Protecting California Critical Infrastructure from Cyber Threats

California operates the world's fifth-largest economy by GDP, and the systems that sustain it — power grids, water treatment facilities, financial networks, transportation corridors, and hospital networks — are increasingly exposed to targeted cyber intrusions. Federal and state frameworks both impose obligations on infrastructure operators, yet the intersection of those requirements with California-specific statutes creates a compliance landscape that sector operators must navigate with precision. This page examines the definition, mechanics, classification, and regulatory context of critical infrastructure cybersecurity in California, drawing on named federal and state authorities.


Definition and scope

Critical infrastructure in the cybersecurity context refers to systems and assets — physical and virtual — whose disruption or destruction would have a debilitating effect on security, public health, economic stability, or public safety. At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical infrastructure sectors, ranging from Energy and Water Systems to Healthcare and Public Health and Financial Services. California's own Office of Emergency Services (Cal OES) maps these sectors to state-level asset inventories maintained under the California Cybersecurity Integration Center (Cal-CSIC).

For the purposes of this page, scope is defined as:

What falls outside this page's coverage: Federal-only infrastructure assets (e.g., military installations, certain federal reservoirs) not subject to California jurisdiction, incidents occurring exclusively on federal networks, and private organizations with no California nexus. Interstate infrastructure where federal preemption applies — such as certain interstate natural gas pipelines regulated by the Federal Energy Regulatory Commission (FERC) — is also not covered in detail here.

For foundational terminology used throughout this discussion, the California Cybersecurity Terminology and Definitions page provides precise definitions of terms including threat actor, attack surface, and operational technology (OT).


Core mechanics or structure

California critical infrastructure cybersecurity operates through a layered architecture combining federal baseline standards, state coordination mechanisms, and sector-specific requirements.

Federal baseline: NIST Cybersecurity Framework (CSF)
NIST CSF 2.0, published by the National Institute of Standards and Technology in 2024, organizes protective activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Infrastructure operators in California — whether private utilities, public agencies, or healthcare networks — frequently use CSF as the primary organizing framework, then layer state-specific obligations on top.

NERC CIP for energy sector
California's electric utilities, including investor-owned utilities regulated by the California Public Utilities Commission (CPUC), must comply with NERC CIP (Critical Infrastructure Protection) standards. CIP-013-1, for instance, governs supply chain risk management for bulk electric systems — a requirement with direct operational implications for California entities such as Pacific Gas & Electric, Southern California Edison, and San Diego Gas & Electric.

Cal-CSIC coordination model
Cal-CSIC functions as the state's primary cyber threat fusion center, integrating intelligence from the FBI, DHS, and CISA with state law enforcement and private sector partners. Operators within designated critical sectors can receive threat indicators through the Automated Indicator Sharing (AIS) program administered by CISA.

OT/IT convergence
A structural feature of modern critical infrastructure security is the convergence of operational technology (OT) — SCADA systems, industrial control systems (ICS), and programmable logic controllers (PLCs) — with traditional information technology networks. ICS-CERT advisories, published by CISA, document active vulnerabilities in control systems used by California water districts, gas utilities, and transportation agencies.

The conceptual overview of how California cybersecurity works expands on this layered model with additional framework context.


Causal relationships or drivers

Threat actor targeting
Nation-state groups — specifically those attributed by CISA and the NSA to China (Volt Typhoon), Russia (Sandworm), and Iran (IRGC-affiliated actors) — have demonstrated sustained interest in pre-positioning within US critical infrastructure networks. CISA's 2024 advisory on Volt Typhoon documented compromises of communications, energy, and water sector entities, with California named as a state of concern given its infrastructure density.

Regulatory pressure as a driver
This compliance deadline creates downstream pressure on California-based publicly traded utilities and healthcare systems to maintain incident detection and classification capabilities.

Legacy system exposure
Water treatment facilities and municipal utilities in California commonly operate industrial control systems built before modern cybersecurity standards existed. The EPA's cybersecurity guidance for water utilities documents the specific exposure created when legacy SCADA systems are connected — directly or indirectly — to the internet.

Supply chain interdependency
A single compromised vendor can propagate risk across dozens of California operators. The SolarWinds intrusion (publicly documented by CISA in Alert AA20-352A) illustrated how software supply chain compromise can affect state and local government entities simultaneously. For a deeper treatment of this risk vector, see California Supply Chain Cybersecurity.


Classification boundaries

Critical infrastructure entities in California are not uniformly regulated. Classification determines which frameworks apply:

By sector designation
CISA's 16-sector model assigns each sector a designated Sector Risk Management Agency (SRMA). For example, the Department of Energy serves as SRMA for the Energy sector; HHS for Healthcare. California entities must understand both the federal SRMA requirements and any California-specific overlay from CPUC, the California Department of Water Resources (DWR), or the California Department of Public Health (CDPH).

By entity type: public vs. private
- Public agencies (e.g., municipal water districts, county hospitals, transit authorities): Subject to California Government Code §11546.1 (state agency cybersecurity policy requirements) and oversight by the California Department of Technology (CDT).
- Private operators (e.g., investor-owned utilities, private hospital networks): Subject to CPUC General Order 169 for utilities and HIPAA Security Rule for healthcare, with California Attorney General enforcement authority for data breach statutes.

By system criticality tier
CISA's National Critical Functions (NCF) framework identifies 55 functions deemed most critical to national security and economic stability. California operators whose systems underpin NCFs — such as "Generate Electricity" or "Provide Drinking Water" — face heightened scrutiny under federal-state joint assessments.

The regulatory context for California cybersecurity provides additional detail on how these classification frameworks interact with California-specific statutes.


Tradeoffs and tensions

Information sharing vs. liability exposure
Infrastructure operators are incentivized to share threat indicators through CISA's AIS program, but voluntary sharing carries legal risk if shared data contains customer PII. The Cybersecurity Information Sharing Act (CISA Act) of 2015 provides liability protection for qualifying shares, but operators must implement specific scrubbing procedures before sharing — a process that requires legal and technical coordination.

OT availability requirements vs. security patching
Industrial control systems in water and energy sectors often require near-continuous uptime. Applying security patches — even critical ones — requires planned downtime that operators are reluctant to schedule. This creates a persistent gap between known vulnerability disclosure dates and remediation timelines, which CISA's Known Exploited Vulnerabilities (KEV) catalog documents with binding remediation deadlines for federal agencies but only advisory timelines for private operators.
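One way to make that remediation gap visible for an OT asset inventory, as an added example that is not from the original page or from CISA: the sample below uses the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate; the real feed carries more fields), but the entries, CVE ids, asset ids and dates are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the field layout of CISA's KEV catalog JSON feed.
# The CVE ids are placeholders, not real vulnerabilities.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleICS", "product": "HMI Server",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleICS", "product": "PLC Firmware",
     "dateAdded": "2024-05-10", "dueDate": "2024-05-31"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Router",
     "dateAdded": "2024-06-01", "dueDate": "2024-06-22"},
]})

# Constructed OT asset inventory for a hypothetical water treatment plant:
# vendor/product as named in KEV, plus the patch date (None = still unpatched).
ASSETS = [
    {"id": "wtp-hmi-01", "vendorProject": "ExampleICS", "product": "HMI Server",
     "patched": "2024-04-15"},
    {"id": "wtp-plc-07", "vendorProject": "ExampleICS", "product": "PLC Firmware",
     "patched": None},
]


def remediation_gaps(kev_json, assets, as_of):
    """Match inventory assets to KEV entries and report days past the KEV due date.

    'days_past_due' is measured at the patch date if the asset was patched,
    otherwise at the as_of date (ISO string), so unpatched assets keep growing
    more overdue. Results are sorted most-overdue first.
    """
    as_of_day = date.fromisoformat(as_of)
    by_product = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault((v["vendorProject"], v["product"]), []).append(v)
    report = []
    for a in assets:
        for v in by_product.get((a["vendorProject"], a["product"]), []):
            due = date.fromisoformat(v["dueDate"])
            closed = date.fromisoformat(a["patched"]) if a["patched"] else as_of_day
            report.append({"asset": a["id"], "cve": v["cveID"],
                           "patched": a["patched"] is not None,
                           "days_past_due": (closed - due).days})
    return sorted(report, key=lambda r: -r["days_past_due"])


if __name__ == "__main__":
    for row in remediation_gaps(KEV_SAMPLE, ASSETS, "2024-07-01"):
        print(row)
```

A negative days_past_due would mean the asset was patched before the KEV deadline; the same matching works against the live feed once vendor and product names in the inventory are normalised to KEV spelling.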

State authority vs. federal preemption
California has enacted aggressive cybersecurity-adjacent legislation (CCPA, CPRA, SB 327 for IoT devices), but direct state regulation of federally designated critical infrastructure can conflict with federal preemption doctrines. Interstate gas pipelines regulated by FERC, for example, operate outside California CPUC jurisdiction on cybersecurity matters, creating regulatory gaps at the state boundary.

Transparency vs. security through obscurity
Public disclosure requirements (SEC rule, California data breach notification under Civil Code §1798.82) increase transparency but can expose operational details about critical system vulnerabilities before remediation is complete.


Common misconceptions

Misconception 1: "Only large operators are targeted."
CISA incident data and FBI reporting consistently document attacks against small municipal water systems and rural electric cooperatives. The 2021 Oldsmar, Florida water treatment incident — where an attacker briefly modified sodium hydroxide levels via remote access — involved a facility serving approximately 15,000 residents. California has over 400 community water systems serving fewer than 10,000 connections each, all potentially exposed to similar attack vectors.

Misconception 2: "Air-gapping OT systems provides full protection."
True air-gaps are rare. The majority of ICS environments described as air-gapped have at least one connection path — USB drives, vendor remote access portals, or shared engineering workstations — that provides a reachable attack surface. CISA's ICS security guidance explicitly addresses this assumption.

Misconception 3: "HIPAA compliance equals comprehensive cybersecurity."
HIPAA Security Rule compliance establishes a floor for administrative, physical, and technical safeguards but was designed before modern ransomware and supply chain attacks. California healthcare operators that meet HIPAA minimums may still lack incident response capabilities sufficient to manage a destructive ransomware event. For sector-specific treatment, see California Healthcare Cybersecurity.

Misconception 4: "State and federal frameworks are duplicative."
California statutes such as Government Code §11546.1, CPUC decisions on utility cybersecurity, and the California Consumer Privacy Act impose obligations that go beyond — and in some respects differ from — federal frameworks. Assuming federal compliance satisfies all California obligations is a documented cause of enforcement action.


Checklist or steps

The following represents the general sequence of activities described in public guidance from CISA, NIST, and Cal OES for critical infrastructure cyber risk management. This is a reference sequence, not professional advice.

  1. Identify assets and dependencies — Conduct a complete inventory of IT and OT assets, including third-party dependencies, using NIST CSF 2.0 Identify function guidance.
  2. Classify systems by criticality — Map assets to CISA's National Critical Functions and sector-specific regulatory classifications (NERC CIP, AWIA 2018 for water systems).
  3. Assess current controls against applicable standards — Compare existing controls against NIST SP 800-82 (ICS security) and sector-specific SRMA guidance.
  4. Identify regulatory reporting obligations — Determine which reporting thresholds apply: CISA's Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) 72-hour reporting rule (final rule pending as of 2024), SEC 4-day disclosure rule, and California Civil Code §1798.82 breach notification timelines.
  5. Develop and test an incident response plan — Align plan with NIST SP 800-61 (Computer Security Incident Handling Guide) and Cal OES continuity planning standards. See California Cybersecurity Incident Response Planning.
  6. Implement network segmentation between IT and OT — Follow CISA and NSA joint guidance on OT/IT segmentation (NSA/CISA Cybersecurity Advisory AA20-205A).
  7. Establish vendor and third-party risk assessments — Screen critical vendors against NERC CIP-013 or NIST SP 800-161 supply chain risk management standards.
  8. Conduct regular tabletop exercises — Use CISA's Infrastructure Resilience Planning Framework (IRPF) exercise templates.
  9. Register with Cal-CSIC and CISA's threat sharing programs — Enroll in Automated Indicator Sharing (AIS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) for actionable threat intelligence.
  10. Document compliance evidence — Maintain audit-ready records consistent with CPUC, CDT, and applicable federal SRMA documentation requirements.

For additional resources tied to California's public sector context, the California Government Cybersecurity Standards page covers CDT and CPUC-specific requirements.

For a broader view of the California cybersecurity landscape that contextualizes critical infrastructure within state-wide security posture, the California Cybersecurity Authority index provides navigational orientation across topic areas.


Reference table or matrix

Critical Infrastructure Sector–Regulatory Framework Matrix (California Context)

Sector                     | Federal SRMA            | Key Federal Standard                    | California Regulator      | Primary CA Statute/Order
Electric Utilities         | Dept. of Energy         | NERC CIP-002 through CIP-014            | CPUC                      | CPUC General Order 169
Water & Wastewater         | EPA                     | AWIA 2018, NIST SP 800-82               | CDPH / State Water Board  | Health & Safety Code §116275
Healthcare & Public Health | HHS                     | HIPAA Security Rule, NIST SP 800-66     | CDPH, CA Attorney General | Civil Code §1798.82; CMIA
Financial Services         | Dept. of Treasury       | FFIEC CAT, NIST CSF                     | CA DFPI                   | CA Financial Code §4052.5
Transportation             | Dept. of Transportation | TSA Security Directives (rail/pipeline) | Caltrans                  | CA Gov. Code §11549.3
State/Local Government     | CISA                    | NIST SP 800-53 Rev. 5                   | CDT                       | CA Gov. Code §11546.1
Communications             | CISA                    | FCC cybersecurity guidance              | CPUC (limited)            | CA Public Utilities Code §2892
