It’s not surprising that we have to protect our critical infrastructure from cyberattacks. What might be a surprise is what all constitutes critical infrastructure.

There are actually 16 sectors where the United States government has set up critical infrastructure cybersecurity. “These ‘sectors’ are areas in which both public and private organizations provide vital ‘assets, services, systems, and networks’ to the citizens of the United States.”

When you think of critical infrastructure, the first things that probably comes to mind are things like utilities. Some of the more obvious ones are energy services, nuclear reactors, water and wastewater systems, the chemical sector, transportation systems and communications. But critical infrastructure is more than just utilities.

There are less obvious ones that also constitute critical infrastructure. These include the financial services sector, food and agriculture, healthcare, emergency services, transportation and the defense industrial base.

When viewed in this way, a large percentage of the economy comprises critical infrastructure. Consequently, critical infrastructure presents a very large attack surface. That’s just one of the reasons why it’s so challenging to protect critical infrastructure from cyberattacks.

Unique Security Challenges of Critical Infrastructure

It’s everywhere and it’s not always protected very well. Those are the big challenges when it comes to defending critical infrastructure from cyberattacks.

To be sure, much of the critical infrastructure in place has been there so long, it was there before cyberattacks were a major concern. As a result, not many of these legacy services are natively prepared to defend against cyberattacks.

None of this is news, and there is a concerted effort to upgrade critical infrastructure as fast as possible. But the sheer amount of critical infrastructure precludes it from happening quickly.

So, what are some options in the meantime?

A Scalable Solution

Whatever the solution to address the “interim” vulnerability of critical infrastructure, the one thing we know for sure is that it must be scalable. Given the size of the attack surface, bespoke or one-off solutions will take too long to implement. It needs to be something that is quickly and easily implemented and highly scalable.

We can get some clue on how to do this from the North American Electric Reliability Corporation (NERC), who is responsible for the security of the bulk power systems in the US. NERC has come up with a framework for protecting its critical infrastructure. One of the standards of the framework, CIP-007 System Security Management, talks about the “use of malicious software prevention tools to detect and prevent malware on all cyber assets within the electronic security perimeter.”

Use software to prevent malware. That sounds an awful lot like threat modeling – because it is. Threat modeling identifies threats and recommends mitigations to prevent malware (and other threats).

Threat modeling fits NERCs’ framework for system security management. And it satisfies the other two requirements: it is easily implemented and highly scalable. Until all critical infrastructure sectors can deploy the necessary upgrades to thwart cyberattacks, a good solution is to implement sector-wide threat modeling.

One way to make threat modeling even easier to implement and scale is to take advantage of existing threat modeling tools. And if you’re not sure which ones, we suggest you begin with ThreatModeler.

ThreatModeler is a highly-scalable and collaborative threat modeling platform that comes as close to one-click threat modeling as there is. The perfect solution for critical infrastructure.

For questions or to learn more about ThreatModeler™ please contact us.


ThreatModeler revolutionizes threat modeling during the design phase by automatically analyzing potential attack surfaces. Harness our patented functionalities to make critical architectural decisions and fortify your security posture.

Learn more >


Threat modeling remains essential even after deploying workloads, given the constantly evolving landscape of cloud development and digital transformation. CloudModeler not only connects to your live cloud environment but also accurately represents the current state, enabling precise modeling of your future state

Learn more >


DevOps Engineers can reclaim a full (security-driven) sprint with IAC-Assist, which streamlines the implementation of vital security policies by automatically generating threat models through its intuitive designer.

Learn more >