• Capitol Core Group

Preventing Cyber-Attacks: Water Agencies at Front of Line for Critical Infrastructure Funding

June 28, 2021

Written by Michael W. McKinney, Founding Partner at Capitol Core Group

On June 24th, a bipartisan group of Members of Congress and President Biden handed water utilities across the nation a desperately needed helping hand when it comes to ramping up their cybersecurity protocols and financing their infrastructure projects. The announced Bipartisan agreement would allocate $55 billion for water infrastructure, $20 billion for financing and $47 billion for resiliency projects, which now includes cybersecurity implementation. The framework represents the largest long-term investment in our country in nearly a century.

The need for cybersecurity enhancements at US water agencies has never been more apparent. Americans are now more aware than ever about the increasing vulnerabilities US utilities face. These attacks affect our everyday lives, from long waits at the pump to the poisoning of our water supply. The catastrophes averted in the Bay Area water hack, the Florida Oldsmar Water Plant hack and the well-known Colonial Pipeline attack highlighted the welcomed focus on cybersecurity spending. The events should serve as a wakeup call to water utilities that a few undetected keystrokes could prove fatal.

At both federal and state levels, policymakers are now seeing cybersecurity investments as part of the requirements of local agencies receiving infrastructure dollars. With infrastructure spending packages at the federal and state levels now totaling more than a trillion-dollars, policymakers have made clear that investment in water infrastructure, coupled along with cybersecurity measures is a priority. The billions of dollars being authorized for needed infrastructure and cybersecurity improvements throughout the U.S., the ability for local agencies to demonstrate cybersecurity plans for the eventual “what if” scenario is paramount to obtaining federal and/or state funding for needed projects. The first signals came from Transportation Secretary Pete Buttigieg. On Wednesday May 12th he said that cybersecurity “has to be core to how we secure our critical infrastructure” and that “recipients of funding from the administration’s infrastructure package would have to detail how hacks will be prevented.” While the Nation has always thought in these terms for energy and water resilience at our military installations, we now must apply that same criterion to local agency resilience in the face of cyber threats which could cripple operations.

Beyond federal spending, states are seeing the need for physical and digital infrastructure investments as well. California alone has slated $5.1 billion in water infrastructure financing. The money will be used to help combat the current drought, implement the Sustainable Groundwater Management Act and update choked water infrastructure which limits flow between certain regions in the State. Other states are providing similar investments. Much of these funds are provided through the federal CARES Act and updating cybersecurity requirements will be a string attached to the funding.


This is a “tipping point.” The alarming increase in cybersecurity incidents during the pandemic, the Solar Winds hack, Oldsmar, Hafnium, Colonial Pipeline, and the now-revealed JBS and San Francisco Bay area attacks put significant pressure on policymakers to act fast. It seems there is a new hack every week and these threats will not dissipate. As intractable as many federal cybersecurity problems seem, the money focus is clear, and early adapters of additional cybersecurity measures will be at the head of the line for federal and state infrastructure spending. According to Anne Neuberger, cybersecurity advisor at the National Security Council “There has been a significant hike in the frequency and size of ransomware attacks. The threats are serious, and they are increasing. We urge you to take these critical steps to protect your organizations and the American public.”

Following cyberattacks on U.S. companies, government agencies, schools, and hospitals during the COVID- 19 pandemic saw the first increase in cybersecurity spending. Spending was quadrupled by the Trump Administration in response to the Solar Winds attack with an emphasis on the Nation’s supply chains. The Biden Administration has now set its foot on the floor re-doubling spending on cybersecurity, advancing CISA/NIST timelines to 180-days and placing emphasis on items from certifications to continuous monitoring. $2.9 billion is currently in the federal spending pipeline for cybersecurity and a portion of the $47 billion in the infrastructure spending bills will be allocated for cybersecurity implementation. The exact requirements and allocations are still being formed and since forewarned is forearmed smaller utilities should be keeping a watchful eye on the new protection levels and what money is available from the federal or state government to implement those protections.

preventing water utility cyber attack

“Our nation’s airlines, large utilities, big data companies, and larger corporations have been preparing for these cyberattacks. But we are finding that smaller entities, especially water agencies, are often surprised by the level of protection that is now being required,” stated Tina Parmer Senior Sales Lead at Entrust one of the nation’s leading digital security and issuance systems providers. “It is now not a matter of if an attack will occur on a utility system, it is a matter of when it will occur on their systems and what protections are in place to deal with that attack.” The current trend in policy is to push entities to reach for the next level of cybersecurity no matter where they are now.

Putting solutions into the right hands: Early focus on supply chain compromises, such as the SolarWinds hack, underscored the demand for communication about flaws in hardware and software. Ensuing hacks ranging from Colonial to “Hafnium,” immediately broadened the public policy focus beyond supply chain to utilities and other critical infrastructure.

Federal and state policymakers are requiring investments in network security, third party risk management (TPRM), and vulnerability testing. Utilities should understand the intense demand for these funds and need a strategy to communicate with congressional authorizers and appropriators. To assist in obtaining funding, utilities should consider enlisting a firm experienced in navigating the complex federal and state funding process.

Michael W. McKinney is President of Capitol Core Group, a federal and state lobbying firm specializing in water infrastructure funding and data access/protection in the insurance and transportation industries. Capitol Core specializes in obtaining federal and state funding and represents water agencies in the western United States.