACs, E-ISAC (electricity), FS-ISAC (financial), H-ISAC (health), DNG-ISAC (downstream natural gas), Auto-ISAC, Aviation-ISAC, etc. share threat intel within their sector.

References#