Shields Ready Critical Infrastructure Initiative Addresses Inevitable Cyberattack

A cyberattack is coming, disasters are certain, and the US government wants critical infrastructure firms ready to handle any disruption. Welcome to Shields Ready.

The US government has issued a series of prescriptions for preparing critical infrastructure operators for disasters, physical attacks, and cyberattacks, with an emphasis on the ability to recover from disruptions in the future.
The initiative, dubbed Shields Ready, aims to convince 16 identified critical infrastructure sectors to invest in hardening their systems and services against any disruption, no matter the source. The effort, spearheaded by both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), assumes that attacks and disasters will happen and calls on critical infrastructure operators to prepare to keep services running.
The interconnectedness of the 16 critical infrastructure sectors, and the supply chain on which they rely, means preparedness is critical, said Jen Easterly, director of CISA.
Our nations critical infrastructure entities — from schools to hospitals to water facilities — must have the tools and resources to respond to and recover from disruption, she
said in a statement
. By taking steps today to prepare for incidents, critical infrastructure, communities and individuals can be better prepared to recover from the impact of the threats of tomorrow, and into the future.
The dangers to critical infrastructure have increased in recent years, with disruptions caused by severe disasters — such as the wildfires in California and the coronavirus pandemic — and cyberattacks. In the past five years, for example, pharmaceutical firm Merck
suffered a major outage
because of the NotPetya cyberattack in 2017, while this year competitor Pfizer
suffered a tornado strike
on a major warehouse that caused disruptions to the supply of certain drugs. And famously, in May 2021, US pipeline operator Colonial Pipeline
suffered a ransomware attack
, shutting down its services for a week, which led to gas shortages throughout the southeast United States.
A previous campaign, known as Shields Up, focused on convincing critical infrastructure organizations to take defensive actions in reaction to specific threat intelligence. Shields Ready is all about preparing for the worst across the board, says Michael Hamilton, co-founder and CISO of Critical Insight, a cybersecurity consultancy.
The hidden message here is, its coming, and looking around the world, its not that hard to predict, he says, pointing to regular FBI and CISA warnings to industrial control and critical infrastructure providers. Its not hard to put two and two together and say, you know the threat level has gone up for infrastructure disruption.
A problem for the initiative is that many of the current recommendations are voluntary and informational. Since November has been designated Critical Infrastructure Security and Resilience Month, CISA
published a toolkit
for critical infrastructure providers, a 15-page document covering specific threats, security challenges, and self-assessment exercises. The agency also
published
the Infrastructure Resilience Planning Framework (IRPF) and guides on how to develop a resilient supply chain and how to respond to a cyberattack.
Still, the effort lacks regulatory teeth, says Tom Guarente, vice president of government affairs at Armis, an operational technology (OT) security firm.
What it appears to really be about is building resilience in terms of starting with situational awareness, talking about the importance of sharing information between public and private sector entities, he says. They say theres a toolkit, and but the toolkit appears to be made up mostly of guidelines — you know, PDF documents. So the short answer is, I dont know what will come out of the Shields Ready campaign.
Yet coming up with general guidelines under the umbrella of Shields Ready for all 16 critical infrastructure sectors is likely impossible, so it is unsurprising that the initial effort lacks details, says Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, a provider of cybersecurity for OT networks. Each critical infrastructure sector has a
Sector Risk Management Agency
— typically the Department of Homeland Security, but in some cases the Department of Energy, Defense, Health and Human Services, or Transportation is the designated SRMA — that will make sector-specific guidelines and requirements.
I think the government is more in an audit mode today, she says. It’s important to remember that critical infrastructure is not monolithic, there’s no one-size-fits-all security plan, program, or set of controls that benefits all 16 sectors the same.
Those efforts, for the most part, appear to take a light touch toward getting industry executives on board. Because security continues to be a cost center — the tax of doing business — companies naturally want to minimize those expenditures, which is why punitive action will likely be necessary to get many of the recommendations implemented, says Critical Insights Hamilton.
Holding executives liable for their companys performance during a disaster or a cyberattack — such as
the charges against the CISO of SolarWinds
— has already been a rude awakening for the industry, he says.
Having briefed senators, generals, and governors, Ive found that you can talk about scary Russians, supply chains, buffer overflows, and SQL injection all you want, and youre just gonna get eye-rolling, Hamilton says. But as soon as you say executive negligence, you have an audience. Thats exactly what the government is doing — they are going to hold executive leadership as negligent and thats getting everybodys attention.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Shields Ready Critical Infrastructure Initiative Addresses Inevitable Cyberattack