Critical infrastructure, or critical national infrastructure (CNI) in the UK, describes infrastructure considered essential by governments for the functioning of a society and economy and deserving of special protection for national security.[1] Critical infrastructure has traditionally been viewed as under the scope of government due to its strategic importance, yet there is an observable trend towards its privatization, raising discussions about how the private sector can contribute to these essential services.[2] It is important to distinguish between critical maritime infrastructure (CMI) and critical terrestrial infrastructure (CTI) because CMI reflects the maritime dimension of critical infrastructure while CTI reflects the land-based dimension.[3]
Critical infrastructure systems share several common characteristics that distinguish them from non-critical assets. These systems provide essential services whose disruption can result in significant impacts to public safety, economic stability, national security, and societal well-being.[4]
Critical infrastructure is typically characterized by high levels of interdependency across sectors, meaning that failures in one system can trigger cascading effects in others. For example, disruptions to electrical power systems can impair telecommunications, healthcare delivery, water treatment, and financial services simultaneously.[5]
Many critical infrastructure assets are owned and operated by private entities, while regulatory oversight and coordination are often managed by government agencies. This structure necessitates close public–private collaboration to ensure effective risk management and continuity of essential services.[6]
Critical infrastructure sectors are highly interconnected through physical, cyber, geographic, and logical dependencies. As a result, disruptions can propagate across multiple sectors, amplifying the overall impact of an incident. These cascading failures have been observed during large-scale power outages, natural disasters, and cyber incidents affecting industrial control systems.[7]
Understanding and managing these interdependencies is a central component of infrastructure risk assessment and resilience planning. Researchers and policymakers emphasize that failure to account for cross-sector dependencies can lead to underestimation of risk and ineffective mitigation strategies.[8]
Modern critical infrastructure protection strategies increasingly emphasize resilience in addition to prevention. Resilience refers to the ability of systems to withstand disruptions, continue delivering essential functions, and recover rapidly following adverse events. This approach recognizes that not all threats can be fully prevented, particularly in complex and highly connected environments.[9]
Resilience planning typically includes redundancy, system diversity, incident preparedness, coordinated response planning, and recovery mechanisms. These measures are designed to reduce both the likelihood and severity of service disruptions across critical sectors.
Additional discussion of infrastructure resilience, interdependencies, and incident management approaches is provided in practitioner-focused literature on critical infrastructure operations and response planning.[10]
The threat landscape affecting critical infrastructure has expanded with increased digitalization and connectivity. Cyber attacks targeting operational technology and industrial control systems have become more frequent, with incidents ranging from ransomware to state-sponsored intrusions.[11]
Geopolitical tensions, hybrid warfare tactics, and climate-related hazards have further heightened concern regarding infrastructure vulnerability. In response, many governments have introduced regulatory requirements focused on risk assessment, incident reporting, and resilience enhancement for critical infrastructure operators.[12]
Effective protection of critical infrastructure relies on coordinated governance models that integrate government authorities, private operators, and sector-specific organizations. Information sharing initiatives, such as Information Sharing and Analysis Centers (ISACs), support collaboration by enabling the exchange of threat intelligence and best practices among stakeholders.[13]
National frameworks and sector-specific strategies are commonly used to align risk management, preparedness, and response activities across jurisdictions and industries. These frameworks reflect the recognition that critical infrastructure security is both a technical and organizational challenge.
Energy & Utilities: Electricity providers; off-shore/on-shore oil & gas; coal supplies, natural gas providers; home fuel oil; gas station supplies; alternative energy suppliers (wind, solar, other)
Information and Communication Technology: Broadcast Media; telecommunication providers (landlines, cell phones, internet, wifi); Postal services
Finance: Banking services, government finance/aid departments; taxation
Health: Public health & wellness programs, hospital/clinic facilities; blood & blood products
European Programme for Critical Infrastructure Protection (EPCIP) refers to the doctrine or specific programs created as a result of the European Commission's directive EU COM(2006) 786, which designates European critical infrastructure that, in case of fault, incident, or attack, could impact both the country where it is hosted and at least one other European Member State. Member states are obliged to adopt the 2006 directive into their national statutes.
