Solar power system inverter error code that indicates that the voltage on the grid is too high. The security of power grids even if they have been attacked from cyberspace by hostile actors is not even mentioned in CISA’s plan to protect critical “Physical” infrastructure. (photo by the author)
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new international strategic plan for “the protection and security of our cyber and physical infrastructure.[1]” It is called an “international” plan because CISA recognises that “In today’s interdependent and interconnected world, the protection and security of our cyber and physical infrastructure requires the concerted efforts of public and private partners around the globe.[2]” The plan goes on to describe a variety of interagency and international initiatives that will promote collaboration not only in information sharing about threats but also in activities at the operational level.[3] It also makes a point of saying that it is in alignment with previously issued USG documents such as the National Cybersecurity Strategy. Initially for me a warning flag was raised[4]. What follows are my initial observations of the plan.
The document starts out with an ambiguity. It calls for the protection of cyber and physical infrastructure. The authors may assume the reader will understand what is meant by “cyber” and “physical infrastrcuture” but this writer does not. Neither term is defined to help the reader. If a a bridge or railroad is considered to be physical infrastrcuture I have no problem with that until I think that bridges and railroads (especially railroads) have a cyber dimension to them. If power grids and pipelines are meant, then the cyber component is a integral part of them for they can not operate without the technologies used to monitor and control the physical processes taking place. It is quite telling that power grids are not even mentioned in the sentences where critical infrastructure is listed. For example on page 6 the plan notes the “full range of critical infrastructure sectors: pipelines, telecommunications, and essential supply chains, among others.[5]” Well if the criteria for sectors is chosen according to the level of international links and dependencies to US infrastructure, then how could the writers forget about the US power grid in the northeast which is linked with the power grid of Canada? A grid that has experienced some famous outages in 1965[6] and 2003[7]. The lack of a mention of power grids as a sector requiring protection sounds strange since many should still remember the December 2015 and December 2016 blackouts on parts of Ukraine’s power grid done by hostile cyber actors in the context of Russia’s aggression against Ukraine. Then there was the failure of a cross-bar coupler at a single substation which caused the separation of the European power grid in 2021[8]. Please note the last event was about a hardware failure. Will get back to that later.
I tried to figure out what CISA considers to be cyber infrastructure and found another ambiguity when I read the sentence: “Malicious cyber actors continue to exploit vulnerabilities across these sectors to target critical infrastructure through ransomware and other cyberattacks.” It would be useful to know what CISA considers to be “other cyber-attacks.” In the “other” category I assume they include APT actors that are supported by states and seek to deny or degrade view and control of a physical process taking place on a power grid, petrochemical plant or water facility. I mentioned cyber attacks on power grids in Ukraine, but I wonder if the authors of this document are aware of the Triton/Trisis and other attacks on control systems that have been attributed to state actors. Ransomware of course is serious and should be addressed in the plan, but these attacks take place in the IT side of the opearation. Ransomware to my knowledge has yet to be planted on a plc placed at a pipeline controlling a valve or a protection device protecting the transformer at a substation. The writers of this document should keep in mind that the technologies used to monitor and control processes governed by the laws of physics and chemistry in physical infrastructure (transportation, energy, chemical, water) all operatate in the realm of “cyber infrastrcuture”. They should make that point clearer.
Ok, one might say, this is a high-level document and not meant to be detailed. So what if power grids and APTs are not explicitly stated. Relax, it is all included between the lines and move on.
So I read on and learned about the ways the plan will be implemented. Information sharing about cyber and infrastructure security is a good idea but is nothing new to anyone working in cyber policy in the last 20 years. It has been tried again and again and with some limited success. One stumbling block is fear. Fear of losing reputation that could harm competetiveness. What is new is a change toward a more militaristic tone. In additional to collaboration on information sharing there is the new proposal for “operational collaboration”. The word operaitonal is used 11 times in the document in contexts that include “joint operational activities” to develop a capacity to respond to incidents[9].
