Securing Our Nation: How the Infrastructure Investment and Jobs Act Delivers on Cyber Resiliency

Originally published by CrowdStrike here.

Written by Jeff Worthington, CrowdStrike.

Designed to improve our nation’s critical infrastructure, the act is one of the largest federally funded grant programs in history. It provides significant funding to improve your cybersecurity posture so you can focus on delivering services to your communities

Attacks and intrusions on our nation’s vital infrastructure — our electrical grid, water systems, ports and oil supply — are on the rise. For example, as reported by the Pew Charitable Trust in March 2021, hackers changed the chemical mixture of the water supply in Oldsmar, Fla., increasing by 100 times the level of sodium hydroxide (lye) in the water supply. In June 2021, Reuters published an article about how poor cyber hygiene, ineffective cybersecurity practices and the danger of stolen credentials impacted millions of people when a cyberattack interrupted the flow of fuel on the East Coast of the United States. As we hyperconnect our cities and communities, security must be at the forefront of every plan and design.

Recognizing the required investment in the United States, Congress passed the Infrastructure Investment and Jobs Act (IIJA) in November 2021. The IIJA authorizes roughly $1 trillion USD in funding for a number of initiatives that include improving our highways, repairing bridges, creating smart cities, studying the effects of climate change, developing new clean energy technology and both improving and hardening our electrical and water utilities.

For anyone who’s not accustomed to reading legislation, 1,000 pages of complex legislation can be intimidating. States and large cities, as well as larger businesses supporting critical infrastructure, may have entire divisions or established working groups dedicated to understanding and pursuing this and other grant programs. I can only imagine there are numerous small and medium-sized companies, as well as local and tribal governments who, like me, have little experience in taking advantage of the incredible funding opportunities in this and other grants across the federal government.

Here, I will identify some parts of the IIJA your organization may be able to take advantage of. Whether you have people who work with federal grant funding, or not, awareness of this capability to make up for budget shortfalls while building our critical infrastructure is important.

Key IIJA Cybersecurity Funding Provisions

Key provisions of the IIJA provide funds to federal agencies and state, local, tribal and territorial governments, as well as public and private utility and transportation entities, to implement cybersecurity solutions that promote stronger cybersecurity resilience and the ability to assess, detect, identify, mitigate and respond to cyber threats today and into the future.

In particular, the IIJA calls out the U.S. Department of Transportation (DOT), Department of Energy (DOE), Department of Homeland Security (DHS) and Environmental Protection Agency (EPA) for specified cybersecurity funding. Within these provisions, the federal government will provide $3.5 billion USD for key projects that include requirements to improve cybersecurity posture and resiliency, promote intelligence sharing and respond to attacks.

DHS: Layering Our Defenses and Coordinating Our Response

The Cyber Response and Recovery Act and the new State and Local Cybersecurity Grant Program provide over $1.1 billion USD to state, local, tribal and territorial governments including public-private partnerships. These funds are available for seven and five years, respectively, and seek to address cyber risks and threats by supporting threat hunting, network protection and the replacement and modernization of tools and systems. The Cybersecurity Infrastructure Security Agency (CISA), a component agency of DHS, is tasked with defending the infrastructure of the internet and improving its resilience and security for the nation. Each organization must submit its cybersecurity plan when applying for grant funding and, in the case of the State and Local Cybersecurity Grant Program, successful applicants will receive up to 90% of required funding for the first year.

DOT: Improving and Securing Our Roads, Bridges and Ports

As the U.S. transportation system’s networks evolve into a hyperconnected mesh of data and information to make them more efficient, their attack surface exponentially increases. The IIJA directs two specific programs under the DOT to strengthen the cybersecurity posture of the transportation system. The Strengthening Mobility and Revolutionizing Transportation (SMART) grant provides $500 million USD over five years to state, local and tribal governments, and public toll authority and metropolitan planning agencies, to ensure the security of smart cities by implementing cybersecurity best practices. The second program, Advanced Research Projects Agency-Infrastructure (ARPA-I), provides unspecified funding for the advancement of cybersecurity technology solutions that promote the resiliency of roads, highways, bridges, airports, seaports and railways against cyberattacks.

DOE: Keeping the Lights On

The resiliency of the U.S. electrical and power system is critical to national security. Recent years have shown how delicate the grid is, and our adversaries have demonstrated they are adept at attacking power grids. Seven programs provide over $1 billion USD in investment funding to secure research, modernization and resiliency in the energy sector and electrical grid. These projects include maturity models and threat assessments, protection, detection, response and recovery from cyber threats to pilot projects to gain experience with new cyber technology. Each of these provides state, local, tribal and territorial governments, as well as public and private electrical utility companies, with the ability to harden and improve their network defenses, expand cyber defense capabilities and capacity, and gain a clear understanding of their environment and the efficacy of their cybersecurity plans.

EPA: Ensuring Our Drinking Water Is Safe and Sewers Keep Flowing

With two programs valued at $375 million USD over five years, the EPA’s Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program, and the Clean Water Infrastructure Resiliency and Sustainability Program, seek to improve the resiliency of the nation’s water system. This section of the IIJA directs public and private water providers and state and local governments to develop and implement projects that reduce the cybersecurity vulnerabilities of water systems in communities across the United States.