US Senate passes infrastructure bill, funds cybersecurity to address critical infrastructure needs

The U.S. Senate passed on Tuesday a bipartisan infrastructure bill following several months of negotiations, which will help boost infrastructure resiliency in the country, already plagued by several cybersecurity incidents affecting its critical infrastructure sector. The bill, called the Infrastructure Investment and Jobs Act (IIJA), now moves to the U.S. House of Representatives for consideration.

The IIJA includes the committee-passed surface transportation reauthorization bills from the Commerce and Environment and Public Works Committees, the Drinking Water and Wastewater Infrastructure Act passed by the Senate, and the Energy Infrastructure Act approved by the Energy and Natural Resources Committee, according to a Lexology blog post.

The Senate has allocated over US$1.9 billion in cybersecurity funds, as part of the roughly $1 trillion bipartisan infrastructure bill. The funds will go toward securing critical infrastructure, helping vulnerable organizations defend themselves and providing funding for a key federal cyber office and other initiatives.

As part of the IIJA, the power and grid sector scored big with a bounty of $65 billion and the bill S.2377, titled, ‘Energy Infrastructure Act,’ passed in the Senate. The legislation sponsored by Senate Energy and Natural Resources Committee Chairman Joe Manchin, a Democrat from West Virginia, authorizes funding and programs across a host of fuel sources and technologies, as well as funding for Western Water infrastructure.

The infrastructure bill also portioned out $47.2 billion for building resiliency, which includes funding for cybersecurity to address critical infrastructure needs, waste management, flood and wildfire mitigation, drought, and coastal resiliency, ecosystem restoration, heat stress and weatherization.

“Our bipartisan bill will help West Virginia, and every other state in the nation, address the infrastructure needs of our nation while creating good-paying jobs and growing the economy,” Senator Manchin said in a statement. “This type of investment hasn’t been made in three decades.”

​​The Energy Infrastructure Act includes various provisions aimed at promoting and incentivizing enhanced physical and cybersecurity of the electric grid, apart from setting up voluntary programs, providing grants to utilities to respond to threats and promoting the use of advanced technologies. It also seeks to enhance grid security through public-private partnerships. 

The Secretary of Energy, the Secretary of Homeland Security, and other stakeholders deemed appropriate would establish a new program to promote the voluntary adoption of physical and cybersecurity support and best practices for the electric grid, according to the Energy Infrastructure Act. It also authorizes the Secretary of Energy to require all funding recipients to submit, prior to issuance of funding, a cybersecurity plan that demonstrates the cybersecurity maturity of the recipient in the context of the project for which the funding is provided, and establishes plans for cybersecurity maintenance and improvements throughout the life of the relevant project.

The legislation will also lead to the establishment of a $250 million R&D (research and development) program, called ‘Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program,’ for the energy sector to develop advanced cybersecurity applications and technologies. In addition, it will set up a $50 million program aimed at enhancing emergency response and preservation of the grid.

The Act also sought to set up a voluntary program, called Energy Cyber Sense Program, to test cybersecurity products and technologies intended for use in the bulk-power system. It also directs the Federal Energy Regulatory Commission (FERC) to promulgate a rule incentivizing investments in cybersecurity technologies and threat information sharing. 

The legislation also met several electric co-op priorities, including support for clean energy technologies, including carbon capture utilization and storage, nuclear energy and hydropower, substantial funding to boost broadband deployment, and funding for grid modernization. It also contained provisions to increase physical and cybersecurity through public-private partnerships and other programs.

The Act also included programs to promote grid resiliency, including $5 billion for resiliency grants to supplement existing grid hardening efforts, reduce the risk of power lines causing a wildfire, and reduce the likelihood and consequences of resilience events.

The National Rural Electric Cooperative Association (NRECA) welcomed the bipartisan infrastructure deal that helps electric cooperatives address several critical issues, while noting that additional assistance is needed to support rural communities. NRECA is the national trade association representing nearly 900 local electric cooperatives. 

“This bipartisan proposal is a meaningful first step and carries significant benefits for rural families and businesses, particularly those who lack access to high speed broadband,” NRECA CEO Jim Matheson said in a press statement. “We commend the senators from both sides of the aisle who worked together on this compromise, and we applaud their commitment to the bipartisan pursuit of solutions.” 

“This funding will help build stronger communities, ensure they are better prepared for future disasters, and allow for adaptation and resilience investments to address the effects of climate change,” Secretary of Homeland Security Alejandro N. Mayorkas said in a statement on the passage of the bipartisan infrastructure bill. “The bill also includes additional funding for cybersecurity and provides DHS with the resources needed to support response and recovery efforts for public and private entities impacted by cyberattacks.”  

“By providing assistance and funds prior to and after a cyber attack, there is a much better chance that damage can be limited and recovery will be much faster, with less of a chance of losing staff who are overworked,” Erich Kron, security awareness advocate at KnowBe4, wrote in an emailed statement. “Cyber crime is no longer an annoyance, but a very serious threat to our critical infrastructure and government, and this is a step in the right direction.” 

“While the assistance is welcome, it will take time to get it in place. Until then, these organizations should concentrate on shoring up against the biggest threats they face, including educating employees on how to spot phishing emails that spread malware and ransomware as well as scams, and securing remote access portals that cyber criminals target in an effort to gain access to the network with Multi-Factor Authentication (MFA) and strict account lockout processes for failed login attempts,” Kron added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.