Unmanned Systems (UxS) Threats Across the 16 Critical Infrastructure Sectors 

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has designated 16 critical infrastructure sectors, each of which have distinct functions, vulnerabilities, and regulators. CISA uses this categorization to create a common operating picture for both government and private stakeholders, while also enabling specialized Sector Risk Management Agencies (SRMAs) to tailor security measures. This segmentation is especially important when analyzing the emerging threats from unmanned systems: this includes unmanned aircraft systems (UAS), unmanned underwater vehicles (UUVs), unmanned surface vehicles (USVs), and unmanned ground vehicles (UGVs). Because unmanned technologies exploit the air, land, sea, and underwater domains, risks are not evenly distributed.  

• UASs pose broad, cross-sector threats, from surveillance of chemical facilities to disruption of airports and crowded commercial sites, since most sectors have aerial vulnerabilities (surveillance, precision strike, disruption, non-kinetic effects). 

• UUVs, by contrast, are more narrowly aligned with sectors that depend on underwater or coastal assets, such as energy, communications, transportation, dams, bridges, nuclear facilities, and water systems. Port infrastructure (a subset of Transportation) is extremely vulnerable to UUVs. 

• USVs fall in between, representing significant risks to maritime-heavy sectors like ports, maritime shipments, naval facilities, and offshore platforms. USV threats are most potent where maritime infrastructure overlaps with ports, energy terminals, and naval/defense facilities. 

The 16-sector model provides a clear map for evaluating not only where U.S. infrastructure is most vulnerable, but also which unmanned technologies have the greatest potential to cause cascading effects across multiple domains.  

Unmanned vehicles operated by adversaries pose a threat to aspects within all of CISA’s 16 critical infrastructure sectors. High-level, illustrative examples of UxS exploitation of each sector are briefly laid out below: 

1. Chemical Sector 

• UAS: Drone-based surveillance, cyber, or kinetic attacks on storage tanks, pipelines, or transport convoys. 

• UUV/USV: Lower risk unless chemicals are shipped by water (tanker barges, port facilities). 

• Consequence: A kinetic strike or cyber attack could release toxic substances, causing mass casualties and environmental contamination. Surrounding areas would require evacuation and decontamination. National supply chains for fertilizers, plastics, and fuels would be severely disrupted. A major attack could disrupt the global supply chain on all goods requiring chemicals.  

2. Commercial Facilities 

• UAS: High threat for crowded venues such as stadiums, malls, convention centers. Could deliver payloads or conduct reconnaissance. 

• UUV/USV: Minimal, except for waterfront resorts or casinos with marinas. 

• Consequence: An attack on malls, stadiums, or hotels would inflict civilian casualties (a potentially) and economic shock. It would deter tourism and commerce, damaging local economies. Public fear and insurance losses would ripple beyond retail and entertainment sectors. Assassinations on people of high importance are also viable in the age of unmanned systems. The risk for an assassination attempt via a UAS is particularly high in open-roof stadiums. 

3. Communications 

• UAS: Risk to towers, relay stations, satellites (via ground terminals). 

• UUV/USV: Threat to undersea data cables and coastal landing stations. 

• Consequence: Destroying network nodes or satellites would paralyze phone, internet, and broadcast systems using the affected systems. This attack could occur through either a kinetic, cyber, or electronic attack. Emergency responders would lose coordination capabilities. Economic activity dependent on data transfer would halt almost instantly. 

4. Critical Manufacturing 

• UAS: Threat to plants/factories (disruption, sabotage). 

• UUV/USV: Relevant if the manufacturing facility depends on port logistics. 

• Consequence: Attacks on factories or plants would disrupt production of metals, machinery, and electronics. Supply chains would suffer across defense and energy sectors. Prolonged downtime could trigger nationwide shortages and job losses. The knowledgebase in key niche sectors would shrink because of the deaths from these attacks. 

5. Dams 

• UAS: Potential for surveillance or direct attacks on dam structures and control rooms. 

• UUV/USV: Can threaten spillways, gates, or hydroelectric intakes. UUVs and USVs can also be used by actors after they are smuggled into the country and later put into rivers or lakes to go after dams. 

