- The bipartisan infrastructure bill heading to President Joe Biden's desk includes billions to help secure the nation's power grid from a growing range of threats, and specifically has $1 billion earmarked to help state, local and tribal governments protect sensitive systems from hackers.
- The legislation also includes $100 million for a Cyber Response and Recovery Fund to support "federal and non-federal entities" impacted by a significant hacking incident, according to Sen. Gary Peters, D-Mich., the chairman of the Homeland Security and Governmental Affairs Committee. It would also grant new authority to the Department of Homeland Security (DHS) in the event of a significant cyber attack or imminent threat.
- "Extreme partnerships" between the federal government and private sector will be necessary to protect an increasingly decentralized grid, U.S. Department of Energy (DOE) Deputy Secretary David Turk said Wednesday at a cybersecurity event hosted by the Solar Energy Industries Association (SEIA).
Securing the nation's electric grid will require a whole-of-government approach alongside deep partnerships with utilities and the energy supply chain, Turk said. Funding included in the bipartisan bill can help develop and maintain that, he added.
The House voted 228-206 on Friday to approve a $1.2 trillion infrastructure bill that includes a wide range of investments in the power grid. Turk spoke two days ahead of the vote, and the programs he discussed were included in the final bill.
According to the White House, the infrastructure bill includes $50 billion to secure infrastructure from climate change and cyberattacks.
That is "a huge amount of funding to allow us to build the kinds of grids, the resilient grids, the cyber secure grids, that we need in our country," Turk said.
He pointed to the need to build "actionable partnerships" similar to DOE's security accelerator, which aims to develop zero-trust cyber solutions for clean energy systems. The accelerator will utilize the National Renewable Energy Lab's Advanced Research on Integrated Energy Systems platform to simulate how hackers might attack, with Berkshire Hathaway Energy and Xcel Energy providing input from industry.
"The other thing that's important, especially on the cybersecurity side, we need to share information ... in a way that we've not really done, from the public side and the private side," said Turk.
"Easier said than done," he added. "We need to make sure we have systems to declassify information in ways that are useful and relevant for the private sector actors out there so that they can take [the] protections that they need. And we need the private sector to be forthcoming with us so that we have that information."
"I'm worried that we're not going to collaborate as deeply and as quickly as we need to, in order for us to be successful," he said.
Provisions in the infrastructure bill provide funding to help local, state and tribal governments deter attacks. There is also $21 million in funding for the newly created office of the National Cyber Director, said Sen. Peters.
"Recent cyber-attacks have hit everything from government offices to critical infrastructure companies," Peters said in a statement. The infrastructure bill will "strengthen cybersecurity in local communities across the nation, safeguard Americans' personal information, and provide our national security agencies with more resources to deter attacks and help public and private entities, such as critical infrastructure companies, recover from them."
Peters also said he helped secure provisions to "create an authority for the Secretary of Homeland Security, in consultation with the [National Cyber Director], to declare a Significant Incident in the event of an ongoing or imminent attack that would impact national security, economic security, or government operations."
With that declaration, the U.S. Cybersecurity and Infrastructure Security Agency could "coordinate federal and non-federal response efforts," said Peters, and allow the secretary of DHS access to the Cyber Response and Recovery Fund.
The bill's funding for power and water system resiliency is encouraging, said Mark Carrigan, senior vice president of process safety and OT cybersecurity at Hexagon PPM.
"Implemented properly, this program could make a considerable difference by making our critical infrastructure more resilient to events that are inevitable - hurricanes, droughts, floods, and cyber-attacks," Carrigan said in a statement. He also warned that the funding must be spent carefully.
If the program of investments is implemented improperly, "taxpayers could end up spending a lot of money but still find themselves without power for a long time after an employee accidentally opens the wrong email that grants access to the wrong people," he said.
More funding to help secure critical infrastructure is also included in the reconciliation package still being debated by lawmakers, said Turk. It includes $110 billion "all focused on clean energy manufacturing, and bolstering our domestic production of clean energy," he said.
So far, the U.S. electric sector has been relatively successful in maintaining grid reliability in the face of daily attacks, said Kate Marks, acting deputy assistant secretary of infrastructure security and energy restoration in DOE's Office of Cybersecurity, Energy Security and Emergency Response.
"But as the sector evolves ... we know that it's become an increasingly attractive target to our cyber adversaries," said Marks, also speaking at the SEIA event. The growth of distributed renewables presents specific challenges as well.
"With an increasingly geographically dispersed energy system with increasingly interconnected systems ... we really see a multi-threat environment with the potential for additional cascading impacts during a disruption," Marks said. "That really complicates the security landscape that we're dealing with."