The U.S. Environmental Protection Agency (EPA) has proposed $19.1 million in funding for its Information Security Program in fiscal year 2027, representing a $9.6 million increase over 2026 levels, to strengthen cybersecurity protections across water systems, support controls and secure implementation of emerging technologies, including AI.
The proposal would expand the EPA’s Drinking Water Infrastructure Resilience Grant Program to include dedicated cybersecurity funding, enabling water systems to upgrade infrastructure, improve defenses, and enhance operational resilience against cyber threats. The agency also plans to continue providing technical assistance and support to states, Tribes, and local utilities responsible for water system operations.
The initiative comes as federal agencies continue to identify cybersecurity vulnerabilities in water and wastewater systems, which rely on interconnected operational and IT environments. Is also comes after the WH’s proposed budget suggests slashing the EPA’s budget by 52%, to $4.2 billion.
Doc McConnell, Head of Policy and Compliance, Finite State:
“We know that US critical infrastructure is a visible target for our adversaries. It shouldn’t be a soft target too. It’s reassuring to see that the EPA is planning greater investment in the resilience and cybersecurity of our drinking water, especially given recent announcements about Iran-affiliated cyber actors targeting our water sector.
“I hope that Congress appreciates the urgency of this threat and understands that these types of investments are national security imperatives, not just for the water sector, but across all our critical infrastructure. Infrastructure operators across the country need additional resources to understand their risk, secure their systems, and respond quickly to incidents when they occur.”
Phil Wylie, Senior Consultant & Evangelist, Suzu Labs:
“EPA is clearly signaling that water system cybersecurity is now a critical infrastructure priority, not just an IT concern. The proposed increase, especially with dedicated funding tied to drinking water resilience, is a meaningful step. But it comes against the backdrop of a significantly reduced overall EPA budget, so the real challenge will be whether utilities and states have the resources and operational capacity to translate that funding into measurable security improvements.”
Damon Small, Board of Directors, Xcape, Inc.:
“The EPA’s proposed $19.1 million cybersecurity budget for FY 2027, a nearly 100% increase, is a drop in the bucket compared to the systemic vulnerability of U.S. water infrastructure, yet it signals a critical shift toward direct federal intervention.
“By attempting to embed cybersecurity funding into the Drinking Water Infrastructure Resilience Grant Program, the agency is finally moving past “voluntary guidance” to address the chronic underfunding of operational technology (OT) security in small and medium-sized utilities. However, this progress is threatened by a paradoxical White House proposal to slash the overall EPA budget by 52%.
“A move that would likely gut the very personnel needed to oversee these new grants and technical assistance programs. For security leaders and utility executives, the immediate priority remains securing the IT/OT boundary and remediating default credentials on Internet-exposed controllers (PLCs), as geopolitical actors continue to exploit these low-hanging fruits.
“Relying on federal grants that may be dead on arrival in Congress is not a strategy; instead, utilities must leverage existing State Revolving Funds (SRFs) and CISA’s local grant programs to harden assets before the 2027 fiscal cycle begins. All of this comes on the heels of reports that cyberattacks from the Middle East against US critical infrastructure are on the rise.
“Asking the EPA to defend national water systems while cutting half its staff is like asking a lifeguard to watch the pool from the parking lot.”
Given how critical and vulnerable that this infrastructure is, they need this and more funding. Otherwise things could easily go sideways in terms of this infrastructure getting pwned by someone.
Like this:
Like Loading...
Related
This entry was posted on April 16, 2026 at 2:25 pm and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
EPA proposes $19M cybersecurity funding increase to protect U.S. water systems
The U.S. Environmental Protection Agency (EPA) has proposed $19.1 million in funding for its Information Security Program in fiscal year 2027, representing a $9.6 million increase over 2026 levels, to strengthen cybersecurity protections across water systems, support controls and secure implementation of emerging technologies, including AI.
The proposal would expand the EPA’s Drinking Water Infrastructure Resilience Grant Program to include dedicated cybersecurity funding, enabling water systems to upgrade infrastructure, improve defenses, and enhance operational resilience against cyber threats. The agency also plans to continue providing technical assistance and support to states, Tribes, and local utilities responsible for water system operations.
The initiative comes as federal agencies continue to identify cybersecurity vulnerabilities in water and wastewater systems, which rely on interconnected operational and IT environments. Is also comes after the WH’s proposed budget suggests slashing the EPA’s budget by 52%, to $4.2 billion.
Doc McConnell, Head of Policy and Compliance, Finite State:
“We know that US critical infrastructure is a visible target for our adversaries. It shouldn’t be a soft target too. It’s reassuring to see that the EPA is planning greater investment in the resilience and cybersecurity of our drinking water, especially given recent announcements about Iran-affiliated cyber actors targeting our water sector.
“I hope that Congress appreciates the urgency of this threat and understands that these types of investments are national security imperatives, not just for the water sector, but across all our critical infrastructure. Infrastructure operators across the country need additional resources to understand their risk, secure their systems, and respond quickly to incidents when they occur.”
Phil Wylie, Senior Consultant & Evangelist, Suzu Labs:
“EPA is clearly signaling that water system cybersecurity is now a critical infrastructure priority, not just an IT concern. The proposed increase, especially with dedicated funding tied to drinking water resilience, is a meaningful step. But it comes against the backdrop of a significantly reduced overall EPA budget, so the real challenge will be whether utilities and states have the resources and operational capacity to translate that funding into measurable security improvements.”
Damon Small, Board of Directors, Xcape, Inc.:
“The EPA’s proposed $19.1 million cybersecurity budget for FY 2027, a nearly 100% increase, is a drop in the bucket compared to the systemic vulnerability of U.S. water infrastructure, yet it signals a critical shift toward direct federal intervention.
“By attempting to embed cybersecurity funding into the Drinking Water Infrastructure Resilience Grant Program, the agency is finally moving past “voluntary guidance” to address the chronic underfunding of operational technology (OT) security in small and medium-sized utilities. However, this progress is threatened by a paradoxical White House proposal to slash the overall EPA budget by 52%.
“A move that would likely gut the very personnel needed to oversee these new grants and technical assistance programs. For security leaders and utility executives, the immediate priority remains securing the IT/OT boundary and remediating default credentials on Internet-exposed controllers (PLCs), as geopolitical actors continue to exploit these low-hanging fruits.
“Relying on federal grants that may be dead on arrival in Congress is not a strategy; instead, utilities must leverage existing State Revolving Funds (SRFs) and CISA’s local grant programs to harden assets before the 2027 fiscal cycle begins. All of this comes on the heels of reports that cyberattacks from the Middle East against US critical infrastructure are on the rise.
“Asking the EPA to defend national water systems while cutting half its staff is like asking a lifeguard to watch the pool from the parking lot.”
Given how critical and vulnerable that this infrastructure is, they need this and more funding. Otherwise things could easily go sideways in terms of this infrastructure getting pwned by someone.
Share this:
Like this:
Related
This entry was posted on April 16, 2026 at 2:25 pm and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.