It has proposed a list of European critical infrastructures based upon inputs by its member states. Each designated European Critical Infrastructure (ECI) will have to have an Operator Security Plan (OSP) covering the identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritisation of counter-measures and procedures.
In Singapore, critical infrastructures are mandated under the Protected Areas and Protected Places Act.[17] In 2017, the Infrastructure Protection Act was passed in Parliament, which provides for the protection of certain areas, places and other premises in Singapore against security risks.[18] It came into force in 2018.[19][20]
In the UK, the National Protective Security Authority (NPSA) provides information, personnel and physical security advice to the businesses and organizations which make up the UK's national infrastructure, helping to reduce its vulnerability to terrorism and other threats.
It can call on resources from other government departments and agencies, including MI5, the National Cyber Security Centre (NCSC) and other government departments responsible for national infrastructure sectors.
The U.S. has had a wide-reaching critical infrastructure protection program in place since 1996. Its Patriot Act of 2001 defined critical infrastructure as those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
In 2014 the NIST Cybersecurity Framework was published, and quickly became a popular set of guidelines, despite the significant costs of full compliance.[21]
These have identified a number of critical infrastructures and responsible agencies:
The National Infrastructure Protection Plan (NIPP) defines critical infrastructure sectors in the US. Presidential Policy Directive 21 (PPD-21),[22] issued in February 2013 and entitled Critical Infrastructure Security and Resilience, mandated an update to the NIPP. This revision of the plan established the following 16 critical infrastructure sectors:
Chemical
Commercial facilities
Communications
Critical manufacturing
Dams
Defense industrial base
Emergency services
Energy
Financial services
Food and agriculture
Government facilities
Healthcare and public health
Information technology
Nuclear reactors, materials, and waste
Transportation systems
Water and wastewater systems
National Monuments and Icons along with the postal and shipping sector were removed in the 2013 update to the NIPP. The 2013 version of the NIPP has faced criticism for lacking viable risk measures.[23][24] The plan assigns the following agencies sector-specific coordination responsibilities:
Several U.S. states have passed "critical infrastructure" bills, promoted by the American Legislative Exchange Council (ALEC), to criminalize protests against the fossil fuel industry.[25] In May 2017, Oklahoma passed legislation which created felony penalties for trespassing on land considered critical infrastructure, including oil and gas pipelines, or conspiring to do so; ALEC introduced a version of the bill as a model act and encouraged other states to adopt it.[26] In June 2020, West Virginia passed the Critical Infrastructure Protection Act, which created felony penalties for protests against oil and gas facilities.[27]
Critical infrastructure (CI) such as highways, railways, electric power networks, dams, port facilities, major gas pipelines or oil refineries are exposed to multiple natural and human-induced hazards and stressors, including earthquakes, landslides, floods, tsunami, wildfires, climate change effects or explosions. These stressors and abrupt events can cause failures and losses, and hence, can interrupt essential services for the society and the economy.[28] Therefore, CI owners and operators need to identify and quantify the risks posed by the CIs due to different stressors, in order to define mitigation strategies[29] and improve the resilience of the CIs.[30][31] Stress tests are advanced and standardised tools for hazard and risk assessment of CIs, that include both low-probability high-consequence (LP-HC) events and so-called extreme or rare events, as well as the systematic application of these new tools to classes of CI.
Stress testing is the process of assessing the ability of a CI to maintain a certain level of functionality under unfavourable conditions, while stress tests consider LP-HC events, which are not always accounted for in the design and risk assessment procedures, commonly adopted by public authorities or industrial stakeholders. A multilevel stress test methodology for CI has been developed in the framework of the European research project STREST,[32] consisting of four phases:[33]
Phase 1: Preassessment, during which the data available on the CI (risk context) and on the phenomena of interest (hazard context) are collected. The goal and objectives, the time frame, the stress test level and the total costs of the stress test are defined.
