New York Moves to Strengthen Water System Cybersecurity

Summary
– New York has proposed new cybersecurity regulations for water and wastewater systems, including separate OT security requirements from DOH and DEC, and IT security rules from DPS.
– The regulations aim to enhance cyber resiliency amid rising attacks, align with federal guidance, and include a new funding program for water system security.
– DOH rules require vulnerability analysis, cybersecurity programs, incident response plans, and training for water systems serving over 3,300 people, with stricter provisions for larger systems.
– DEC rules mandate baseline controls like access management, MFA, and OT/IT separation for wastewater facilities, plus incident reporting within 24 hours.
– DPS rules apply to utilities and cable companies serving 50,000+ customers, requiring cybersecurity policies, a CISO, and annual reporting on preparedness.

New York is taking decisive action to protect its water infrastructure from growing cyber threats with comprehensive new security regulations. The state has introduced a coordinated set of proposed rules aimed at strengthening defenses for water and wastewater systems, addressing vulnerabilities that could disrupt essential services.
Governor Kathy Hochul unveiled the initiative, which involves separate but aligned cybersecurity requirements from three key agencies: the New York State Department of Health (DOH), the Department of Environmental Conservation (DEC), and the Department of Public Service (DPS). These regulations target different segments of the water sector, ensuring a unified approach to safeguarding critical infrastructure.
The proposed rules, now open for public feedback, emphasize cyber resilience by mandating measures such as vulnerability assessments, incident response plans, and workforce training. They also align with federal guidelines from agencies like the EPA and CISA, reinforcing a national security framework.
To support implementation, the Environmental Facilities Corporation (EFC) will provide funding and technical assistance, particularly for smaller or under-resourced utilities. Governor Hochul stressed the urgency of these measures, stating, “Cyber threats to our water systems pose real dangers to public health and safety, we must act with the same vigilance as we do for other critical infrastructure.”
The EPA and GAO have repeatedly warned about outdated technology and insufficient protections in water infrastructure. New York’s proactive stance sets a precedent for other states to follow, ensuring resilience against both criminal and state-sponsored threats.
Public comments on the proposals will be accepted through September 2025, with compliance deadlines extending into 2026 and 2027. The move underscores New York’s commitment to modernizing critical infrastructure security before threats escalate further.
(Source: InfoSecurity)