The invitation to the internatonal collaboration party is restricted to those few that align themselves with US policy interests. So those nations on the “list of usual suspects” (for ex. Russia, China, Iran, N. Korea) will not be participating. This is clearly stated several times where partners are discussed (the word “partners” is used 67 times). For example, one section heading is titled: “Strengthen international partnerships that promote U.S. critical infrastructure priorities and interests abroad[10]” This pehaps is in recognition of certain realities but it is also a sign that blocs (barricades) are forming and that preparations for more intesive forms of conflict with these nations are underway. I suspect that they think the expected conflict will be more open and more below the belt, hence the concern about protecting interdependent and shared physical infrastructure they have in common with partners or allies.
I also tried to figure out what the authors of this document were really protecting regardless of all the language about physcial infrastructure. I read on and said to my self, “don’t, please don’t”, but alas it seems that protecting software is what they have in mind. That is why ransomware is mentioned and why among the measures proposed are “adoption of software bills of materials” and “global commitment to safe and secure software development and Deployment[11].” The term “secure by design” is used but I am not convinced that they have IACS or control systems in mind. Work is needed in desgining a system where if a ransomware attack takes place on the IT side of the enterprise, they do not have to out of caution shut down the physical process side that was unaffected. As an example, I have in mind the Colonial Pipeline ransomare case[12].
I thought that I had read enough to start forming conclusions, but I thought ok, take a look at the defintion section which is called “Terms of Reference” on page 13 as part of an appendix, not part of the introduction where key terms are usually defined[13]. CISA could have at least called up their colleagues at NIST where they could have found some definitions that were more relevant for their document. Athough the importance of applying standards (mentioned 20 times) is part of the plan. No standard is given as an example. Instead, a criteria is given that the standard must be in line with US policy. Why not in line with the interests of those who operate critical infrastructure? I quote:
“In coordination with government, industry, and academic partners, increase the development and publication of technical standards for adoption by international standards and policy setting bodies that advance the protection, interoperability, and resilience of U.S. critical infrastructure” [14].
Not a sign that the authors understand the purpose of a standard. To help fill the gap between IT and physical infrastructure the authors could have called someone at a standards organisation like the International Society of Automation and have learned about the ISA/IEC Industrial Automation and Control System (IACS) standard 62443-1-1[15]. There they could have found some useful definitions while learning at the same time, that protecting the software will not be enough to meet the goals of their “International strategic plan”.
The authors note that this plan is the first since the creation of CISA in 2018. I beg to point out that before that happened there was a US-CERT and US-ICS-CERT which was combined to form CISA. I have long criticised this merging as a bad move for in CISA pronouncements such as this one the ICS-CERT side of the house seems not to have been consulted in the preparion of this document. That is if any engineers with knowledge of how C.I. runs are still working there.
Sorry to be so critical but I only point out one case where IT bias and emphasis on software over hardware is found. You can read my comments about the EU’s CRA and NIS2 programs as blogs on the web[16]. The problem of working with lousy answers to the questions of what must be protected and from what threats is Trans Atlantic in nature and not limited to just one continent.
[1] https://www.cisa.gov/2025-2026-cisa-international-strategic-plan
[2] Ibid., p.3
[3] Ibid., p.4
[4] Read my earlier critique at http://scadamag.infracritical.com/index.php/2023/03/15/impressions-of-the-u-s-national-cybersecurity-strategy-of-2023/
[5] Ibid. p.6
[6] https://www.history.com/this-day-in-history/the-great-northeast-blackout
[7] https://www.ieso.ca/corporate-ieso/media/also-of-interest/blackout-2003
[8] https://www.entsoe.eu/news/2021/07/15/final-report-on-the-separation-of-the-continental-europe-power-system-on-8-january-2021/
[9] https://www.cisa.gov/2025-2026-cisa-international-strategic-plan p. 7.
[10] Ibid., p. 9.
[11] Ibid., p. 9.
[12] https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/#google_vignette
[13] Ibid., p. 13.
[14] Ibid., p. 8
[15] https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
[16] http://scadamag.infracritical.com/index.php/2023/09/19/the-european-union-moves-to-regulate-its-digital-economy-by-proposing-cybersecurity-requirements-is-the-cra-a-bridge-too-far/
