Critical Infrastructure Security

Federal Grants for Water Utility Cybersecurity: What You Need to Know Before 2026 Expires

By Matt Lucas, Founder | 8 min read

Billions of dollars in federal funding for water and wastewater cybersecurity are set to expire. If your utility has not started the application process, the window is closing fast. Here is a clear breakdown of every major grant program, what they cover, and how to move before the money is gone.

Time-Sensitive

The Infrastructure Investment and Jobs Act (IIJA) bonus funding for water cybersecurity expires in 2026. Once these appropriations lapse, the next funding cycle is uncertain. Utilities that have not applied are running out of time.

Why This Matters Now

Water and wastewater systems across the United States are under active cyberattack. This is not theoretical risk.

In November 2023, Iranian-affiliated hackers compromised the Municipal Water Authority of Aliquippa, Pennsylvania. They accessed a Unitronics programmable logic controller (PLC) used to regulate water pressure. CISA issued an advisory confirming the breach and warning that similar Unitronics devices were being targeted at water facilities nationwide.

In early 2024, a Chinese state-sponsored group known as Volt Typhoon was found embedded in critical infrastructure networks across the country, including water systems. FBI Director Christopher Wray testified that these intrusions were pre-positioned for disruption during a future conflict.

Most small and mid-size water utilities lack dedicated cybersecurity staff. Many run operational technology (OT) systems that were never designed to be connected to the internet. Federal grant programs exist specifically to close this gap, but they require utilities to act.

The Four Major Grant Programs

1. Clean Water State Revolving Fund (CWSRF)

Wastewater Systems

The CWSRF provides low-interest loans and, in many cases, principal forgiveness for wastewater infrastructure projects. Under the IIJA, cybersecurity improvements are explicitly eligible expenses.

What it covers:

  • Network segmentation between IT and OT systems
  • SCADA/ICS security assessments
  • Intrusion detection and monitoring for industrial control systems
  • Incident response planning
  • Staff cybersecurity training

How to apply: Through your state's environmental or water quality agency. Each state administers its own CWSRF program with different deadlines and requirements.

2. Drinking Water State Revolving Fund (DWSRF)

Drinking Water Systems

The drinking water equivalent of CWSRF. The IIJA added $11.7 billion in supplemental DWSRF funding, with a significant portion earmarked for disadvantaged communities that can receive 100% principal forgiveness.

What it covers:

  • Cybersecurity vulnerability assessments
  • Secure remote access implementation
  • Backup and recovery systems for SCADA
  • Physical security upgrades tied to cyber-physical risks
  • Compliance with America's Water Infrastructure Act (AWIA) risk assessments

Key detail: Many small systems (serving under 10,000 people) qualify for additional subsidization, which means grants rather than loans.

3. FEMA Homeland Security Grant Program (HSGP)

State and Urban Area Grants

FEMA's HSGP includes two sub-programs relevant to water utilities: the State Homeland Security Program (SHSP) and the Urban Area Security Initiative (UASI). Both can fund cybersecurity projects for critical infrastructure.

What it covers:

  • Cybersecurity planning and assessments
  • Equipment purchases (firewalls, network monitors, secure PLCs)
  • Training and exercises (tabletop cyber incident exercises)
  • Hiring cybersecurity personnel (time-limited)

How to access: HSGP funds flow through State Administrative Agencies (SAAs). Water utilities typically need to coordinate with their state homeland security office. The utility does not apply directly to FEMA.

Important: FEMA requires that a minimum percentage of HSGP funds go toward cybersecurity. For FY2024, this was 7.5%. States that have not yet met this threshold are actively looking for eligible cybersecurity projects.

4. State and Local Cybersecurity Grant Program (SLCGP)

Dedicated Cyber Funding

Created by the IIJA specifically for cybersecurity, the SLCGP allocated $1 billion over four years for state, local, tribal, and territorial governments to address cyber risks. Water utilities operated by local government entities are eligible.

What it covers:

  • Developing and implementing cybersecurity plans
  • Assessing and mitigating cybersecurity risks and threats
  • Implementing the NIST Cybersecurity Framework
  • Multi-factor authentication, endpoint detection, network monitoring
  • Workforce development and cybersecurity training

Key requirement: States must have a CISA-approved Cybersecurity Plan to receive SLCGP funds. Most states have already submitted these plans. Check with your state's cybersecurity office for eligibility.

Rural priority: At least 25% of SLCGP funds must go to rural areas, and at least 25% must support local governments. Small water utilities in rural counties are strong candidates.

What You Should Do This Month

If your utility has not engaged with these programs yet, here is the priority list.

  1. Get a cybersecurity assessment done. Every grant application is stronger with a documented assessment that identifies specific vulnerabilities. Many programs require one. This is the single most important first step, and it positions you for multiple funding streams at once.
  2. Contact your state revolving fund administrator. Ask specifically about cybersecurity eligibility under CWSRF or DWSRF. Many states have not fully allocated their IIJA supplemental funds.
  3. Reach out to your state homeland security office. Ask about HSGP and SLCGP allocations for water sector cybersecurity. States are required to spend a minimum on cyber, and many are looking for shovel-ready projects.
  4. Document your OT environment. Know what SCADA/ICS systems you run, how they connect to your network, and what remote access exists. This inventory is the foundation for any grant application.
  5. Do not wait for the next fiscal year. IIJA bonus funding has a finite timeline. Once it lapses, the baseline funding levels drop significantly. The utilities that move now get funded. The ones that wait may not.

What a Cybersecurity Assessment Covers

A proper ICS/SCADA cybersecurity assessment for a water utility typically includes:

This deliverable serves double duty: it satisfies grant requirements and gives your utility a concrete action plan to reduce risk.

For Utility Managers

RedEye Security specializes in ICS/SCADA cybersecurity assessments for water and wastewater utilities. Our assessments are designed to support federal grant applications and comply with AWIA requirements. We work with utilities of all sizes, from small rural systems to regional authorities.

Free Scoping Call for Water Utilities

We will review your current security posture, identify which grants you qualify for, and outline a realistic timeline to get funded. 30 minutes, no obligation.


Matt Lucas is the founder of RedEye Security and Etairos. RedEye Security specializes in ICS/SCADA cybersecurity for critical infrastructure, with a focus on water and wastewater systems.