• Consequence: A physical breach or cyber sabotage on a dam could unleash catastrophic flooding downstream. Power generation and water management systems would fail simultaneously. Recovery would require massive engineering and humanitarian response. The destruction of major dams, such as the Hoover Dam, would result in long term power outages, devastation to towns and cities downstream, and cause would be a mass casualty event. Dams downstream from the initial attack would be destroyed as well, compounding the problem. 

6. Defense Industrial Base 

• UAS: Espionage on facilities, testing ranges, production lines. 

• UUV/USV: Maritime espionage near naval shipyards or testing ranges. 

• Consequence: Strikes on contractors or production facilities would delay or cripple weapons manufacturing. National readiness and allied support capabilities would degrade. Classified technology could be destroyed or compromised. Persons with knowledge in niche areas vital to national security could be killed. 

7. Emergency Services 

• UAS: Interference with helicopters, police/fire drones, or direct attacks on response bases. 

• UUV/USV: Low direct risk, though could disrupt rescue craft and communications near ports. 

• Consequence: Targeting fire, police, or EMS facilities would delay lifesaving response. Public panic would rise as 911 networks collapse. Secondary casualties would mount due to lack of rescue capacity. An attack here would be particularly effective when conducted in tandem with an attack that is supposed to cause a mass casualty event and an attack on communications. Cyber and EW are particularly effective in this sector. 

8. Energy 

• UAS: Attacks on refineries, substations, transmission lines, wind/solar farms. 

• UUV/USV: Major threat to offshore oil and gas rigs, undersea pipelines, LNG terminals. 

• Consequence: Kinetic, cyber, and EW attacks on power plants or refineries would cause blackouts and fuel shortages. Transportation and healthcare systems would quickly fail without electricity. Restoration could take weeks or months depending on the size and intensity of the grid damage. 

9. Financial Services 

• UAS: Threat mainly to physical data centers or bank HQs. 

• UUV/USV: Possible disruption of subsea financial data cables. 

• Consequence: Kinetic, cyber, and EW attacks on banks, data centers, or payment systems would freeze transactions and credit access. Markets would crash within hours. Long-term trust in financial institutions could erode globally. This would freeze the economy and cause mass panic, as nearly all transactions performed in the United States are digital. 

10. Food & Agriculture 

• UAS: Attacks on processing plants, livestock facilities, or contamination attempts. 

• UUV/USV: Threats to bulk grain/oil shipping via ports. 

• Consequence: Destruction of processing plants or farms would cause regional shortages and price spikes. Contamination could trigger widespread illness. Supply-chain collapse would lead to rationing and food insecurity. At the very least, food will become more expensive in a market where prices are already rising due to other factors. 

11. Government Facilities 

• UAS: Espionage or attack on embassies, federal buildings, or military bases. 

• UUV/USV: Threats to naval bases, coast guard stations, or island facilities. 

• Consequence: An attack would kill personnel, destroy records, and paralyze administrative functions. Emergency coordination and public communication would falter. Confidence in state authority would suffer. Non-state actors aligned against the USG would gain high support and confidence by taking credit for an attack on government facilities. 

Collection and reconnaissance on government facilities can detect PoL and activities-based intelligence, posing major national security risks. A cyber or EW attack in this sector is more of a major concern for near-peer adversaries. 

12. Healthcare & Public Health 

• UAS: Attacks on hospitals, disruption of emergency transport (e.g., medevac helicopters). 

• UUV/USV: Low, unless targeting hospital ships or coastal supply routes. 

• Consequence: Similar to an attack on emergency services. Hospitals struck or overloaded would be unable to treat mass casualties. Medical supply chains would break down. Disease outbreaks and mortality would surge. 

13. Information Technology 

• UAS: Physical attacks on server farms or cloud data centers. 

• UUV/USV: Disruption of undersea internet cables (critical IT backbone). 

• Consequence: Cyber or physical destruction of data centers would erase critical information. Essential services relying on digital systems would stop. Recovery would be slow even with backups due to lost connectivity. 

14. Nuclear Reactors, Materials, & Waste 

• UAS: High risk for surveillance or direct kinetic/sabotage attacks on reactors or spent fuel storage. 

• UUV/USV: Relevant to nuclear plants with rivers/lake/ocean intakes. 

• Consequence: An attack could release radiation, contaminating vast areas. Panic and long-term evacuation would follow. National energy and environmental consequences would be severe. There would be a loss of confidence in the viability of nuclear energy. 

