Last fall, President Joe Biden signed into law one of the largest infrastructure packages in history, allocating more than $1 trillion to improve the nation's bridges, help climate resilience, bring broadband Internet to rural areas, and upgrade the water and energy systems. The Infrastructure Investment and Jobs Act also includes almost $2 billion for cybersecurity, half of which goes to a grant program for state, local, and tribal governments.
The cybersecurity funding comes at a time when pipelines, power grids, water systems, and local governments have various adversaries, ranging from ransomware gangs to sophisticated state actors. The money is meant to help them transition from weak security practices and implement advanced security models, such as zero trust.
In particular, the government funds can help small organizations with limited resources — especially those based in rural areas, says Mike Hamilton, CISO at Critical Insight and former CISO for the city of Seattle. "Dollars should be focused primarily on bringing local governments up to a basic state of hygiene because many are far behind standards," he adds.
Local governments and private entities operating in the critical infrastructure sector (such as energy, transportation, agriculture, and finance, to name a few) are starting to think about their cybersecurity initiatives and applying for these grants. While there is no universal shopping list, experts mention several priorities to consider while preparing to apply for these funds.
Building the Shopping List
Any kind of cybersecurity planning needs to start with an inventory of all assets and a risk assessment — and applying for federal funding is no different. Those findings would give a baseline on what the organization needs, as well as uncover additional requirements, starting with different types of managed services, says Jake Margolis, CISO at Metropolitan Water District of Southern California. He suggests managed detection and response services that work 24/7, outsourcing maintenance tasks, and incident response.
Local governments should come up to speed with preventive controls that may not be in place, Hamilton adds. "This will buy down the 'likelihood of a bad outcome' term in the risk expression," he says.
Data analytics technology should also appear high on the list.
"I would spend the money to stitch together governance risk and compliance platforms, SIEM [security information and event management] and SOAR [security orchestration automation and response] technology, so that I can get more predictive analytics based on our risk posture," Margolis says. "When you have those tools talking to each other, you're pulling in information from various sources … which allows you to understand what you're up against."
Margolis would also spend money on transforming how people access the network, aiming to have "a nicely harmonized zero-trust architecture," though he admits this is hard to achieve and expensive. "I would have spent all the money on this," he says.
Still, it is important to train employees and change the culture, helping technology professionals across different departments upgrade their security skills.
While grant applications could include plenty of products and services — from endpoint detection and response (EDR) platforms, to application whitelisting technologies, to asset management software — these tools cannot compensate for the lack of security talent. Hiring and retaining experts are issues most critical infrastructure sectors struggle with.
"That would be No. 1 [on the list], but we can't ‘buy’ that," he says. "It's not included in the legislation."
Follow the Standards
The Infrastructure Investment and Jobs Act’s cybersecurity funding comes with a couple of rules attached. Organizations that want to apply for grants "can't hire/pay employees, can't supplant existing costs," Hamilton says. They also need to be prepared to chip in toward the costs, as mandated by federal grants, and increase their share over time.
One strategy when writing the grant application is to make sure the basics are covered.
"[M]ost incidents could have been prevented had security basics been done properly — identifying vulnerabilities, patching systems, using multifactor authentication for external access, and using appropriate tools to detect unusual activity" says Chris Yule, senior security researcher at Secureworks Counter Threat Unit. “This should always be the starting point for any organization evaluating their security posture.”
Yule recommends organizations take a holistic approach and follow methodologies such as the Cybersecurity Framework set forth by the National Institute of Standards and Technology (NIST), which is a "well-established way of raising cybersecurity maturity across the board," he says.
In addition to the NIST framework, local governments and critical infrastructure sectors can also look at the baseline cybersecurity guidelines set in the Federal Acquisition Regulation (FAR) for public procurement or the Cybersecurity Maturity Model Certification (CMMC), says Razvan E. Miutescu, a partner at Whiteford, Taylor & Preston LLP, where he specializes in privacy and data security, data management, and compliance.
"Effectively, the Infrastructure Investment and Jobs Act casts what were voluntary standards [i.e., NIST and CMMC] as legal and technical requirements," he says. "Deviations from these standards must be scrupulously documented and explained in the development and revision of cybersecurity plans, so it is critical to understand what these standards include substantively."
Advice for Building the Grant Application
Security experts working for local governments and critical infrastructure say that a down-to-earth approach might be the most effective. While utilities and the electric grid face unique challenges, most security incidents begin just like any network intrusion that can be averted with a robust security program.
"Focusing on 'advanced technologies' can often be a smokescreen to this," says Yule.
A cybersecurity plan shouldn’t be a science-fiction novel but a realistic project, which takes into account the organization’s resources.
"If items such as adequate staffing, ongoing maintenance costs, ongoing training, etc., aren't considered before purchasing new shiny tools … then I'm afraid we'll end up with a lot of shelfware and executives who think they're in a better situation than they really are," says Kristen Sanders, CISO at the Albuquerque Bernalillo County Water Utility Authority. “There is no silver bullet solution, and the benefit isn’t always worth the cost of implementation.”
There are also legal aspects to consider, particularly by organizations with few resources that cannot afford to lose money. "Legally, work on the procurement and contracting processes to move responsibility for product security onto vendors and shift liability as possible," says Hamilton. "Begin conducting annual vendor risk management."
Lastly, those who seek access to federal funding under the Infrastructure Investment and Jobs Act should bear in mind that failure to meet legal requirements can result in "consequences far more ominous than a private breach of contract," adds Miutescu. "The application is the beginning of a process and will require a long-term commitment to what may be a very different way of doing business for funded organizations."
While security experts welcome the legislation, they worry the funding is hardly enough, given that there are around 90,000 local governments in the US.
"In the grand scheme of things, cybersecurity only makes up about 0.2% of the infrastructure bill's budget — yes, that's a decimal in front of the 2, so not even 1%," Sanders says. "That seems like an awfully small percentage for something that is such a big problem."