Utilities Caution that US Grid is Vulnerable as Federal Cybersecurity Funding Depletes


Federal Funding Reductions Compromise Grid Security Amid Increasing Nation-State Attacks, Experts Warn


Utility leaders and cybersecurity experts recently cautioned members of Congress that U.S. federal investments in cybersecurity are not sufficient to match the escalating risks posed by nation-state intrusions, particularly as they pertain to the energy sector.

During a session with the House Energy and Commerce subcommittee, executives from investor-owned utilities and national labs reported that Chinese cyber actors have infiltrated U.S. energy infrastructure. They emphasized that the next phase of cyberattacks is likely to exploit existing vulnerabilities, notably within rural utilities and outdated operational technology.

These alarming assessments come as cybersecurity researchers have highlighted a concerning landscape increasingly dominated by advanced persistent threats. Adversaries are learning to embed themselves into operational technology networks, posing a significant risk to critical infrastructure. For years, officials have specifically warned about the potential for “destructive” attacks against essential sectors, exacerbating concerns about the threat posed by state-sponsored actors from China.

Tim Lindahl, CEO of Kenergy, speaking on behalf of the National Rural Electric Cooperative Association, pointed out that many co-ops lack adequate resources to bolster their cybersecurity measures. He noted that modern security systems demand substantial upfront investments and ongoing funding, a cost burden that undermines co-ops' preparedness. Lindahl stressed that Department of Energy grants designated for rural and municipal utility cybersecurity have not yet been distributed, leaving these organizations vulnerable.

The $250 million grant initiative, which is authorized through fiscal year 2026, requires timely authorization and disbursement of funds to ensure rural communities do not fall behind in cybersecurity readiness. Sharla Artz of Xcel Energy, representing the Edison Electric Institute, echoed these concerns and called attention to the necessity of public-private cybersecurity partnerships that are currently strained by complex and ever-evolving threats. Artz highlighted the need for increased government funding to support initiatives like the Energy Threat Analysis Center in responding to these challenges.

Furthermore, the Biden administration’s proposed fiscal 2026 budget indicates a significant reduction in federal cybersecurity spending at the Department of Energy, slashing contributions from $200 million in fiscal 2025 to $150 million in 2026. This represents a worrying 25% cut, impacting critical areas including risk management tool development and emergency operations.

Funding for the DOE’s grid modernization efforts is set to face even sharper declines, with allocations for the Grid Deployment Office dropping from approximately $60 million to $15 million—a staggering 75% reduction that threatens federal support for technical assistance programs designed to secure aging infrastructure.

The witnesses at the hearing expressed support for the Cybersecurity Risk Information Sharing Program (CRISP), a crucial public-private partnership aimed at facilitating the exchange of threat intelligence between grid operators and the federal government. Zachary Tudor from Idaho National Laboratory cautioned that the current dialogue around funding takes place within a context of unprecedented cyber threats targeting critical infrastructure, where adversaries exploit vendor relationships to maintain persistent access, often bypassing traditional defenses.
