What does CISO plan to buy with the infrastructure bill funds

Last fall, President Joe Biden signed one of the largest infrastructure packages in history, providing more than $1 trillion to repair the nation's bridges, support climate adaptation, bring broadband internet to rural areas, and upgrade water and energy systems. The Infrastructure Investment and Jobs Act also includes nearly $2 billion for cybersecurity, roughly half of it earmarked for a grant program for state, local, and tribal governments.

The cybersecurity funding arrives at a time when pipelines, power grids, water systems, and local governments face a range of adversaries, from ransomware gangs to sophisticated state actors. The money is meant to help them move away from weak security practices and adopt more advanced security models, such as zero trust.

Mike Hamilton, chief information security officer of Critical Insight and former CISO of the City of Seattle, said government funding can particularly help small organizations with limited resources, especially those in rural areas. "The dollars should mostly be used to get local governments up to basic hygiene, because many are far behind the standard," he added.

Local governments and private entities operating in critical infrastructure sectors (energy, transportation, agriculture, and finance, to name a few) are beginning to review their cybersecurity plans and apply for these grants. Although there is no universal shopping list, experts named several priorities to consider when preparing to apply for the funds.

Creating a shopping list

Any cybersecurity planning needs to start with an inventory of all assets and a risk assessment, and applying for federal funds is no exception. Jake Margolis, chief information security officer of the Metropolitan Water District of Southern California, said those findings provide a baseline of the organization's needs and, starting with the various types of hosted services, reveal further requirements. He recommends 24/7 managed detection and response services, outsourced maintenance tasks, and incident response.

Hamilton added that local governments should speed up the implementation of preventive controls and other measures that may not yet be in place. "This reduces the 'likelihood of adverse outcomes' term in the risk equation," he said.

Data analytics should also be high on the list.

"I would spend money integrating a governance, risk and compliance platform, SIEM [security information and event management] and SOAR [security orchestration, automation and response] technology so that I can do more predictive analysis based on our risk profile," Margolis said.

Margolis would also spend money on changing the way people access the internet, aiming for "a very coordinated zero-trust architecture," although he admits this is difficult to achieve and costly. "I would spend all my money on that," he said.

Training staff and changing the culture, so that technical professionals across departments improve their security skills, also matters.

Although grant applications may include a long list of products and services, from endpoint detection and response (EDR) platforms to application whitelisting to asset management software, these tools cannot compensate for a lack of security talent. Recruiting and retaining experts is the most critical issue facing the infrastructure sector.

"That would be number one [on the list], but we can't 'buy' that," he said. "It's not in the legislation."

Complying with standards
Several rules are attached to the cybersecurity funding in the Infrastructure Investment and Jobs Act. Organizations that want to apply for grants "can't hire or pay staff, and can't replace existing spending," Hamilton said. They also need to be prepared to share costs under the federal funding requirements and to increase their share over time.

One strategy when writing a grant application is to make sure the basics are covered.

"Most incidents can be prevented if the security fundamentals are working properly: identifying vulnerabilities, patching systems, using multi-factor authentication for external access, and using appropriate tools to detect unusual activity," said Chris Yule, a senior security researcher at the Secureworks Counter Threat Unit. "That should always be the starting point for any organization assessing its security posture."

Yule recommends that organizations take a holistic approach and follow a methodology such as the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), which is "a proven way to comprehensively improve cybersecurity maturity," he said.

In addition to the NIST framework, local governments and critical infrastructure operators can look at the baseline cybersecurity requirements set by the Federal Acquisition Regulation (FAR) for government procurement, or at the Cybersecurity Maturity Model Certification (CMMC), said Razvan E. Miutescu, a partner at Whiteford, Taylor & Preston LLP who specializes in privacy and data security, data governance, and compliance.

"In effect, the Infrastructure Investment and Jobs Act turns voluntary standards [i.e., NIST and CMMC] into legal and technical requirements," he said. "Deviations from these standards when developing and revising cybersecurity plans must be carefully documented and explained, so it is important to understand the substance of these standards."

Advice for building a grant application
Security experts working for local governments and critical infrastructure say a down-to-earth approach may be the most effective. Although utilities and power grids face unique challenges, most security incidents start like any other network intrusion and can be avoided with sound security practices.

"A focus on 'advanced technology' can often become a smokescreen," Yule said.

A cybersecurity plan should not be science fiction, but a realistic project that takes the organization's resources into account.

"If we don't consider adequate staffing, ongoing maintenance costs, continuous training and other items before purchasing shiny new tools… then I worry we will end up with a lot of people who think they are in a better position than they actually are," said Christine Sanders, chief information security officer of the Bernalillo County Water Authority in Albuquerque. "There is no silver bullet, and the benefits are not always worth the cost of implementation."

Legal aspects also need to be considered, especially for organizations with few resources that cannot afford a loss. "Legally speaking, work through the procurement and contracting process to push responsibility for product security onto the vendor and shift as much liability as possible," Hamilton said. "Start doing annual vendor risk management."

Finally, those seeking federal funding under the Infrastructure Investment and Jobs Act should keep in mind that failing to meet the legal requirements can lead to "consequences far more ominous than a private default," Miutescu added. "Applying is the beginning of a process that requires a long-term commitment to what may be a very different way of doing business for funded organizations."

Although security experts welcomed the legislation, they are concerned that the funding is insufficient, given that there are approximately 90,000 local governments in the United States.

"Overall, cybersecurity accounts for only about 0.2% of the infrastructure bill budget, and yes, that's a decimal point before the 2, so it's even less than 1%," Sanders said. "For such a big problem, that seems like a very small percentage."