15. Transportation Systems 

• UAS: Threat to airports, rail yards, highways, border crossings. 

• UUV/USV: High risk to seaports, ferries, bridges, and shipping lanes. 

• Consequence: Attacks on airports, ports, or rail hubs would halt national mobility. Evacuations, trade, and emergency logistics could be crippled. Economic losses could reach billions daily depending on the scope and location of the attack. 

16. Water & Wastewater Systems 

• UAS: Can target water treatment plants, chemical storage, or power supplies. 

• UUV/USV: Can infiltrate or damage intake pipes, outfalls, or coastal pumping stations. 

• Consequence: Strikes and sabotage on treatment plants or pumping stations would cut clean water supply. Disease and sanitation crises would emerge rapidly. Cities would face public-health emergencies within days. 

How can TTI Help?  

Building effectively integrated c-UxS capabilities across 16 separate sectors of critical infrastructure is challenging, but our risk-informed processes can assist in streamlining c-UxS strategies and integration across the USG and industry. TTI’s Strategic Design Approaches (SDA) are exceptionally useful for addressing unmanned systems challenges by allowing organizations to visualize, anticipate, and adapt to problems. TTI is committed to addressing these challenges through comprehensive strategies that help communities build resilience and preparedness. Specifically, TTI’s Risk-Informed Opportunity Sequences (RIOS) methodology can assist decision-makers across industry, the SRMAs, and federal, state, and local governments understand what activities should be prioritized to ensure the mission does not fail.  RIOS serves as the synchronization engine, integrating risk and opportunity data streams to produce execution sequences that balance risk resilience with the enablement of proactive opportunities. 

1. Orient & Frame: Reference the hierarchy of strategic guidance documents to trace national policy through strategy, plans, and tactics, defining the Desired Environment. We use GAP to compare this desired state against current capabilities, establishing a baseline grounded in a shared understanding. 

• Align Programs to Risk. Drawing from TTI’s Gap Analysis and Prioritization (GAP) methodology, RIOS will align strategic objectives with the operational requirements of all national security stakeholders. TTI delivers impact-scored gap-bridging assessments to inform data-driven decisions about where to invest, sustain, streamline, or divest of the full array of programs in these portfolios. For countering UxS through the scope of protecting critical infrastructure, it is critical to consider the cooperation between the public and private sectors. 

2. Characterize Risk: Our Tension Worksheets identify obstacles blocking objectives. Risks are characterized (analyzing probability and consequence) leveraging intelligence analysis, and prioritized by scoring for risk to mission and force impact. 

• Risk-Informed Resourcing. TTI’s Risk Prioritization & Mitigation (RPM) methodology is a rigorous, formalized process to elicit, collect, and analyze risk considering critical infrastructure to determine patterns and trends that can be further honed toward highly impactful mission support to each sector. Using both qualitative and quantitative methods, TTI communicates assessment findings, and conclusions, in metric-driven, actionable recommendations considering the challenges posed by unmanned systems. This methodology would be a crucial step for identifying vulnerabilities (and prioritizing how to close these gaps) whether they be different mission sets (for federal, state, or local agencies) or parts of infrastructure sectors. 

3. Develop Opportunities: Gather input from mission partners to identify actionable and innovative opportunities, leveraging partner capabilities to proactively shape the environment, integrating with successful threat mitigation efforts. 

• RIOS Identifies and prioritizes latent capabilities and innovations, augmenting the c-UxS strategy by expanding the focus from strengthening defense to identifying strategic opportunities that enable the USG to retain the initiative, including upstream alternatives for detection and avoidance. 

4. Sequence & Synchronize: Organize risk mitigation activities and opportunities into decision-ready Courses of Action (COAs) for execution and continuous evolution. CCAAAPPI elements are sequenced to ensure all stakeholders achieve alignment to sequentially achieve desired outcomes. 

• COAs are sequenced using CCAAAPPI elements for execution of primary and alternative options. This process ensures the solution is viable across all c-UxS stakeholders (DoW, Interagency, and commercial mission partners) while driving alignment to desired outcomes sequentially. The resulting mission-derived risks and opportunities should also be considered in the planning of future exercises for each critical infrastructure sector.