EPA Seeks $19.1 Million Boost to Protect U.S. Water Systems from Cyber Attacks
What would happen if the next cyberattack didn’t target hospitals or pipelines—but your town’s drinking water? That’s not a hypothetical anymore. The Environmental Protection Agency (EPA) just asked for a significant budget bump to harden U.S. water systems before a headline-grabbing breach hits. As reported by ClearanceJobs, the EPA is proposing a $19.1 million increase for its FY2027 Information Security Program, with a laser focus on shoring up drinking water infrastructure against cyber threats.
If you run a municipal utility, work in OT/SCADA security, or simply care that the water flowing from your tap remains safe and reliable, this matters. The sector is sprawling, underfunded, and full of legacy control systems that weren’t designed for today’s cyber adversaries. And those adversaries—often well-resourced nation-states—are probing.
Here’s what the funding request means, where it might go, how it could change cybersecurity baselines for water utilities of all sizes, and what you can do right now to get ahead of it.
The Short Version
- The EPA is asking for a $19.1 million increase in FY2027 to bolster cybersecurity, including grants and technical assistance for drinking water systems.
- The request is $9.6 million more than the FY2026 level and aligns with broader federal priorities around AI, critical infrastructure security, and supply chain risk.
- Expect more help for states, Tribes, and local utilities to upgrade legacy OT/SCADA systems, implement endpoint protection, and strengthen incident response.
- Rising nation-state activity, including Chinese and Russian probing of U.S. critical infrastructure, is accelerating the push to standardize cyber baselines across a fragmented sector.
What’s in the EPA’s FY2027 Cybersecurity Ask?
According to the ClearanceJobs report and public EPA budget framing, the agency’s proposal centers on three goals:
1) Fund resilience where it matters most
– Targeted support for Drinking Water Infrastructure Resilience Grants to upgrade outdated operational technology (OT) and supervisory control and data acquisition (SCADA) systems.
– Direct investments in endpoint protection, network monitoring, and incident response capabilities that reduce dwell time and blast radius.
2) Expand technical assistance across the map
– Increased hands-on help for states, federally recognized Tribes, and local utilities that operate critical water infrastructure.
– Guidance, assessments, playbooks, and training that translate policy into field-ready controls.
3) Align with all-of-government FY27 priorities
– Emphasis on AI-enabled security tooling and governance as federal agencies strengthen defenses.
– Deeper collaboration with partners like the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) to tackle supply chain risks and sector-wide vulnerabilities.
This isn’t just about software licenses. It’s about building a sustainable, repeatable security program that meets real-world constraints in small and mid-sized utilities—staffing, budgets, and 24/7 operational demands.
For background on EPA budget planning, see the agency’s Plan and Budget resources.
Why Water Utilities Are Uniquely Exposed
Water and wastewater utilities face a confluence of cyber risk factors that make them attractive targets:
- Legacy OT/SCADA everywhere: Controllers designed a decade or two ago rarely shipped with modern authentication, encryption, or logging.
- Flat networks: IT and OT environments often share networks, so a compromised business workstation can become a pivot into plant controls.
- Remote access risk: Remote operations, vendor maintenance, and convenience tools create quiet back doors if not strictly managed.
- Tight maintenance windows: You can’t just “patch Tuesday” a chlorine pump or filtration control system in the middle of a treatment cycle.
- Resource constraints: Many utilities serve small populations with thin IT/OT teams and limited security expertise.
We’ve seen how this can go sideways. In 2021, an attacker gained remote access to a water plant in Oldsmar, Florida, and briefly altered chemical levels before an operator reversed the change. The incident showcased both attacker intent and the sector’s operational resilience—but it was also a wake-up call. Read Reuters’ coverage of the Oldsmar intrusion.
And nation-state interest is not theoretical. U.S. officials have warned about Chinese and Russian activity probing critical infrastructure, including water. CISA’s joint advisory on China-linked “Volt Typhoon” operators living off the land in U.S. networks outlines the playbook defenders must anticipate: stealth, persistence, and prepositioning. See CISA’s AA23-144A advisory.
Where the Dollars Would Go (and What Changes on Day One)
If Congress approves the EPA’s request, here’s how utilities could see a near-term benefit:
- Asset inventory and network mapping: The first control in any OT environment is knowing what you have. Grants could fund passive discovery tools to build an authoritative list of PLCs, HMIs, historians, remote I/O, and vendor access paths.
- Endpoint protection for IT and OT-adjacent gear: Modern EDR/XDR on business workstations and engineering laptops reduces the chance of an initial compromise becoming an OT incident.
- OT network visibility and anomaly detection: Network sensors tuned for ICS protocols give operators early warning of suspicious changes, unauthorized commands, or lateral movement.
- Segmentation and secure remote access: Firewalls and industrial DMZs to separate IT and OT, plus zero-trust access and multifactor authentication (MFA) for vendors and operators.
- Incident response readiness: Runbooks, tabletop exercises, and 24/7 monitoring support. Many utilities will opt for managed detection and response (MDR) to fill staffing gaps.
- Backups and recovery: Immutable backups for critical engineering workstations and configurations, with regular restoration tests to validate recovery time objectives.
- Training and phishing resilience: Human error remains a leading factor in intrusions. Funding helps deliver role-based training for operators, engineers, and administrative staff.
- Supply chain risk management: Stronger procurement language, vendor risk assessments, and validation of firmware/software integrity for critical control components.
Expect EPA to coordinate these investments with CISA’s free services and guidance, including the Cross-Sector Cybersecurity Performance Goals (CPGs) and ICS-specific resources at CISA ICS.
The AI and Automation Angle in FY27
The EPA’s budget framing aligns with broader government priorities around responsible AI and critical infrastructure security. In practice, that likely means:
- AI-assisted detection and triage: Using machine learning to flag anomalies in mixed IT/OT environments faster, with fewer false positives.
- Workflow automation: Streamlining patch prioritization, alert routing, and response playbooks.
- Governance and risk management: Ensuring any AI used in safety-critical contexts is explainable, well-scoped, and audited.
If your utility explores AI for security operations, anchor your approach in recognized frameworks like NIST’s AI Risk Management Framework and ensure tight human-in-the-loop oversight—especially anywhere near process control.
How Federal Partners Will Amplify Impact
EPA’s cyber push won’t exist in a vacuum. Anticipate expanded touchpoints with:
- CISA: No-cost assessments, scanning, and sector guidance for water/wastewater utilities. Explore the Water and Wastewater Systems Sector portal and the Ransomware Vulnerability Warning Pilot.
- DHS and FBI: Intelligence sharing, incident response support, and coordinated advisories on active threats.
- WaterISAC: Sector-specific threat intel and the widely referenced 15 Cybersecurity Fundamentals.
- AWWA: Practical controls and tools tailored to utility realities—see AWWA’s Cybersecurity Guidance.
- NIST: The updated Cybersecurity Framework 2.0 to align baselines and measure maturity.
Together, these partners can help utilities translate new funding into measurable reductions in risk.
A Practical 12-Month Roadmap for Any Water Utility
Whether you expect to apply for grants or not, here’s a one-year plan to harden your environment:
Quarter 1: Establish the foundation
– Build an authoritative asset inventory across IT and OT (passive discovery where possible).
– Enforce MFA for all remote access; remove unsupported remote tools.
– Backups: Create immutable, offline backups of critical systems; test restoration.
– Quick wins: Disable default credentials, remove shared accounts, lock down vendor access.
Quarter 2: Contain and detect
– Implement IT/OT network segmentation with an industrial DMZ; restrict lateral movement.
– Deploy EDR/XDR on all Windows endpoints, especially engineering workstations.
– Add OT network monitoring for ICS protocols; baseline normal traffic.
– Centralize logging (SIEM or MDR) for visibility and alerting.
Quarter 3: Prepare to respond
– Write incident response runbooks that include OT isolation and fail-safe procedures.
– Conduct a ransomware tabletop exercise with plant operators and leadership.
– Patch management: Prioritize internet-facing systems and high-risk OT where vendor-approved.
– Implement privileged access management and just-in-time vendor access.
Quarter 4: Prove resilience
– Conduct a backup-and-restore drill of a critical engineering workstation.
– Validate recovery time objectives for key processes; refine contingency plans.
– Run a red team or purple team exercise focused on OT pivot paths.
– Review supply chain risks; update procurement language and vendor SLAs.
Keep improvements modest, repeatable, and measurable. Complexity is the enemy of reliability in safety-critical environments.
Grant Readiness: What to Prepare Before You Apply
If you plan to seek EPA support, line up your documentation now to accelerate approval and execution:
- Current-state assessment: Asset inventory, network diagrams, risk register, and gaps against frameworks like NIST CSF or CISA CPGs.
- Clear scope: Define the systems, sites, or processes to be secured and why.
- Budget with milestones: Hardware, software, services, training, and O&M costs over 3–5 years.
- Outcome metrics: Dwell time reduction, MFA coverage, segmentation completeness, backup restore time, percentage of managed endpoints.
- Partner roles: Internal stakeholders, external integrators, and any shared services (regional SOC, managed OT monitoring).
- Compliance mapping: Show alignment to NIST CSF 2.0, WaterISAC fundamentals, and relevant state requirements.
- Sustainment plan: Who operates and maintains the solution after year one?
- Letters of support: From local leadership, neighboring utilities (for regional projects), state primacy agencies, or Tribal councils.
For context on water infrastructure funding programs more broadly, review EPA’s Water Infrastructure hub and the Drinking Water State Revolving Fund.
Building Standardized Cybersecurity Baselines
The EPA’s request hints at a longer-term goal: raising and standardizing cybersecurity baselines across a highly fragmented sector. That doesn’t mean every utility becomes a mini SOC. It does mean common, evidence-based controls everywhere:
- Identity: MFA and least privilege for all remote and administrative access.
- Network: Segmentation between IT and OT with controlled, monitored conduits.
- Visibility: Centralized logging and OT-aware network monitoring.
- Resilience: Tested backups and defined recovery playbooks.
- Governance: Regular risk assessments and executive accountability for cyber risk.
- Training: Role-based training for operators, engineers, and admins.
Alignment with frameworks will help utilities show (and measure) progress against a recognized yardstick. Start with NIST’s Cybersecurity Framework 2.0, CISA’s CPGs, and AWWA/WaterISAC guidance.
Don’t Forget Supply Chain Security
Water treatment relies on a layered supply chain: chemical suppliers, integrators, OEMs, cloud portals, and remote service vendors. Attackers know this. Build supply chain risk management (SCRM) into your program:
- Vendor access: Require MFA, session recording, and time-bound access for all third parties.
- Contract language: Mandate security controls, timely vulnerability notifications, and incident cooperation.
- Firmware/software integrity: Validate signatures and provenance for critical updates.
- Sub-tier visibility: Understand who your vendors depend on for key components.
For federal guidance and tools, see CISA’s Supply Chain Integrity resources.
Common Pitfalls (and How to Avoid Them)
- Buying tools without operators: Don’t deploy EDR or OT sensors without staff or an MDR partner to watch the alerts.
- Ignoring OT inventory: You can’t defend what you can’t see—inventory is not optional.
- Flat networks forever: Segmentation fatigue is real, but it’s the difference between nuisance and catastrophe.
- Default credentials and shared accounts: Attackers love them; auditors find them. Remove both.
- Untested backups: If you haven’t restored it, you don’t really have it.
- Shadow remote access: Eliminate legacy remote tools and unmanaged vendor tunnels.
- Big-bang rip-and-replace: Aim for iterative hardening—minimize downtime and operational risk.
What to Watch Next
- Budget milestones: Follow House and Senate appropriations activity to see what makes it into the final FY2027 package.
- EPA program guidance: Expect formal details on eligibility, timelines, and technical priorities if funding is approved.
- CIRCIA reporting: CISA is finalizing rules for critical infrastructure cyber incident reporting under CIRCIA—watch the CIRCIA page for updates and plan workflows accordingly.
- Sector advisories: Track CISA and WaterISAC alerts for evolving TTPs targeting water utilities.
- AI governance: Look for federal AI guidance specific to safety-critical and OT contexts.
FAQs
Q: Who is likely eligible for EPA cybersecurity support?
A: Details depend on final appropriations and program guidance, but expect focus on drinking water systems operated by states, Tribes, and local utilities—the entities responsible for critical public water infrastructure.
Q: How is OT/SCADA security different from IT security?
A: OT prioritizes safety and process continuity. Patching and reboots must align with plant operations; changes can affect physical processes. Controls should be vendor-approved and deployed with extreme care. Visibility and segmentation are critical, but availability and safety trump convenience.
Q: What is a cyber maturity assessment, and do we need one?
A: It’s a structured review of your program (policies, controls, detection, response) against frameworks like NIST CSF 2.0 or CISA’s CPGs. It helps prioritize investments and show progress over time. If you plan to apply for grants, an assessment will strengthen your case.
Q: We’re a small utility. Do we really need a 24/7 SOC?
A: Not necessarily. Many small and mid-sized utilities use managed detection and response (MDR) for continuous monitoring, paired with clear incident runbooks and local escalation procedures.
Q: How do we segment IT and OT without disrupting operations?
A: Start with read-only visibility and well-defined conduits (industrial DMZ). Use firewalls with allow-lists, brokered data flows (e.g., historians), and vendor-approved access methods. Pilot during low-demand windows and document rollback steps.
Q: What about regulatory mandates—are we required to report cyber incidents?
A: Federal incident reporting rules for critical infrastructure under CIRCIA are being finalized by CISA. Monitor the CIRCIA page and coordinate with state primacy agencies for sector-specific requirements.
Q: Is $19.1 million enough to secure the water sector?
A: No single line item can cover a nationwide, highly decentralized sector. But targeted funding—paired with standards, technical assistance, and federal coordination—can drive outsized impact by accelerating the highest-value controls where they’re needed most.
Q: Where can we find sector-specific best practices right now?
A: Start with WaterISAC’s 15 Cybersecurity Fundamentals, AWWA’s Cybersecurity Guidance, and CISA’s Water and Wastewater Systems Sector resources.
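The conduit allow-list idea from the segmentation answer above (and from Quarter 2 of the roadmap) can be checked against flow records before and after a change. This is an added example, not code from the EPA or any source the article cites; the zone ranges, conduit entries, and flow lines are constructed for illustration.

```python
import ipaddress

# Constructed zone plan (assumption): addresses are illustrative only.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Allow-listed conduits: (source net, destination net, protocol, dest port).
CONDUITS = [
    ("10.30.0.0/16", "10.20.0.10/32", "tcp", 443),   # OT pushes to historian replica
    ("10.10.0.0/16", "10.20.0.10/32", "tcp", 443),   # IT reads the replica
    ("10.20.0.20/32", "10.30.1.9/32", "tcp", 3389),  # jump host to engineering workstation
]

# Constructed flow records: "src dst proto dst_port", one per line.
SAMPLE_FLOWS = """\
10.30.1.5 10.20.0.10 tcp 443
10.10.4.22 10.20.0.10 tcp 443
10.20.0.20 10.30.1.9 tcp 3389
10.10.4.22 10.10.4.1 udp 53
10.10.4.22 10.30.1.5 tcp 502
10.20.0.10 10.30.1.5 tcp 502
203.0.113.7 10.30.1.5 tcp 5900
"""

def zone_of(ip):
    """Map an address to its zone name, or EXTERNAL if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def on_allow_list(src, dst, proto, port):
    """True if the flow matches a documented conduit exactly."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(cs) and d in ipaddress.ip_network(cd)
        and proto == cp and port == cport
        for cs, cd, cp, cport in CONDUITS
    )

def audit(flow_text):
    """Return (flow, reason) for every cross-zone flow not on the allow-list."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or on_allow_list(src, dst, proto, int(port)):
            continue  # intra-zone traffic is out of scope; conduits are expected
        if "EXTERNAL" in (sz, dz) and "OT" in (sz, dz):
            reason = "OT exchanging traffic with an address outside the zone plan"
        elif {sz, dz} == {"IT", "OT"}:
            reason = "direct IT/OT flow bypasses the industrial DMZ"
        else:
            reason = "cross-zone flow not on the conduit allow-list"
        findings.append((line, reason))
    return findings
```

Running `audit` on a baseline capture taken during a low-demand window gives the list of flows that a new firewall allow-list would block, which is the input for the rollback plan.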
The Bottom Line
The EPA’s requested $19.1 million boost for FY2027 is a proactive step to secure the nation’s drinking water against modern cyber threats. It signals a shift from emergency response to sustained resilience—funding practical defenses like segmentation, endpoint protection, incident response, and training while helping utilities upgrade legacy OT/SCADA systems safely.
But funding alone isn’t the win. The win is transforming that funding into measurable risk reduction: fewer flat networks, fewer default credentials, faster detection, tested backups, and clear playbooks that keep clean water flowing no matter what an adversary throws at you.
Don’t wait for the final budget to start. Build your asset inventory, lock down remote access, test restores, and draft your runbooks. Then be ready to scale with grants and federal support as they come online. The safest water systems in 2027 will be those that started hardening in 2026.
