The Newtown Creek Wastewater Resource Recovery Facility will likely be impacted by cybersecurity regulations proposed for New York state. Credit: Bee Collins / Flickr

New York unveils new cyber regulations, $2.5 million grant program for water systems

Water and wastewater entities in New York will soon have access to a new $2.5 million grant program to help them mitigate the costs of forthcoming cybersecurity regulations. 

On Tuesday, state officials announced the new funding pool alongside the proposed regulations, which would require regulated water and wastewater systems to establish cybersecurity programs, conduct risk assessments and implement technical safeguards to prevent and respond to cyberattacks.

Regulated water organizations also would have to create and test response and recovery plans that ensure continued operations in the event of a cyberattack. The regulations would apply to community water systems that serve more than 3,300 people, with additional requirements for organizations serving more than 50,000 people. 

Multiple New York state agencies will accept public comments on the rules until September and then regulated entities will have until the start of 2027 to comply with the finalized regulations. Officials did not say when the grant program will open for applications but the $2.5 million pool is listed in the state’s budget for fiscal 2026. 

Gov. Kathy Hochul said the state was forced to act because cyberattacks on critical infrastructure can “have devastating impacts on communities.”

“These new regulations and grant program reflect our commitment to protecting public health and safety while helping under-resourced entities modernize for a digital age,” she said in a statement. 

The grant program will offer funding to cover cybersecurity risk assessments and other measures to help water organizations comply with the proposed regulations. 

The governor’s office said the regulations are “threat-informed, risk-centric, and cost-balanced minimum standards.”

Hochul ordered agencies at the start of this year to coordinate a plan to develop and fund the cybersecurity measures. The Democrat has made cybersecurity a priority during her tenure as governor, empowering the state’s attorney general to go after organizations that allowed breaches to occur and passing legislation to protect the state’s energy grid and hospitals from cyberthreats. 

The agencies sought to minimize duplicative regulations and streamline rules — aligning them with guidance released by federal regulators at the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA).

Nuts and bolts

After auditing municipalities over the last five years, the New York State Comptroller determined that the cyber maturity of the water sector is low — a conclusion that reflects assessments on the national level by the EPA. 

As more community water systems adopt technology and adversaries outpace the water sector’s cybersecurity defenses, the threat landscape has become more volatile, officials said. There have been several ransomware attacks and nation-state campaigns targeting the water industry, including one launched by Iranian cyber groups in 2023 and 2024.  

According to the proposed regulations, 318 publicly owned water systems in the state serve more than 3,300 people, with 37 of those water systems serving a combined population of greater than 50,000. 

For those between 3,300 and 50,000, the rules include:

  • Mandated reporting of cyber incidents to the Department of Health within 24 hours
  • Annual vulnerability analysis 
  • Compliance with a state-run cybersecurity program
  • An incident response plan
  • Training for water operations staff on cybersecurity
  • A requirement that certified operators complete cybersecurity training for new certifications and renewal certifications

Systems serving more than 50,000 people will have the same rules but will also need to have an executive on staff tasked with implementing cybersecurity programs and monitoring network activity for cyber incidents.  

The rule notes there are exemptions for covered water systems that do not have physical or logical connections between operational technology and information technology or external networks, as well as for covered water systems at low risk of public health consequences related to a cybersecurity incident.

Potential costs

Officials estimate that under the proposed rules cybersecurity will cost up to $150,000 per year for entities serving between 3,300 and 50,000 people, and as much as $5 million per year for larger suppliers. 

Some required tasks, like cyber asset inventory, will also be costly for water systems. State officials said an inventory would cost up to about $25,000 for smaller entities and may reach $135,000 for larger ones. 

The systems used to log activity that will be necessary for larger systems will cost up to $54,000.

While the state believes the grants, in addition to free or low-cost services, will help cover some of these costs, officials admitted the funding “will likely not cover the full costs of these cybersecurity programs, and the remaining costs of these changes or upgrades, if any, may be borne by ratepayers or taxpayers depending on the size and/or complexity of the covered water system and their existing cybersecurity program.”

State officials held “engagement sessions” this year with local water authorities across New York as well as the American Water Works Association, the NYS American Water Works Association, the NY Rural Water Association and others.

Most water systems were supportive of the regulatory requirements, according to state officials, because many have already implemented some of the measures listed. As expected, several water utilities raised concerns about the costs and the additional workload for already-strapped employees.

The effort in New York comes at a particularly pivotal time for public sector cybersecurity as the new Trump administration has signaled a desire to step back from helping states’ critical infrastructure entities manage cyberthreats. 

Past efforts by the Biden administration to force water entities to comply with baseline cybersecurity regulations were shot down by lawsuits from the American Water Works Association (AWWA), Republican lawmakers and other industry groups. 

Kevin Morley, an official at the AWWA, declined to comment on the proposed rule in New York but claimed that their legal efforts to stop past federal cybersecurity regulation were centered around technicalities and disputes over the process used to enact the regulations. 

When asked whether New York is worried about similar lawsuits from the water industry, Colin Ahern — the state’s first ever chief cyber officer — told Recorded Future News that the rules are in accordance with past New York legislation, which he said “provides clear, consistent procedures for rulemaking, including public comment periods that allow for stakeholder feedback.” 

“Each agency will ensure that all public comments submitted in response to the proposed rules are thoroughly reviewed and addressed before they are finalized, to ensure that the Governor's vision for a safer New York is realized,” he said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.