
How to fund your water utility cybersecurity efforts — and why it's so urgent.

Designed for water and wastewater utilities seeking to secure their systems and acquire funding for further protection, Secure Systems: Fortifying Cybersecurity for Utilities is a series of articles addressing the unique challenges utilities face when establishing robust cybersecurity.

Water and wastewater utilities may be concerned about mounting cybersecurity threats and beginning to consider what steps need to be taken to secure their systems, including identifying funding sources. But they may not know where to start. In addition, finding the energy and resources to pursue funding for this complex challenge is difficult. What water utility needs another knot to untangle? Utilities have their hands full keeping up with PFAS regulations, emerging contaminants of concern, the task of replacing or updating aging infrastructure (all of which can require the pursuit of grants and funding), and more.

That said, a great way to start tackling cybersecurity is available: the State and Local Cybersecurity Grant Program, or SLCGP. The grant program was created specifically to provide funding for cybersecurity, but it is novel and may seem more difficult to navigate because of its unfamiliarity.

SLCGP isn’t administered by the United States Environmental Protection Agency (USEPA), a typical water utility funding channel. Unlike funding sources from USEPA - the Clean Water State Revolving Fund, Drinking Water State Revolving Fund, and the upcoming (expected in fall of 2024) Midsize and Large Drinking Water System Infrastructure Resilience and Sustainability Program - SLCGP is uniquely devoted to cybersecurity needs. It also provides a starting point for cybersecurity measures beyond funding for cybersecurity projects. The SLCGP is both an important funding source and a security resource for water utilities.

There’s no sense in panicking, but it isn’t wise to sugarcoat, either: cybersecurity for water utilities is an urgent issue. Now is the right time to get started. Because of the criticality and growing number of cyber threats targeting water utilities, they are uniquely qualified for SLCGP funding; it’s clear that these systems are vulnerable. In short, SLCGP is an alternate supply of funding utilities can and should tap into.

Here’s what water utilities need to know about the SLCGP, who’s eligible, what project types are included, and who to contact to get state-specific information.

Two years ago, in September of 2022, $1 billion of funding from the Bipartisan Infrastructure Law was allocated for a new cybersecurity grant program: SLCGP. This first-of-its-kind program is administered by the Federal Emergency Management Agency (FEMA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), the section of the United States Department of Homeland Security overseeing national cybersecurity and infrastructure protection.

State, local, and territorial (SLT) governments, along with public educational institutions, are eligible to receive this funding. The SLCGP 2023 notice of funding opportunity (NOFO) defines local government as “a county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under state law), regional or interstate government entity, or agency or instrumentality of a local government; an Indian tribe or authorized tribal organization, or in Alaska a Native village or Alaska Regional Native Corporation; and a rural community, unincorporated town or village, or other public entity.”

The $1 billion in funding is being disbursed to these eligible entities throughout the country over a four-year period. In FY 2022, $185 million of funding was available. In FY 2023, $374 million of funding was available. Congress designated $300 million for FY 2024, though the exact amount (taking out funds that will pay to administer the grant and evaluate programs, etc.) has not yet been announced.

SLCGP funding can be used for projects that fall under four broad categories that span the cybersecurity life cycle: planning, assessments, monitoring/implementation, and training. Utilities could seek funds for planning projects, risk and vulnerability assessments, patch and software monitoring, or IT professional cybersecurity training, for example.

Because the purpose of SLCGP is to help SLT governments secure their networks against cybersecurity threats, 80% of grant funds must benefit local governments, and 25% is designated for rural areas specifically. In FY 2023, cost sharing was 20% for single entities and 10% for a multi-entity application.

Under SLCGP, each state has a designated State Administrative Agency (SAA) that applies for, distributes, and manages cybersecurity funding. The SAAs that manage the funds vary from state to state. The SAA could be the state’s Office of Information Technology, Emergency Management or Homeland Security, or Department of Public Safety, for example. Utilities can identify their state’s SAA on FEMA’s state-by-state SAA contact list.

Each state’s requirements for SLCGP are slightly different, which adds an additional wrinkle to the process of getting in line for funding. It can be difficult to find the state requirements spelled out online. Water utilities should start by contacting the person listed on FEMA’s SAA contact list.

As for the requirements themselves, some aren’t as difficult to implement as people might imagine. For example, a relatively easy first step for water utilities is to change all passwords from the default for operational technology (OT) systems, which include programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, and any other industrial control systems (ICS).

Another common SLCGP requirement or recommendation is that utilities migrate their network from a .com or .org domain to a .gov domain. In addition to being a sign of official status that increases trust in SLTs, the .gov domain provides extra protection, like two-factor authentication and oversight from CISA. This step takes more work than changing all default passwords, but it is fairly straightforward. And in addition to aligning a utility with the requirements for SLCGP funding, it helps secure the utility's systems - which is the ultimate goal.

For further details about SLCGP and cybersecurity best practices, CISA’s fact sheet is a great resource. Water utilities can also receive free cyber vulnerability scanning from CISA - another good place to start and something that can help utilities get on the path to meeting SLCGP requirements.

Applying for SLCGP funds is about more than hoping to obtain grant money for projects.

It’s a step towards securing utilities’ critical systems and protecting the communities they serve as much as it is the pursuit of grant funding.
