Jan 19 2022

Infrastructure Act Includes Funding to Shore Up Cybersecurity for Utilities

Newly signed legislation offers federal money for wide-ranging efforts to improve cybersecurity and prevent attacks on critical infrastructure.

President Biden signed a long-anticipated infrastructure bill into law in November that includes nearly $2 billion to improve cybersecurity for critical infrastructure. 

According to the White House’s Nov. 6 fact sheet, the legislation — known as the Infrastructure Investment and Jobs Act — is “the largest investment in the resilience of physical and natural systems in American history,” one that “makes our communities safer and our infrastructure more resilient to the impacts of climate change and cyberattacks.”

The number and sophistication of cyberattacks have increased steadily throughout the pandemic, and utilities have become frequent targets. Cybersecurity training programs are eligible for much of the funding provided by the law, and many utilities stand to benefit from learning new defense tactics. 


Funding Intends to Protect Against Cyberattacks 

The act provides a variety of funding opportunities to enhance protection for critical infrastructure and provide greater broadband access across the country. It specifically designates $1.9 billion for cybersecurity and $65 billion to expand internet access.

Of the funding set aside to assist DHS in enhancing the nation’s cybersecurity, the act designates $100 million over four years in aid to the public and private sector that would be allocated by CISA if DHS declares an attack to be a “significant incident.” In addition, it sets aside nearly $158 million for research in cybersecurity and related areas by DHS’ science and technology wing, while CISA would receive $35 million for sector risk management work.

In addition, the legislation establishes two $250 million programs at the Department of Energy, one for rural and municipal utility security and another for grid security research and development. At the EPA, the law would provide additional funding for programs meant to address water cybersecurity threats.


Act Creates New Fund for Cybersecurity Resources

In addition to the funding to fill vacancies, the legislation gives the Office of the National Cyber Director a $21 million budget and creates a $100 million Cyber Response and Recovery Fund over the next five years. 

The law gives CISA broad discretion to use the funds for vulnerability assessments, malware analysis, threat detection and hunting, and network protections, among other purposes. The funding is available to both private and public groups that have been negatively affected by significant cyber incidents.

According to the Government Accountability Office: “The federal government has a significant role in addressing cybersecurity risks facing the electricity grid, even though most of the grid is owned and operated by private industry. The Department of Energy has developed plans to implement a strategy for addressing grid cybersecurity risks, and the Federal Energy Resource Commission has approved mandatory grid cybersecurity standards.”  

Educating utilities about cybersecurity and assisting in disaster recovery are now federal government responsibilities, and affected organizations should take advantage of the newly available funds.


Common Tech Solutions Could Boost Security for Utilities

Cybersecurity experts now typically advise that a cyberattack is no longer a matter of if, but when, and the energy and utility sector is not exempt.

Regardless of size, all organizations should assume they will be targeted. And with the ever-evolving threat landscape, some common incident response strategies are advisable across many industries.

Developing a playbook for incident response and engaging in security assessments and tabletop exercises can greatly improve an organization’s defenses. For utilities, which have been designated as critical infrastructure, the federal government now provides funding to implement many of those tools.
