Critical Infrastructure#
Reference of national-critical-infrastructure sector taxonomies used in cybersecurity, regulation, and incident-response work. The DHS / CISA 16-sector model is the US baseline; EU NIS2 defines a parallel set; each major country has its own list.
For sector-specific cyber threats, see Hacking and Malware. For agencies that protect them, see Law Enforcement and Intelligence Disciplines.
US: 16 Critical Infrastructure Sectors (PPD-21)#
Sector |
Notes (Sector Risk Management Agency) |
|---|---|
Chemical |
DHS / CISA. |
Commercial Facilit. |
DHS / CISA. |
Communications |
DHS / CISA; telecoms, ISPs, cable. |
Critical Manufactur |
. DHS / CISA. |
Dams |
DHS / CISA. |
Defense Industrial Base |
DoD. |
Emergency Services |
DHS / CISA; LE, fire, EMS, search-and-rescue. |
Energy |
DOE; electric, oil, gas. |
Financial Services |
Treasury. |
Food and Agricultur |
e USDA + HHS / FDA. |
Government Facilit. |
DHS / CISA + GSA. |
Healthcare and PH |
HHS. |
IT |
DHS / CISA. |
Nuclear Reactors, Materials, Waste |
DHS / CISA + NRC. |
Transportation Sys. |
DHS / TSA + USCG (maritime). |
Water and Wastewater |
EPA. |
EU NIS2 sectors (since 2024)#
Sector |
Notes |
|---|---|
Energy |
electricity, district heating + cooling, oil, gas, hydrogen. |
Transport |
air, rail, water, road. |
Banking |
credit institutions. |
Financial market infrastructure |
MiFID-regulated. |
Health |
healthcare providers, EU pharma research, manufacturers of medical devices. |
Drinking water Wastewater |
suppliers + distributors. |
Digital infrastructure |
IXPs, DNS, TLD, cloud, data centers, CDNs, trust services (eIDAS), public electronic comms, MSPs. |
ICT service mgmt. |
MSPs, MSSPs. |
Public administration |
Gov entities. |
Space, postal + courier, waste management |
Ground-based infrastructure operators. |
Manufacture / production / distribution of chemicals |
Industrial chemicals supply chain. |
Production / process / distribution of food |
Agri-food supply chain. |
Manufacturing of sectoral products |
Medical, computer / electronic / optical, electrical, machinery, motor vehicles, transport equipment. |
Digital providers |
marketplace, search engine, social platforms. |
Research |
R&D institutes. |
NIS2 splits entities into Essential (highest obligations) and Important (lighter); transposition deadline was Oct 2024.
UK Critical National Infrastructure (CNI)#
Sector |
Lead |
|---|---|
Chemicals |
HSE. |
Civil Nuclear |
ONR. |
Communications |
DCMS / Ofcom. |
Defence |
MoD. |
Emergency Services |
Home Office + others. |
Energy |
DESNZ + Ofgem. |
Finance |
HMT + FCA + BoE. |
Food |
DEFRA + FSA. |
Government |
Cabinet Office. |
Health |
DHSC + NHS. |
Space |
UKSA + DSIT. |
Transport |
DfT + CAA. |
Water |
DEFRA + Ofwat. |
Canada (Public Safety Canada)#
10 critical infrastructure sectors: Energy + utilities, Finance, Food, Transportation, Government, Information + communication technology, Health, Water, Safety, Manufacturing.
Australia (SOCI Act 2018, expanded 2022)#
11 critical sectors: Communications, Data + cloud, Defence industry, Energy, Financial services + markets, Food + grocery, Healthcare + medical, Higher education + research, Space technology, Transport, Water + sewerage.
Cross-sector frameworks#
Framework |
Notes |
|---|---|
NIST CSF 2.0 |
cybersecurity framework; voluntary baseline used by all sectors. |
NIST SP 800-82 |
Industrial Control Systems security guide. |
ISA / IEC 62443 |
ICS / OT security standard series. |
NERC CIP |
North American bulk-electric-system mandatory standards. |
TSA Pipeline Security Directives |
US natural-gas + hazardous liquid pipelines (2021+). |
TSA Surface Transportation |
freight rail, public transit, OTRB. |
DOE C2M2 |
Cybersecurity Capability Maturity Model. |
HITRUST CSF |
healthcare baseline. |
PCI DSS |
payment-card industry. |
Operator notes#
ICS / OT vs IT, separate networks, separate skill set, separate adversary tradecraft (TRITON, Industroyer, BlackEnergy showcase).
Air-gap reality, “air-gapped” rarely means truly isolated; USB / vendor laptop / backup network frequently bridge.
Vendor concentration, Schneider Electric, Siemens, Rockwell Automation, ABB, Emerson, Honeywell, GE Vernova are the dominant ICS vendors; vulnerabilities in their stacks cascade.
CRITICAL alerts, CISA / NCSC / BSI / ANSSI emit joint advisories on cross-border ICS threats; integrate into the detection pipeline.
Sector-ISACs, E-ISAC (electricity), FS-ISAC (financial), H-ISAC (health), DNG-ISAC (downstream natural gas), Auto-ISAC, Aviation-ISAC, etc. share threat intel within their sector.