New York cyber regulations for water organizations to take effect in 2027

Water and wastewater entities in New York will have to comply with new cybersecurity regulations by the end of the year.

Proposed last July and recently approved, the new rules include mandatory cybersecurity training for certified operators, incident response plans, reporting requirements and a designated cyber lead for larger water utilities. 

To help water organizations meet the new baseline cyber standards, the state created a $2.5 million grant program and is offering technical assistance at no cost. 

Regulated water organizations also would have to create and test response and recovery plans that ensure continued operations in the event of a cyberattack. 

The regulations will apply to community water systems that serve more than 3,300 people, with additional requirements for organizations serving more than 50,000 people.

The grant program was intended to address a key complaint from the water industry that it lacks funding. Unlike other critical infrastructure sectors like electricity, water and wastewater utilities do not make enough of a profit to afford costly cybersecurity tools and services. Water organizations are also reluctant to raise prices on local customers.

Barbara Van Epps, executive director of the New York Conference of Mayors, noted that most water and wastewater systems are run by local governments and that the financial support was key to helping them strengthen cyber defenses. 

Water industry lobbyist groups have previously fought federal efforts to institute cybersecurity regulations, nation-state campaigns from Iran and China targeting the water sector over the last two years have prompted states to take action and better protect the vital resource. 

Michaela Lee, the acting chief cyber officer for New York, said the state could not wait for “stalled federal mandates while cyber threats intensify.” 

She referenced China’s Volt Typhoon campaign as a premier threat affecting New York water systems. Federal cyber investigators continue to find Chinese state hackers breaking into critical infrastructure across the U.S. and taking steps that indicate they are planning for destructive action.

“As the threat environment escalates and we see global adversaries pre-positioning themselves within U.S. critical infrastructure to use our essential services as leverage during a crisis, New York is taking action to ensure municipalities have the roadmap and resources they need to successfully defend themselves from these attacks,” Lee said. 

The state is offering $50,000 for entities to undertake cybersecurity assessments and up to $100,000 for cybersecurity upgrades. 

New York officials noted that they worked with the U.S. Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency to make sure the rules align with federal guidance and do not duplicate existing regulations. 

Lee said the effort is part of a state-wide, sector-by-sector implementation of new cyber standards designed to fortify the state’s critical infrastructure. They started with the financial and healthcare sectors before moving to water and wastewater, she explained. 

“As drinking water infrastructure controls become increasingly digitized, safeguarding these systems is essential,” said James McDonald, commissioner at the New York State Department of Health. 

“These regulations strengthen our defenses, enhance monitoring and ensure public drinking water systems are prepared to respond quickly and effectively to potential incidents.”