Critical Infrastructure Cybersecurity Compliance: Frameworks and Threat Modeling

Operators of critical infrastructure face heightened expectations to protect national interests, maintain service continuity, and withstand cyberattacks. Regulations worldwide emphasize threat-informed decision-making, continuous risk assessment, and secure-by-design practices, all of which align with threat modeling.

ThreatModeler empowers critical infrastructure providers to embed threat modeling into their cybersecurity and compliance programs. Our platform supports 180+ global frameworks, helping organizations identify attack vectors, prioritize risks, validate controls, and maintain audit readiness at scale.

The summaries below cover major critical infrastructure regulations and frameworks, showing where each requires or aligns with threat modeling and how ThreatModeler supports compliance through continuous, architecture-aware risk analysis.

NIST Cybersecurity Framework (CSF) 2.0

Description: Voluntary framework for improving critical infrastructure cybersecurity across sectors.

Specifics: Organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern is new in CSF 2.0 and covers risk management strategy, roles and policy, and oversight of supply chain risk.

Threat Modeling Alignment: The ‘Identify’ function (asset management and risk assessment) asks organizations to understand their business context, assets, threats, and risks, which is exactly the input and output of a threat model; the ‘Govern’ function supplies the risk management strategy against which modeled threats are prioritized.

As specified in the framework:
“Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.”

Description: A separate set of recommended baseline cybersecurity goals for critical infrastructure sectors, developed in coordination with the NIST CSF.

Specifics: Includes asset management, vulnerability mitigation, detection, and incident response.

Threat Modeling Alignment: Although the goals do not use the term ‘threat modeling,’ they call for understanding which assets are exposed, which threat actors target them, and which vulnerabilities to mitigate first, which is the information a threat model produces.

As specified in this guidance:
“Organizations should identify and manage cybersecurity risks to systems, assets, data, and capabilities by using threat-informed risk assessments to inform prioritized action.”

NIS2 Directive (EU) 2022/2555

Description: Directive aimed at improving the resilience of critical infrastructure and essential services in the EU.

Specifics: Expands the scope of the original NIS Directive to a wider set of sectors, replaces the operator-of-essential-services category with ‘essential’ and ‘important’ entities, and sets explicit cybersecurity risk management and incident reporting obligations for both.

Threat Modeling Alignment: Supports threat modeling through its required risk management measures, which include risk analysis and information system security policies, incident handling, supply chain security, and vulnerability handling and disclosure.

As specified in the directive:
“Entities shall take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems… including measures that ensure the prevention or minimization of the impact of incidents.”

UK NIS Regulations (2018)

Description: Transposes the original EU NIS Directive (2016/1148) into UK law and mandates cyber resilience in essential services such as water, energy, and transport.

Specifics: Applies to operators of essential services and digital service providers.

Threat Modeling Alignment: Requires operators to implement appropriate and proportionate technical and organisational measures, which presupposes a documented analysis of the risks to the systems they operate.

As specified in the regulation:
“The operator must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of network and information systems which that operator uses.”

Critical Information Infrastructure Protection Policy – Singapore

Description: Cyber Security Agency (CSA) Regulation for securing Singapore’s designated critical information infrastructure.

Specifics: Applies to sectors like energy, water, healthcare, transport, and government.

Threat Modeling Alignment: Aligns strongly with threat modeling through its requirements for security-by-design, risk evaluation, and integration of threat intelligence.

As specified in the regulation:
“Owners of critical information infrastructure must conduct regular cybersecurity risk assessments and implement technical measures that consider threats, vulnerabilities, and potential impacts on services critical to national interests.”

National Cybersecurity Strategy – Mexico

Description: Policy document defining Mexico’s approach to critical infrastructure protection and cross-sector cyber resilience.

Specifics: Emphasizes multi-sector cooperation, detection, and coordinated response.

Threat Modeling Alignment: Encourages threat modeling principles by calling for the identification of vulnerabilities and threats in critical infrastructure and for risk-based prevention, detection, and response plans.

As specified in the strategy:
“Promote the development of mechanisms that allow for the identification of vulnerabilities and threats in critical infrastructure and the creation of plans for prevention, detection, and coordinated response to cybersecurity incidents.”
