Some of the key provisions of the American Jobs Plan that support critical infrastructure cybersecurity include:
- Make $20 billion in energy infrastructure investments for state, local and tribal governments contingent on cyber modernization
- Create a new tax credit for transmission infrastructure that will help finance cyber technologies for the electric grid
- Improve security monitoring and incident response activities [by providing an additional $650M in funding to the Cyber Security and Information Agency (CISA) for the stated purposes]
If carried out as described, the actions proposed in the American Jobs Plan will help bolster the cybersecurity posture of American critical infrastructure. However, they do not go far enough to address the vast scale and scope of the problem we are facing. While the disruption of the Colonial Pipeline was certainly significant, as reported the attack was simply commoditized ransomware –nation states and cybercriminals currently have the capability to destroy and disable critical infrastructure for far longer than we saw with Colonial by targeting OT systems rather than IT systems.
As information technology (IT) and operational technology (OT) systems have converged, cyber adversaries have become increasingly aggressive in pursuing cyber-physical effects such as critical infrastructure downtime, asset damage, and process manipulation. This has put business continuity and human safety at risk, and further ensured that adopting zero-trust visibility at every level of the industrial control system (ICS) is critical to an organization’s security posture.
While the described block grant and tax credit programs are certainly needed, smaller critical infrastructure organizations often lack sufficient expertise in OT security best practices to properly monitor and defend their critical assets. These programs must also be followed up with technical assistance beyond existing government frameworks (such as NIST’s Guide to Industrial Control System Cybersecurity) that recommends specific technology stacks so that recipients can most effectively leverage these programs.
The scope of potential recipients of block grant programs should be expanded to ensure that small privately-owned utilities and rural electric co-ops are included. These organizations are critical to our nation’s energy infrastructure, yet only municipal public utilities appear to be included as eligible for the DOE-administered block grants. By helping State, Local, and Tribal governments as well as privately-owned critical infrastructure organizations secure adequate resources, develop domain expertise, and procure effective technologies, the Biden Administration can encourage robust adoption that helps to enhance the cybersecurity posture and resiliency of the nation’s critical infrastructure.