State Seeks Public Input on New Reporting Rules and Regulations for Water Sector

New York State has initiated the development of mandatory cybersecurity standards for its water and wastewater systems, a sector that has increasingly become a target for cyber threats. Governor Kathy Hochul announced that the state is seeking public feedback on proposed regulations designed to establish “nation-leading cybersecurity minimum standards.” These measures aim to bolster defenses against rising threats posed by foreign adversaries and cybercriminals.
The draft regulations will primarily affect community water systems serving over 3,300 residents, with specific components aimed at systems servicing at least 50,000 people. Key proposals include a requirement for incident reporting within 24 hours, regular training for personnel, and vulnerability assessments. Wastewater systems are expected to implement access controls, multifactor authentication, and incident response plans, elevating their cybersecurity posture.
In conjunction with these regulations, the state has introduced a $2.5 million cyber grant program named “Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements” (SECURE). This initiative is intended to provide competitive grants for funding risk assessments and other efforts that align with the proposed rules, ensuring that water systems are equipped to strengthen their cybersecurity and maintain continuity in clean water delivery.
Hochul noted that the objective of these new regulations and the grant program is to support “under-resourced entities” in modernizing their cybersecurity practices in this digital age. The proposed guidelines stem from a collaborative effort among various state agencies that includes rules set forth by the Departments of Health and Environmental Conservation, as well as proposals from the Department of Public Service related to utility and cable company cybersecurity.
Concerns regarding cyberattacks on water systems have intensified, particularly following a significant breach at the largest regulated water and wastewater utility in the U.S., affecting over 14 million individuals. While hackers have not yet compromised water quality, the event underscores the existential threats facing an industry historically viewed as secure. The digitization of these critical infrastructures has opened them up to vulnerabilities previously deemed inconceivable.
Experts in the field emphasize that water systems have little alternative but to integrate remote network access, given budget constraints and the need for modern maintenance practices. While the standard approach is to keep operational technology isolated from IT networks, in practice unmonitored connections between the two often develop over time as the technology evolves.
The Biden administration aimed to incorporate cybersecurity into routine safety evaluations for water systems but retracted these plans after legal challenges from several state attorneys general. Industry groups also expressed opposition, leading the EPA to rescind the mandate and instead recommend voluntary cybersecurity reviews at the state level.
As part of New York’s proposed measures, all publicly owned treatment facilities will be required to implement baseline controls consistent with the six core functions outlined in the National Institute of Standards and Technology cybersecurity framework: govern, identify, protect, detect, respond, and recover. Most systems will need to meet stringent cybersecurity requirements by 2027, while utilities regulated by the Public Service Commission must comply by 2026, allowing adequate time for operators to assess risks and build the necessary technical capabilities.
To support local systems in navigating these new requirements, New York plans to expand its community assistance teams and launch a centralized cybersecurity hub offering resources and training. In 2024, the Cybersecurity and Infrastructure Security Agency, in collaboration with the EPA and FBI, provided a guide for water sector incident response, which encourages operators to establish strong cybersecurity standards and enhance information-sharing practices.
Stakeholders and the public are invited to submit comments on these proposed regulations until September 3, 2025, to the Department of Environmental Conservation.