Phase 2: Assessment, during which the stress test at the component and the system scope is performed, including fragility[34] and risk[35] analysis of the CIs for the stressors defined in Phase 1. The stress test can result in three outcomes: Pass, Partly Pass and Fail, based on the comparison of the quantified risks to acceptable risk exposure levels and a penalty system.
Phase 3: Decision, during which the results of the stress test are analyzed according to the goal and objectives defined in Phase 1. Critical events (events that most likely cause the exceedance of a given level of loss) and risk mitigation strategies are identified.
Phase 4: Report, during which the stress test outcome and risk mitigation guidelines based on the findings established in Phase 3 are formulated and presented to the stakeholders.
This stress-testing methodology has been demonstrated on six CIs in Europe at component and system level:[36] an oil refinery and petrochemical plant in Milazzo, Italy; a conceptual alpine earth-fill dam in Switzerland; the Baku–Tbilisi–Ceyhan pipeline in Turkey; part of the Gasunie national gas storage and distribution network in the Netherlands; the port infrastructure of Thessaloniki, Greece; and an industrial district in the region of Tuscany, Italy. The outcome of the stress testing included the definition of critical components and events and risk mitigation strategies, which are formulated and reported to stakeholders.
Critical maritime infrastructure (CMI) refers to maritime-based systems within sectors whose disruption would have serious economic, security, environmental or societal consequences, including shipping, energy, communications, fishing and biodiversity (nearly 99% of transoceanic digital communications are carried by undersea fiber-optic cables, which makes the global submarine cable network critical for modern global infrastructure).[37][38] CMI is defined through political and strategic assessments rather than technical criteria alone and varies across states and regions. Its transnational character, with infrastructure spanning multiple maritime jurisdictions, complicates governance and protection, while recent incidents involving subsea cables and pipelines have underscored CMI’s vulnerability to hybrid threats and its growing geopolitical significance.[39]
Maritime infrastructure is governed by a combination of international law, sector-specific regimes and national legislation that operates within a fragmented legal environment defined by maritime zones rather than unified territorial sovereignty.[40] The core legal framework is the United Nations Convention on the Law of the Sea (UNCLOS), which divides ocean space into zones with different rights and obligations; this shapes how maritime infrastructure is regulated and operated while balancing coastal state authority with freedoms of navigation and communication.[41][42] Since the mid-twentieth century, states have expanded regulatory authority through functional territorialization without establishing full sovereignty.[43] In parallel, maritime security concerns have introduced additional governance layers addressing crime, environmental harm and infrastructure protection, which has resulted in a hybrid regulatory order combining legal rules, security practices and technical management.[44]
International governance of maritime infrastructure operates through a decentralized system shaped by historical power shifts and institutional plurality.[45] Rather than a unified global regime, governance has developed as an issue-specific system in which authority emerges through negotiations, norms and interaction among states, international organizations and transnational actors.[46] Since the implementation of UNCLOS, governance has been marked by institutional overlap and regime complexity which enables flexibility but also creates coordination challenges and jurisdictional ambiguity.[47][48][49] These arrangements reflect uneven power relations and are increasingly strained by technological change which leads to reliance on informal coordination and adaptive practices rather than comprehensive treaty reform.[50][51]
Maritime infrastructure is distributed across fluid ocean spaces shaped by currents, mobility and ecological processes which make fixed regional boundaries difficult to apply. Open-ocean areas demonstrate how infrastructure and management must adapt to shifting spatial conditions.[52] Ocean basins have historically structured maritime connectivity by producing uneven patterns of ports and shipping routes that reflect long-term commercial, biological and cultural exchange rather than national borders.[53] More recently, infrastructure has clustered within global ocean regions formed through political, economic and security practices.[54] Institutional regionalization (including the UNEP Regional Seas Programme) further influences infrastructure development, while geographic scholarship emphasizes the three-dimensional nature of maritime regions spanning surface waters, the water column and the seabed.[55][56]
