The Big Bid for Infrastructure, Clean Energy, and what it might mean for Cyber Security

CYRIN Newsletter

President Biden unveiled a $2 trillion jobs and infrastructure plan at the end of March that includes at least $100 billion for a variety of infrastructure priorities, including modernizing the electric power grid. The grid has become increasingly vulnerable to a growing number of cyberattacks, so security experts are looking closely at Biden’s proposal to see what kind of funding it contains to address cybersecurity. And it seems that Biden’s infrastructure package could hold a lot of promise for cybersecurity, particularly for the electric grid.

The Washington Post reports that the electric grid “faces millions of attempted intrusions a day,” and these attempted attacks come from domestic and foreign adversaries. Worries about this kind of attack have only grown since Russian hackers shut down Ukraine’s power grid in 2015. And this year’s SolarWinds attack, during which software used by the power industry (and many others) was breached by Russian hackers, highlighted the growing need for protection. Successful cyberattacks on the grid would wreak havoc, creating massive disruptions and economic wreckage.

But it’s not just the grid, it’s the economy.

“Any infrastructure bill that doesn't include serious money for grid improvements and grid resilience will miss the objective of a resilient economy because the grid will remain vulnerable,” said Jim Cunningham, executive director of Protect Our Power, a nonprofit focused on grid security. Cunningham noted in the Washington Post that public power and municipal utilities “are particularly under-resourced when it comes to making grid improvements and would benefit from infrastructure funding in the form of grants or loans to make costly improvements.” Cunningham also noted that directing funds to states and to regional grid organizations so they can “hire new talent to better regulate and address the issue would also help improve grid security.”

Part of the challenge, according to Manny Cancel, Chief Executive Officer of the Electricity Information Sharing and Analysis Center, is that “corporate networks weren’t designed to face off against nation state actors.” The fight is not a fair one.

So how might Biden’s infrastructure package help address the grid’s vulnerabilities to attack? Though Republicans and Democrats probably won’t agree on many parts of the infrastructure package, there is bipartisan support for securing the grid. According to Senator Jim Risch (R-Idaho), infrastructure funding could help address some supply-chain concerns by bringing manufacturing back to the United States. “Supply issues are critical not just to this industry but all industries,” Risch said in the Washington Post. “We’re way too dependent on other manufacturers that aren’t allies to us.”

The Post reports that additional cybersecurity efforts and policy initiatives are in the works. Energy Secretary Jennifer M. Granholm acknowledged, for example, that “Biden’s clean energy goals all depend on resilient electrical infrastructure.” The agency has taken steps to expand its cybersecurity efforts. For example, the Energy Department's Office of Cybersecurity, Energy Security and Emergency Response announced new research dedicated to supply-chain threats. The Biden administration is also working on an initiative to help coordinate with the electric sector to ensure a better response to cyberattacks, according to Bloomberg news reports.

More funding for NIST and States in the Pipeline?

Many additional initiatives are included in the new budget including $900 million for the National Institute of Standards and Technology to go toward research on cybersecurity and other technology priorities. Rep. Yvette D. Clarke (D-New York), chair of the House Homeland Security cybersecurity subcommittee, indicated that she would soon reintroduce a bill with $500 million in funding for state and local cybersecurity.

The Department of Homeland Security is also working to support states struggling with cyber attacks – and some of these states are enacting laws that protect companies against liability, as long as they also enact best security practices. Cynthia Brumfield reports that some states are adopting safe harbor laws against cyberattacks, but these laws are dependent on the adoption of cybersecurity best practices and frameworks. Recent attacks have “sparked calls for liability protection against malicious intrusions,” Brumfield writes. “If organizations want this protection, however, lawmakers say they need to step up their game to implement better cybersecurity practices.” Some states (like Ohio and Connecticut, for example) have enacted laws that “incentivize the adoption of robust and thorough industry-leading cybersecurity frameworks and recommendations such as the National Institute of Standards and Technology’s [NIST] Cybersecurity Framework or the Center for Internet Security’s (CIS) Critical Security Controls by making them requirements for obtaining liability protections.”

States like Connecticut understand the severe threat posed by cyberattacks to states’ infrastructure, businesses, hospitals, schools, and consumers. Democratic State Representative Caroline Simmons introduced the Connecticut safe harbor legislation. “By creating a safe harbor for all organizations in Connecticut that adopt a written cyber plan based on a recognized best practice, like the NIST Cybersecurity Framework or the CIS Critical Security Controls, we will bolster data security for businesses and consumers, as these frameworks have been shown to reduce cyberattacks by 83%,” she says.

Of course, even with state and federal support for and laws about cybersecurity, companies still need a well-trained cybersecurity team – something many businesses lack. A recent report by Netsurion highlighted the ongoing shortage of staff and skills. And though cybersecurity technologies continue to develop, becoming more advanced and more available, there has been an over-reliance on products to defend against threats, because it sometimes feels easier (and less expensive) to buy technology than to hire and retain cybersecurity experts. Though technology is, of course, essential to cybersecurity, “it isn’t a standalone solution.” Companies need a skilled cybersecurity workforce. The report’s conclusion: the key is a combination of “people, processes and technology.”

Can CYRIN Training help?

CYRIN can help. CYRIN’s online interactive virtual training platform is designed to improve the skills of IT, engineering and cybersecurity professionals and students. CYRIN contains more than 50 interactive labs where you can train on commonly used tools in network administration and defense, individual and red team/blue team exercises, and numerous attack scenarios where students and trainees must mitigate random attacks on industrial control networks. Each student or trainee receives his/her own virtual instance of the CYRIN cyber range and completes “learn by doing” courses.

Please take a look at our entire course catalog or better yet contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
