Protecting Florida Critical Infrastructure from Cyber Threats
Florida's critical infrastructure sectors — spanning water utilities, energy grids, seaports, transportation networks, and healthcare systems — face a concentrated and escalating threat environment that intersects federal sector-specific mandates, state statutory obligations, and operational technology vulnerabilities unique to industrial control systems. This page maps the regulatory landscape, threat classification framework, and sector-specific structural protections governing critical infrastructure cybersecurity in Florida. It addresses the federal agencies, Florida statutes, and sector regulations that define both baseline requirements and enforcement authority. Professionals, operators, and researchers working in this space will find here a structured reference to how Florida's critical infrastructure protection regime is organized and where responsibilities are allocated.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Critical infrastructure cybersecurity, as framed by Presidential Policy Directive 21 (PPD-21), encompasses the protection of systems and assets — physical and virtual — so vital that their incapacitation or destruction would have a debilitating effect on national security, economic stability, or public health. The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) recognize 16 critical infrastructure sectors nationally, of which Florida has concentrated exposure in at least 7: energy, water and wastewater systems, healthcare and public health, transportation systems, communications, financial services, and government facilities.
At the state level, Florida Statute § 282.318 assigns the Florida Department of Management Services (DMS) cybersecurity oversight responsibilities for state agency systems. The Florida Digital Service, operating under DMS, coordinates statewide cybersecurity strategy and is accountable for the Florida Statewide Cybersecurity Strategy. Florida-specific infrastructure cybersecurity operates within a layered framework: federal sector-specific agency (SSA) regulations set floors, state statutes impose parallel obligations on government-operated infrastructure, and local utility or agency governance adds operational specificity.
Scope and coverage limitations: This page addresses critical infrastructure cybersecurity within Florida's geographic and jurisdictional boundaries. Federal regulatory regimes (e.g., NERC CIP for bulk electric systems, TSA Security Directives for pipelines, NRC regulations for nuclear facilities) apply to Florida operators but are not administered by Florida state agencies. Florida-chartered private entities operating critical infrastructure are subject to their federal SSA requirements and, where applicable, Florida statutes — but private-sector operators outside state contracts or government-owned systems are not under DMS jurisdiction. For adjacent state-agency cybersecurity obligations, see Florida Department of Management Services Cybersecurity.
Core mechanics or structure
Florida's critical infrastructure cybersecurity structure operates through three interlocking layers.
Federal sector-specific agencies (SSAs): Each of the 16 critical infrastructure sectors is assigned an SSA under PPD-21. For Florida's most exposed sectors: the Department of Energy oversees energy sector cybersecurity; the Environmental Protection Agency (EPA) administers water sector requirements under the America's Water Infrastructure Act of 2018; the Department of Health and Human Services (HHS) governs healthcare infrastructure under HIPAA Security Rule standards (45 CFR Part 164); and the Transportation Security Administration (TSA) governs port and surface transportation security.
State coordination layer: Florida's Cybersecurity Operations Center (CSOC), housed within DMS, provides 24/7 threat monitoring for state agency networks and coordinates incident response across agencies. The Florida Fusion Center, operated by the Florida Department of Law Enforcement (FDLE), facilitates threat intelligence sharing between state, federal, and private critical infrastructure operators.
Operational technology (OT) and industrial control systems (ICS): A defining structural feature of critical infrastructure cybersecurity is the presence of OT environments — SCADA systems, distributed control systems, and programmable logic controllers — that differ fundamentally from traditional IT environments. NIST Special Publication 800-82 (Guide to Operational Technology Security) provides the primary federal framework for securing these environments. Florida water utilities, energy generation facilities, and seaports operate OT networks that require distinct segmentation, patching, and monitoring strategies compared to enterprise IT.
The Florida port and maritime cybersecurity domain adds a further layer of maritime-sector TSA and U.S. Coast Guard (USCG) regulatory requirements under the Maritime Transportation Security Act (MTSA), codified at 33 CFR Parts 101–106.
Causal relationships or drivers
Florida's critical infrastructure faces elevated cyber threat exposure driven by four identifiable structural factors.
Geographic concentration of high-value targets: Florida hosts 15 commercial seaports, 3 nuclear power plants, and 67 county-level water utilities, and is the primary location of major financial institutions. This density creates a concentrated attack surface that threat actors actively prioritize, including nation-state actors from the adversaries identified in CISA's 2023 National Cyber Threat Assessment.
Legacy OT infrastructure age: Water and wastewater systems in Florida, particularly in municipalities with deferred capital investment, operate control systems installed 15 to 25 years ago — systems designed before network connectivity was standard and for which vendor patches may no longer be issued.
Ransomware targeting public utilities: The 2021 Oldsmar, Florida water treatment facility incident — in which an attacker remotely adjusted sodium hydroxide levels to 111 times the safe concentration before an operator intervened — demonstrated the real-world consequence pathway from cyber intrusion to public health risk. The FBI and CISA joint advisory AA21-042A on this incident remains a benchmark case study. For the broader ransomware threat environment, see Florida Ransomware Threats.
Regulatory fragmentation: Critical infrastructure operators in Florida navigate SSA requirements, state DMS mandates, and sector-specific standards (NERC CIP, HIPAA, PCI-DSS for payment systems in hospitality) simultaneously, with no single unified compliance framework. This fragmentation produces gaps, particularly at the IT/OT boundary where neither traditional IT security controls nor OT security frameworks fully apply.
Classification boundaries
Florida critical infrastructure cybersecurity is classified along three primary axes:
By sector: CISA's 16-sector model applies, with sector-specific regulatory frameworks and SSAs for each. Florida's highest-risk sectors by incident history and regulatory attention are water/wastewater, energy (particularly bulk electric), healthcare, and transportation.
By infrastructure ownership: Government-owned infrastructure (state agencies, county utilities, public water systems) falls under DMS oversight and Florida Statute § 282.318. Privately owned but federally regulated infrastructure (investor-owned utilities, private hospitals) falls under federal SSA jurisdiction with state authorities as secondary actors. Hybrid public-private arrangements (e.g., public-private port authorities) are governed by layered MTSA and state authority.
By system type — IT vs. OT:
- IT systems: Enterprise networks, databases, cloud environments — governed by NIST SP 800-53 controls and Florida DMS security standards.
- OT/ICS systems: SCADA, DCS, PLCs — governed by NIST SP 800-82, IEC 62443 industrial standards, and sector-specific SSA guidance.
- Cyber-physical systems: Systems where a cyber event produces direct physical consequence (e.g., water chemical dosing, grid frequency control) — subject to highest-consequence planning requirements under CISA's Cross-Sector Cybersecurity Performance Goals (CPGs).
Tradeoffs and tensions
Connectivity vs. isolation: OT security best practice prescribes air-gapping critical control systems, but operational efficiency and remote monitoring demands increasingly push toward network connectivity. This tension is unresolved across Florida's water and energy sectors, where remote monitoring reduces operational cost but expands attack surface.
Information sharing vs. liability exposure: Voluntary threat intelligence sharing between private critical infrastructure operators and CISA or the Florida Fusion Center is protected under the Cybersecurity Information Sharing Act (CISA 2015), which provides liability protection for qualifying submissions. However, operators frequently resist disclosure of vulnerability data that could be exposed through public records requests. The Florida Public Records Cybersecurity Exemptions framework addresses some of this tension under § 119.0714, Florida Statutes, which exempts certain cybersecurity plans and system information from mandatory disclosure.
Compliance vs. security: Meeting a compliance checklist (e.g., NERC CIP standards for bulk electric systems) does not guarantee operational security. NERC CIP standards are binary pass/fail at a point in time; the adversary threat is continuous and adaptive. Operators that optimize for audit passage rather than continuous monitoring may present compliant but vulnerable postures.
Vendor and third-party risk: Florida's critical infrastructure operators extensively use third-party managed service providers, SCADA vendors, and cloud services. The Florida vendor and third-party cybersecurity risk landscape reflects a sector where supply chain compromise — as demonstrated in the SolarWinds event affecting government and utility clients — can introduce risk that no operator-level control can fully mitigate.
Common misconceptions
Misconception: Air-gapped OT systems are safe from cyber attack.
Correction: Air gaps are not absolute. The Stuxnet campaign — documented in open-source analysis by Symantec and subsequently by ICS-CERT (now CISA) — demonstrated that removable media, supply chain compromise, and insider access can breach air-gapped environments. CISA's ICS advisories regularly document vulnerabilities in systems operators believed were isolated.
Misconception: Federal SSA compliance covers all Florida operator obligations.
Correction: Florida Statute § 282.318 imposes independent state cybersecurity requirements on state agencies and units of government operating infrastructure. Federal compliance does not satisfy state statutory obligations, and vice versa. Public water systems operated by county governments, for example, face both EPA cybersecurity assessment requirements and DMS-aligned state reporting obligations.
Misconception: Cyberattacks on critical infrastructure are only a concern for large utilities.
Correction: CISA's 2022 advisory AA22-137A on attacks against industrial control system devices specifically identified small and medium-sized water utilities as targets because they typically have weaker security postures. Florida has 67 county water systems of varying size, and the smallest are statistically most exposed. For broader threat landscape context, see Florida Cyber Threat Landscape.
Misconception: The Florida Information Protection Act (FIPA) covers critical infrastructure breach response.
Correction: FIPA (Florida Statute § 501.171) governs notification obligations for breaches of personal information held by covered entities. It does not govern operational technology incidents, control system compromises, or infrastructure disruption events that do not involve personal data. OT incident response follows a separate framework. See Florida Cybersecurity Incident Response for the applicable framework.
Checklist or steps (non-advisory)
The following discrete process phases describe how Florida critical infrastructure cybersecurity programs are structured under CISA and NIST guidance. This is a reference sequence, not prescriptive professional advice.
Phase 1 — Asset inventory and categorization
- Identify all IT assets, OT assets (SCADA, DCS, PLCs), and cyber-physical interfaces
- Apply FIPS 199 categorization (Low/Moderate/High) to information systems per NIST SP 800-60
- Identify OT systems with physical consequence pathways
Phase 2 — Risk and vulnerability assessment
- Conduct Cybersecurity Evaluation Tool (CSET) assessment per CISA methodology
- Apply sector-specific vulnerability frameworks (NERC CIP for electric; EPA VSAT for water)
- Document IT/OT network boundary configurations and interdependencies
Phase 3 — Baseline control implementation
- Implement CISA Cross-Sector Cybersecurity Performance Goals (CPGs) as minimum baseline
- Apply NIST SP 800-82 Rev 3 controls to OT environments
- Segment OT from IT networks with enforced access control at the boundary (DMZ architecture)
Phase 4 — Continuous monitoring and detection
- Deploy OT-aware intrusion detection (passive monitoring with Zeek, Dragos, or equivalent)
- Establish logging and retention aligned with NIST SP 800-92 guidelines
- Connect monitoring output to Florida CSOC or CISA's EINSTEIN detection network where eligible
Phase 5 — Incident response planning and exercise
- Develop sector-specific incident response plan conforming to NIST SP 800-61 Rev 2
- Coordinate with Florida Fusion Center for threat intelligence integration
- Conduct annual tabletop exercise with scenarios including ransomware, OT disruption, and supply chain compromise
Phase 6 — Reporting and regulatory compliance verification
- File required cybersecurity assessments with applicable SSA (EPA, DOE, HHS)
- Report significant incidents to CISA (mandatory reporting under CIRCIA once sector rules are finalized) and to DMS CSOC for state-agency operators
- Retain documentation per Florida Statute § 282.318 and applicable federal records requirements
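As an added illustration of Phases 3 and 4 (not part of the original reference and not any agency's or vendor's tooling), the following Python example reviews records in the column layout of Zeek's modbus.log for traffic that reaches OT controllers without passing through the DMZ, and for Modbus write functions from hosts outside an approved list. The subnets, host addresses, the AUTHORIZED_WRITERS list, and the sample log rows are constructed assumptions.

```python
import ipaddress

# Assumed zone addressing and approved engineering workstation (illustrative).
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/24"),
}
AUTHORIZED_WRITERS = {"10.30.0.5"}

# Constructed sample rows: (uid, originator, responder, Modbus function).
_ROWS = [
    ("C1", "10.30.0.5", "10.30.0.20", "WRITE_SINGLE_REGISTER"),
    ("C2", "10.20.0.10", "10.30.0.20", "READ_HOLDING_REGISTERS"),
    ("C3", "10.10.4.77", "10.30.0.20", "READ_HOLDING_REGISTERS"),
    ("C4", "10.20.0.10", "10.30.0.20", "WRITE_MULTIPLE_REGISTERS"),
    ("C5", "10.30.0.9", "10.30.0.20", "MASK_WRITE_REGISTER"),
]
HEADER = "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception"
_DATA = [f"1700000000.0\t{u}\t{s}\t49152\t{d}\t502\t{f}\t-" for u, s, d, f in _ROWS]
SAMPLE_LOG = "\n".join([HEADER] + _DATA)

def zone_of(ip):
    """Return the zone whose network contains ip, or 'external'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def parse_zeek_tsv(text):
    """Parse Zeek TSV text into dicts keyed by the names on the #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def review_modbus(rows):
    """Flag Modbus traffic to OT hosts that bypasses the DMZ or writes unapproved."""
    findings = []
    for r in rows:
        src, dst, func = r["id.orig_h"], r["id.resp_h"], r["func"]
        if zone_of(dst) != "ot":
            continue
        if zone_of(src) not in ("ot", "dmz"):
            findings.append((r["uid"], "boundary-bypass", src, func))
        elif "WRITE" in func and src not in AUTHORIZED_WRITERS:
            findings.append((r["uid"], "unauthorized-write", src, func))
    return findings
```

Because the parser keys each record by the names on the #fields line, TSV logs that carry additional columns are read without change; calling review_modbus(parse_zeek_tsv(SAMPLE_LOG)) returns findings for C3, C4 and C5.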
Reference table or matrix
Florida Critical Infrastructure Sector Cybersecurity Reference Matrix
| Sector | Primary SSA | Key Federal Standard | State Authority | Florida Statute / Reference |
|---|---|---|---|---|
| Water & Wastewater | EPA | AWIA 2018 Risk & Resilience Assessment | DMS / DEP | § 282.318 (state systems); EPA AWIA |
| Energy — Bulk Electric | FERC / NERC | NERC CIP Reliability Standards | PSC (regulatory oversight) | NERC CIP (federal floor); PSC dockets |
| Healthcare & Public Health | HHS / CISA | HIPAA Security Rule (45 CFR 164) | AHCA | § 395.3025; HIPAA federal enforcement |
| Transportation — Seaports | DHS / TSA / USCG | MTSA (33 CFR 101–106) | FDOT | FDLE Fusion Center coordination |
| Communications | CISA | FCC cybersecurity framework | FDOT / FCC | Federal primary; state coordination |
| Financial Services | Treasury / CISA | FFIEC IT Handbook; GLBA | OFR (state charter) | § 655.0322; OFR examination |
| Government Facilities | CISA / GSA | FISMA; NIST SP 800-53 Rev 5 | DMS | § 282.318; DMS security standards |
The full regulatory context governing Florida operators across these sectors is mapped in the Regulatory Context for Florida Cybersecurity reference.
For a comprehensive orientation to how Florida's cybersecurity sector is organized and where critical infrastructure protection fits within the broader state framework, the Florida Security Authority index provides entry-point navigation to sector-specific, regulatory, and workforce reference pages.
References
- [Cybersecurity and Infrastructure Security Agency (CISA) — Critical Infrastructure](https://www.cisa.gov/topics/critical-