Target Rich, Cyber Poor: Strengthening Our Nation’s Critical Infrastructure Sectors

Our nation’s critical infrastructure—the services Americans rely on every day—is under continuous threat by nation-state cyber adversaries and cybercriminal organizations around the globe. Over the last several years, we’ve witnessed increasingly frequent and complex attacks against small and medium sized businesses, K-12 schools, water utilities, and healthcare organizations, including hospitals, which were in the past considered “off-limits.” 

Many small and medium sized organizations, think that they’re too small to be targeted by cyber criminals. This is simply not true. In reality, small and medium sized businesses have valuable information that cyber criminals seek and often have fewer resources dedicated to cybersecurity. To counter our adversaries, CISA has been focused on supporting small businesses by sharing key cybersecurity and physical resources and tips—many of which can be found on our Small and Medium Businesses webpage–so small businesses can protect their networks, operations, data, and employees. 

• CISA provides a list of free cybersecurity tools and services provided by private and public sector organizations across the cyber community targeted at small and medium sized organizations.
• CISA created StopRansomware.gov to serve as a one-stop-shop of free resources for organizations of any size to protect themselves from becoming victims of ransomware. 
• CISA’s Power of Hello resources can help business owners and their employees identify and effectively respond to suspicious behavior. 

Small businesses aren’t our adversaries’ only focus—our nation’s critical infrastructure is a priority target as well. Despite efforts by sectors including Water and Wastewater Systems, the Education Services and Facilities Subsector (K-12 Community), and the Healthcare and Public Health (HPH) Sector to invest in additional resources for cybersecurity, they remain at elevated risk from adversaries who see them as highly profitable targets, generally “target-rich, cyber-poor.” Over the past two years, CISA has been working closely with industry partners in these sectors, along with their Sector Risk Management Agencies—Environmental Protection Agency for water, Department of Education for K-12, and the Department of Health and Human Services for hospitals—to help them understand the threats they face and increase their cyber defenses and resilience. 

These partnership engagements include providing risk assessments and risk mitigation guidance; coordinating cross-sector mitigation planning; sharing information and tools to strengthen the security of critical infrastructure; and conducting exercises and simulations of cybersecurity and all hazard incidents to build preparedness and resilience.  

In 2023, these efforts involved nearly 6,700 stakeholder engagements with public and private sector participants, including almost 2,700 engagements with the healthcare community; more than 1,700 with the water sector; and more than 2,200 with the K-12 community. We ramped up this work in 2024, completing over 9,400 engagements, including 3,900 with healthcare, 3,400 with water entities, and more than 2,000 with schools.  

We also published several key products focused on these sectors, bringing together existing resources to ensure easy access. These include: 

• Cybersecurity for K-12 Education webpage 
  • Protecting Our Future: Partnering to Safeguard K-12 Organizations from Cybersecurity Threats report and toolkit
• Healthcare and Public Health Cybersecurity webpage, Joint Healthcare and Public Health (HPH) Sector Cybersecurity Toolkit with HHS and the HPH Sector Coordinating Council
  • HPH Sector CISA Tabletop Exercise Package (CTEP)
• Water and Wastewater Cybersecurity webpage
  • Water/Wastewater Systems CTEP
  • Joint cyber hygiene fact sheet for water
  • Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems | CISA

In addition to these no-cost resources, we manage grant programs to help our State, Local, Tribal, and Territorial (SLTT) partners build cybersecurity capacity. The Infrastructure Investment and Jobs Act of 2021 established the first-of-its-kind State and Local Cybersecurity Grant Program to support SLTT governments across the country and appropriated $1 billion for this program. The program enables access to funding to address cyber threats and vulnerabilities, identify and evaluate needed capabilities, implement measures to mitigate the threats, and develop a modern cyber workforce across local communities. We support these efforts with a suite of available resources, including state cybersecurity coordinators and cybersecurity advisors located in communities across the nation. 

While these programs are making an impact in communities across the nation to reduce the risk of cyber threats, more remains to be done to protect our most vulnerable and essential sectors from nation state and criminal threats. This requires the participation and support of all organizations, large and small, urban and rural. As I’ve said for years, everybody has a role to play in cybersecurity and we need everybody to play their role. If you haven’t already, please check out all of the free resources available to you and engage with your local CISA partners located in your towns and cities. With support from our public and private sector partners, Congress, and our teammates located throughout the country, CISA is here to help.