How do you defend a power plant, a water-treatment facility or a transit system when the money runs out before the threats do? That stark dilemma framed a recent conversation on Lock It Down with Security Magazine between Associate Editor Taelor Sutherland and Chetrice Romero, a senior cybersecurity advisor at Ice Miller — and it highlights a harsh reality: many of the systems that keep communities alive are defended on shoestring budgets while adversaries grow more sophisticated.
Background matters. Over the past decade attackers have shifted from commodity cybercrime to operations that deliberately target operational technology (OT) and industrial control systems (ICS), with real potential for physical harm. Incidents against pipelines and water-treatment systems have demonstrated both intent and capability to cause cascading impacts on communities and regional economies. Meanwhile, owners and operators — often municipal utilities, small private firms or regional agencies — face capital limits and aging equipment that make rapid, wholesale upgrades unrealistic.
Romero and other practitioners outline a clear, pragmatic response: when funds are limited, choose measures that reduce the most risk per dollar and execute them consistently and measurably. The approach is less about perfection than about prioritized resilience.
Concrete priorities that recur in the discussion include these fundamentals:
/ Maintain an accurate asset inventory — you cannot protect what you do not know you have.
/ Prioritize protections for high-impact assets and single points of failure.
/ Implement basic network segmentation to separate OT from IT.
/ Enforce strong access controls, including multifactor authentication and least-privilege accounts.
/ Keep internet-facing systems patched or apply compensating controls when patches lag.
/ Provide role-based cybersecurity training; phishing still leads initial access attempts.
/ Develop and exercise incident-response plans and tabletop scenarios to shorten recovery time.
/ Leverage managed security services, ISACs and available federal/state grant programs to extend capability.
Each of those measures carries tradeoffs: segmentation can disrupt operations while being implemented; multifactor authentication may create friction for field engineers; outsourcing to managed-service providers requires careful contract and supply-chain scrutiny. Still, these are pragmatic choices that magnify protection when resources are tight. Romero’s framing, echoed across industry guidance, is that disciplined execution of a few high-impact controls beats scattershot or purely checkbox compliance.
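The "most risk per dollar" prioritization described above, worked through as an added example (not code from the article, Ice Miller or Security Magazine): assets carry a criticality from the inventory, single points of failure weigh double, each candidate control has a constructed cost and an estimated share of exposure it removes, and a greedy pass fills a fixed budget by risk reduced per dollar, honouring the rule that the inventory comes before anything that depends on it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (mission-critical), from the asset inventory
    single_point: bool    # no redundancy: losing it halts the service

@dataclass
class Control:
    name: str
    cost: float                      # one-off plus first-year cost, USD (constructed)
    assets: list                     # names of assets this control protects
    likelihood_cut: float            # estimated fraction of exposure removed, 0..1
    prereq: Optional[str] = None     # control that must already be selected

def exposure(a: Asset) -> float:
    # Single points of failure count double: their loss stops the whole service.
    return a.criticality * (2.0 if a.single_point else 1.0)

def risk_reduction(c: Control, inv: dict) -> float:
    return sum(exposure(inv[n]) * c.likelihood_cut for n in c.assets if n in inv)

def prioritize(assets, controls, budget):
    """Greedy selection by risk reduced per dollar (a heuristic, not an optimal knapsack)."""
    inv = {a.name: a for a in assets}
    chosen, spent, remaining = [], 0.0, list(controls)
    while remaining:
        affordable = [c for c in remaining if spent + c.cost <= budget
                      and (c.prereq is None or c.prereq in chosen)]
        if not affordable:
            break
        best = max(affordable, key=lambda c: risk_reduction(c, inv) / c.cost)
        chosen.append(best.name)
        spent += best.cost
        remaining.remove(best)
    return chosen, spent

# Constructed sample inventory and control catalogue for a small utility (hypothetical values).
ASSETS = [Asset("scada-hmi", 5, True), Asset("historian", 3, False),
          Asset("billing-web", 2, False), Asset("plc-pump-1", 5, True)]
CONTROLS = [
    Control("inventory", 5000, ["scada-hmi", "historian", "billing-web", "plc-pump-1"], 0.1),
    Control("mfa-remote-access", 8000, ["scada-hmi", "historian"], 0.5, prereq="inventory"),
    Control("ot-it-segmentation", 30000, ["scada-hmi", "plc-pump-1", "historian"], 0.6, prereq="inventory"),
    Control("patch-billing-web", 4000, ["billing-web"], 0.7),
    Control("plc-compensating-firewall", 6000, ["plc-pump-1"], 0.5, prereq="inventory"),
]

def demo(budget: float = 40000.0):
    return prioritize(ASSETS, CONTROLS, budget)
```

With the constructed figures, segmentation is skipped only because the remaining budget cannot cover it after the cheaper, higher-ratio controls; raising the budget changes the order, which is the point of measuring reduction per dollar rather than picking controls by name.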
From a technologist’s viewpoint, automation and telemetry are force multipliers. Centralized logging, properly tuned endpoint detection and response, and automated patch workflows demand modest upfront investment but lower ongoing labor costs and improve time-to-detect and time-to-contain — metrics that matter more for real resilience than a stack of compliance certificates.
Policymakers and legal advisers see a complementary role for governance and incentives. Financial assistance through federal programs (including CISA-administered grants) and state homeland security funding can close gaps for smaller utilities; voluntary incentive programs that tie funding to measurable risk-reduction tend to produce smarter investments than unfunded mandates. Contracts and insurance also shift and clarify financial risk, but they are not substitutes for operational controls.
Users and frontline workers raise a practical concern: security that interferes with mission-critical workflows will be bypassed. Usability and operational continuity must be built into any plan; otherwise, well-meaning protections collapse into procedural workarounds that create fresh vulnerabilities.
Adversaries, for their part, adapt quickly to defender constraints. When defenders cannot replace legacy controllers, attackers probe for exposed services, weak credentials and social-engineering vectors. That pattern was reflected in federal advisories noting that many successful compromises exploit known vulnerabilities and misconfigurations rather than exotic zero-day flaws — a strong argument for getting basic hygiene right first.
There is also an equity dimension: many small or rural utilities serve populations with limited fiscal capacity. Without targeted funding and shared-service models, resilience can become a two-tier landscape where wealthier regions are protected while others remain vulnerable. Public-private partnerships, regional procurement consortia and ISAC participation can spread costs and expertise across many operators, improving security at scale.
What does a realistic roadmap look like for leaders with constrained budgets? Practitioners recommend these sequential steps: establish and maintain inventories and criticality assessments; apply compensating controls to high-risk legacy systems; automate telemetry and central logging where feasible; regularly exercise incident response; and aggressively pursue external funding and shared services. The aim is not to make every system impenetrable but to raise the bar so attacks are harder, detection is faster and recovery is quicker.
One last pragmatic point: measure what matters. Metrics such as time-to-detect, time-to-contain and mean-time-to-recover give leaders actionable insight into whether scarce dollars are buying real resilience, while check-the-box compliance too often obscures persistent risk.
When every dollar counts, smart prioritization — not platitudes about unlimited budgets — will determine whether water stays safe, power stays on and hospitals remain operational in a crisis. If resources are finite and adversaries keep probing, can we afford anything less than disciplined, measurable resilience?
Source: https://www.securitymagazine.com/articles/101892-protecting-critical-infrastructure-with-limited-funding