The United States Environmental Protection Agency (EPA) has proposed increasing its fiscal year 2027 (FY27) budget, which would allow the agency to expand its Drinking Water Infrastructure Resilience Grant Program. That would include dedicated cybersecurity funding, enabling the EPA to upgrade legacy infrastructure, strengthen defenses, and enhance operational resilience against cyber threats.
The EPA has also announced plans to continue providing technical assistance and support to states, Tribes, and local utilities responsible for water system operations.
“In FY 2027, the Agency is proposing $19.1 million for the Information Security Program, an increase of $9.6 million over the FY 2026 enacted level to support responsible implementation of AI initiatives and critical cybersecurity solutions,” the EPA explained in its FY27 budget released earlier this month.
“This funding will allow for the necessary controls to use leading-edge technologies within the environment and prevent malicious actors from leveraging these technologies to disrupt business operations,” the agency added.
The request is part of an FY27 border budget that highlights AI investments and water security, following reports of cyber threats against critical U.S. infrastructure.
“EPA is clearly signaling that water system cybersecurity is now a critical infrastructure priority, not just an IT concern,” explains Phil Wylie, senior consultant and evangelist at cybersecurity provider Suzu Labs.
However, the White House’s proposed budget suggests slashing the EPA’s budget by 52%, to $4.2 billion.
Wylie told ClearanceJobs that the proposed increase, especially with dedicated funding tied to drinking water resilience, is a meaningful step.
“But it comes against the backdrop of a significantly reduced overall EPA budget, so the real challenge will be whether utilities and states have the resources and operational capacity to translate that funding into measurable security improvements,” Wylie suggested.
Water, Water Everywhere – It’s an Easy Target
The call for additional cybersecurity funding comes as federal agencies continue to identify cybersecurity vulnerabilities in water and wastewater systems and in other critical infrastructure that rely on interconnected operational and IT environments.
“We know that U.S. critical infrastructure is a visible target for our adversaries. It shouldn’t be a soft target too,” warned Doc McConnell, head of Policy and Compliance at cybersecurity provider Finite State.
“It’s reassuring to see that the EPA is planning greater investment in the resilience and cybersecurity of our drinking water, especially given recent announcements about Iran-affiliated cyber actors targeting our water sector,” McConnell told ClearanceJobs via email.
He added that the hope is that Congress will appreciate the urgency of this threat.
“These types of investments are national security imperatives, not just for the water sector,” McConnell continued, “but across all our critical infrastructure. Infrastructure operators across the country need additional resources to understand their risk, secure their systems, and respond quickly to incidents when they occur.”
A Drop In the Bucket?
Even with the increase, there is concern that the EPA may still lack the resources to adequately protect its vital infrastructure .
“The EPA’s proposed $19.1 million cybersecurity budget for FY 2027, a nearly 100% increase, is a drop in the bucket compared to the systemic vulnerability of U.S. water infrastructure, yet it signals a critical shift toward direct federal intervention,” said Damon Small, board of directors, at Los Angeles-based IT Security firm Xcape, Inc.
Small also told ClearanceJobs that by embedding cybersecurity funding into the Drinking Water Infrastructure Resilience Grant Program, the agency is finally moving past “voluntary guidance” to address the chronic underfunding of operational technology (OT) security in small and medium-sized utilities.
He also noted that the progress could be threatened by a paradoxical White House proposal to slash the overall EPA budget by 52%.
“A move that would likely gut the very personnel needed to oversee these new grants and technical assistance programs,” added Small. “For security leaders and utility executives, the immediate priority remains securing the IT/OT boundary and remediating default credentials on Internet-exposed controllers (PLCs), as geopolitical actors continue to exploit these low-hanging fruits.”
This is not a new problem either. A March 2024 EPA report revealed pervasive cybersecurity failures across the sector, including poor password management and a lack of risk assessments, highlighting that existing funding has not been sufficient to secure the infrastructure.
In addition, the Government Accountability Office warned that the water sector has made only limited investments in cybersecurity because it is often voluntary, while utilities prioritize funding for basic water safety, leaving little for cyber protections.
The new funding will help address, but not fully solve the threats that this critical infrastructure now faces.
“Relying on federal grants that may be dead on arrival in Congress is not a strategy; instead, utilities must leverage existing State Revolving Funds (SRFs) and CISA’s local grant programs to harden assets before the 2027 fiscal cycle begins,” said Small. “All of this comes on the heels of reports that cyberattacks from the Middle East against US critical infrastructure are on the rise. Asking the EPA to defend national water systems while cutting half its staff is like asking a lifeguard to watch the pool from the parking lot.”