Since November 2023, attacks on commercial shipping by the Iran-aligned Houthi movement in Yemen have disrupted maritime traffic in the Red Sea that functions as a key corridor by linking the Indian Ocean and the Mediterranean Sea via the Suez Canal.[57][58] The targeting of commercial vessels has increased security risks and instability along one of the world’s most important maritime chokepoints. These disruptions have led to widespread rerouting of vessels around the Cape of Good Hope which extends voyage times and raises transportation costs with measurable impacts on global supply chains, commodity prices and shipping markets.[59][60] The rerouting has also redistributed environmental pressures by reducing ship-related air pollution in the Red Sea while increasing emissions along alternative routes off southern Africa.[61] The security situation in the Red Sea has further intensified regional and global geopolitical tensions influenced by the intersection of rival interests among Middle Eastern states and broader great-power competition which has reinforced international concerns over the protection of critical maritime infrastructure in the region.[62]
The Economic Importance of CMI for the Blue Economy
Maritime infrastructure supports the blue economy which frames the ocean as a key driver of economic growth through activities such as shipping, fisheries, offshore energy, aquaculture and seabed resource extraction. Ports, shipping networks, offshore platforms, and subsea cables enable global trade, energy supply and access to marine resources which makes maritime infrastructure central to national economies and global economic integration.[63][64] While proponents emphasize opportunities for growth, employment and innovation, critical scholarship highlights environmental risks and social tensions which includes resource enclosure and the unequal distribution of benefits associated with large-scale infrastructure development.[65][66]
Environmental Protection and CMI in Marine Protected Areas
Marine protected areas (MPAs) are a key tool for marine environmental protection and increasingly shape the governance of maritime infrastructure. By restricting or regulating infrastructure-related activities such as shipping, offshore energy development, fisheries and seabed installations, MPAs influence where and how infrastructure can be developed. The global expansion of large MPAs reflects growing international conservation commitments even though their design and implementation vary significantly.[67] Research highlights tensions between conservation goals and economic or infrastructural interests because MPAs are often established in areas of low economic use, which limits conflict with infrastructure development but potentially reduces ecological effectiveness.[68] At the same time, marine spatial planning (MSP) has emerged as a key mechanism for managing interactions between conservation and infrastructure while also reflecting power imbalances and strategic considerations that include security and geopolitical interests.[69][70]
Maritime infrastructure faces security threats from geopolitical competition, grey-zone activities and transnational organized crime, and these risks increasingly affect ports, shipping routes, offshore energy installations and subsea cables, which are vulnerable to sabotage and coercive practices below the threshold of armed conflict.[71] Blue crime (including piracy, smuggling, trafficking, illegal fishing, and pollution) further undermines maritime infrastructure by exploiting jurisdictional complexity and limited enforcement at sea, and international responses led by the United Nations and regional organizations rely mainly on coordination and capacity-building but remain fragmented across regions and issue areas.[71][72]
Civil society, scientific institutions and non-governmental organizations (NGOs) play a significant role in maritime infrastructure governance by producing expertise, shaping policy agendas and monitoring activities at sea. Scientific networks contribute data and assessments that inform international negotiations and regulatory frameworks in particular areas such as marine biodiversity, environmental protection and infrastructure planning beyond national jurisdiction.[73][74] NGOs and activist groups influence governance through advocacy, surveillance and digital monitoring tools that increase transparency around shipping, fishing and infrastructure use while also raising concerns about power, visibility and control.[75][76] Their involvement operates alongside state authority and can both challenge and reinforce existing governance arrangements in complex maritime spaces.[77][78]
Paasi, Anssi; Harrison, John; Jones, Martin, eds. (2020). Handbook on the geographies of regions and territories. Research handbooks in geography. Cheltenham, UK; Northampton, MA, USA: Edward Elgar Publishing. ISBN 978-1-78536-580-5.