The United States government’s limited investment in the industrial infrastructure sector can be attributed to a lack of political will and leadership that has lasted for decades. However, the 2021 Infrastructure Improvement and Jobs Act (IIJA) remedies this inaction by distributing grant money and loans to utilities and water/wastewater plants. The 2021 legislation looks to be the best of both worlds—focusing on cybersecurity resilience and plant modernization objectives and providing latitude to federal departments on how to spend the money.
The IIJA bill distributes $1.3 billion to multiple industries over the next four years, which includes water/wastewater, utilities, transportation and tribal land entities. To help reduce the complexity of the bill, the White House released the Bipartisan Infrastructure Law Guidebook in late January. This offers grant program descriptions, objectives, funding mechanisms, key dates, departments providing money, eligibility and milestones. Applications for programs will be found at Build.gov.
One theme emerging from the bill is that more resilience is essential for all infrastructure industries. A $250 million loan by the Department of Energy (DoE) to rural and municipal utilities – smaller entities – looks to “protect against, detect, respond to and recover from cybersecurity threats” while deploying advanced cybersecurity technologies and a goal of moving toward participation in cybersecurity threat information sharing programs.
This loan’s requirements reveal both flexibility and specifics, while acknowledging the lack of modern plant equipment or systems to enable efficient information sharing.
While the North American Reliability Corp (NERC) CIP standard oversees the electric grid, the water segment doesn’t comply with any regulatory framework on cyber resilience, making it vulnerable. Due to this neglect, equipment and network upgrades are lagging. Luckily, the federal government and industry know this.
In addition to the Infrastructure Improvement and Jobs Act, the Environmental Protection Agency (EPA) announced a 100-day action plan to accelerate cyber resilience in the water/wastewater sector.
“There is absolutely inadequate resilience across the water sector, but the cyber resilience initiative is voluntary,” said EPA senior officials on Jan. 27, published here. Also noted is the federal government’s limited regulatory authority to impose cybersecurity requirements on the water sector. However, the 100-day action plan has two goals, according to a senior official: To promote the adoption of technologies that allow earlier detection of cyber threats and to promote “rapid sharing of cyber threat data” with the U.S. government “in a secure[d] fashion.”
“Although IIJA has many provisions for strengthening the nation’s overall cyber defenses, it’s a bit challenging to know what that means specifically for operational technology (OT) security programs,” said Don Dickinson, senior business development manager at Phoenix Contact.
“If people are expecting the federal government to protect them from cybersecurity events, then there is a kind of misunderstanding of the federal government’s role,” said Richard Robinson, CEO of Cynalytica.
While many are debating the language of the IIJA bill, a sizeable portion of the funding for the water sector will be available through state revolving funds (SRFs) that are administered by the EPA, making money available at the state level. SRFs have been in place for several decades and can be a loan assistance program or matching funds. Their history points to efficient use of funds for capital projects in the municipal water sector.
The Infrastructure Improvement and Jobs Act allocates $44 billion in SRFs for states, territories and tribes over the next five years, while setting aside $7.4 billion for 2022.
Part of the cybersecurity conversation includes the America’s Water Infrastructure Act of 2018 (AWIA18), which requires drinking water utilities serving more than 3,300 people to conduct a risk and resilience assessment (RRA) to identify vulnerabilities. An RRA includes an assessment of physical risks and cybersecurity risks. Within six months of conducting an RRA, AWIA18 also required utilities to develop emergency response plans (ERPs) that provide a process that mitigates vulnerabilities found in the RRAs.
“Every drinking water utility should have an ERP to mitigate risk, including cyber risks. IIJA now can provide funding to make these ERPs a reality,” said Dickinson. “My recommendation for anyone in the water/wastewater sector is to act now.”
The Infrastructure Improvement and Jobs Act provides the funds to implement capital improvement projects that have been previously planned. Projects can include the replacement of, or significant upgrades to, legacy control and supervisory control and data acquisition (SCADA) systems. That includes provisions for strengthening the security posture of the automated systems controlling critical processes.
“Utilities and companies need money for operations and technology, because you can’t build a wall around SCADA,” said Sam May, senior compliance consultant at Steel Root. “Operations need to build processes and adding cybersecurity tools without proper infrastructure in place isn’t going to do it.”
The lead department distributing federal funds for state and local municipalities and their information technology (IT) systems is the Cybersecurity and Infrastructure Security Agency (CISA). They will allocate $1 billion in state and local cybersecurity funds over four years, starting in the third quarter of 2022 (which starts in April 2022).
There’s also a David and Goliath dynamic throughout this act as small, municipally owned electric utilities or rural electric cooperatives compete against larger water/wastewater districts or utilities for funding.
“If the government wants to be serious about cybersecurity for entities under a certain revenue threshold, they should be providing these services for free for utilities under $20 million,” said May. “Why don’t we have a government body that provides cybersecurity assessments and a list of cybersecurity solutions that can fix these issues?”
There has been debate that CISA could offer security assessments and identify security gaps for industries in the unpassed Build Back Better, but the bill has stalled and further discussion around cybersecurity federal services is yet to happen.
“If people are expecting the federal government to protect them from cybersecurity events, then there is a kind of misunderstanding of the federal government’s role,” said Richard Robinson, CEO of Cynalytica. “The federal government is putting in systems to protect the federal government and there’s a sentiment among some quasi-government and commercial operators that it’s the federal government’s responsibility to protect critical infrastructure components.”
Industrial networking standards
Funding and attention for cybersecurity in the infrastructure space has been minimal, but industry groups have elevated cybersecurity standards and frameworks. The IIJA legislation relies on industry groups’ frameworks or standards, such as National Energy NERC CIP, which set critical infrastructure cybersecurity standards.
The American Water Works Association (AWWA) developed sector-specific guidance based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was recently updated in 2018. This voluntary framework is a risk-based approach that prioritizes cybersecurity resources and action to reduce cyber risk. Both the framework and the AWWA guidance reference the International Society of Automation (ISA) and International Electrotechnical Commission (IEC) 62443 standard that addresses managing cyber risks for industrial automation and control systems.
While many industry analysts like the Infrastructure Improvement and Jobs Act’s language and focus, some critics hope previous pilot projects will be used for cyber resilience guidance in 2022 and beyond to allow funding for critical asset projects. Many industry analysts say more cybersecurity training is needed for operations teams — especially for smaller utilities, cooperatives and water districts — but this isn’t explicitly identified in the IIJA.
The bill’s language could provide enough flexibility for immediate plant modernization projects for increased monitoring and communication. All other indicators from the executive branch show an understanding of the challenges, along with the willingness to place money where it should go.