In response to escalating cyber threats targeting critical infrastructure, New York State has unveiled proposed regulations aimed at bolstering the cybersecurity of its water and wastewater systems. The New York State Department of Health (DOH) and the Department of Environmental Conservation (DEC) have collaboratively developed these proposals, which are now open for public comment. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
Key Provisions of the Proposed Regulations:
1. Risk Assessment and Cybersecurity Controls: Water and wastewater utilities will be mandated to conduct comprehensive risk assessments and implement robust cybersecurity measures to safeguard their operational technology (OT) and information technology (IT) environments. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
2. Incident Response and Reporting: Utilities must establish and maintain incident response plans to ensure operational continuity during cyber incidents. Additionally, they are required to report cybersecurity incidents promptly to the relevant state authorities. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
3. Network Monitoring and Logging: For larger systems, efficient network monitoring and logging mechanisms are to be implemented to detect and respond to potential cyber threats effectively. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
4. Mandatory Cybersecurity Training: Certified wastewater operators will be required to undergo mandatory cybersecurity training to enhance their ability to prevent and respond to cyber threats. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
Grant Program and Technical Assistance:
To support the implementation of these regulations, the Environmental Facilities Corporation (EFC) has introduced the Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements (SECURE) grant program. This initiative allocates $2.5 million to assist water and wastewater utilities in conducting cybersecurity risk assessments and implementing necessary security measures. ([its.ny.gov](https://its.ny.gov/news/governor-hochul-announces-new-nation-leading-cybersecurity-regulations-launches-grant-program?utm_source=openai))
Alignment with Federal Guidelines:
The proposed regulations are designed to align with guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA). This alignment ensures consistency with federal standards and addresses the increasing cyber threats to critical infrastructure. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
Public Participation and Compliance Timeline:
The DEC has published the proposed documents on its website, inviting public comments until September 3, 2025. The DOH and the Public Service Commission (PSC) will accept feedback until September 14, 2025. Once adopted, regulated entities will have until January 1, 2027, to comply with the DEC and DOH regulations focused on operational technology, and until January 1, 2026, to comply with PSC regulations focused on information technology. ([securityweek.com](https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations/?utm_source=openai))
Context and Rationale:
The water sector has increasingly become a target for cyberattacks, with incidents posing significant risks to public health and safety. A 2023 audit by the New York State Comptroller’s office revealed that many large water systems had outdated vulnerability assessments and emergency response plans, highlighting the need for enhanced cybersecurity measures. ([spectrumlocalnews.com](https://spectrumlocalnews.com/nys/central-ny/ny-state-of-politics/2023/06/28/audit-finds-new-york-can-do-more-to-guard-water-systems?utm_source=openai))
Governor Kathy Hochul emphasized the urgency of these measures, stating, Cyberattacks on critical infrastructure can have devastating impacts on communities, and we must act now to defend our water and wastewater systems with the same urgency and rigor we bring to other critical sectors. ([its.ny.gov](https://its.ny.gov/news/governor-hochul-announces-new-nation-leading-cybersecurity-regulations-launches-grant-program?utm_source=openai))
National Perspective:
The EPA has also recognized the vulnerability of public water systems to cyber threats. In March 2023, the agency released a memorandum stressing the need for states to assess cybersecurity risks at drinking water systems to protect public health. The EPA’s action underscores the national importance of securing water infrastructure against cyber threats. ([epa.gov](https://www.epa.gov/newsreleases/epa-takes-action-improve-cybersecurity-resilience-public-water-systems?utm_source=openai))
Conclusion:
New York’s proactive approach to enhancing the cybersecurity of its water and wastewater systems reflects a broader commitment to protecting critical infrastructure from evolving cyber threats. By seeking public input and providing financial support through the SECURE grant program, the state aims to foster a collaborative effort to safeguard public health and safety.
