New York Proposes Cybersecurity Regulations for Water Systems

July 23, 2025
The State of New York has released a series of proposed cybersecurity regulations for water and wastewater systems across the state.

Governor Kathy Hochul announced the proposals in a public release on July 22. They contain separate operational technology (OT) security requirements for water management firms from the New York State Department of Health (DOH) and New York State Department of Environmental Conservation (DEC).

In coordination, the New York Department of Public Service (DPS) published proposed information technology security regulations for water-works corporations, other public utilities and cable television companies.

The proposed rules, which are now open for public comment, are designed to bolster the cyber resiliency of critical water systems, amid rising attacks on this sector.

The agencies worked together to align definitions and provisions within each set of requirements and minimize duplicative and conflicting rules.

The regulations are designed to align with relevant guidance issued by federal agencies, including the US Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA).

Alongside the regulations, a new funding program and technical assistance for securing water systems will be established by the Environmental Facilities Corporation (EFC).

Governor Hochul commented: “Cyber-attacks on critical infrastructure can have devastating impacts on communities, and we must act now to defend our water and wastewater systems with the same urgency and rigor we bring to other critical sectors.”

She continued: “These new regulations and grant programs reflect our commitment to protecting public health and safety while helping under-resourced entities modernize for a digital age.”

Public comments will be accepted by the DEC until September 3, 2025, DOH until September 14 and DPS until September 14.

Once adopted, regulated entities will have until January 1, 2027 to comply with DEC and DOH regulations and until January 1, 2026 to comply with PSC regulations.

What the New Requirements Entail

Department of Health (DOH)

The DOH rules apply to community water systems that serve more than 3,300 people, with some specific provisions for systems that serve 50,000 people.

The proposal includes establishing requirements for cybersecurity vulnerability analysis.

The rules also outline baseline requirements for a cybersecurity program. This program must fulfil functions such as meeting regulatory reporting requirements, providing authentication and access management, maintaining a cyber asset inventory, and monitoring and logging network activity.

All applicable water systems must incorporate a cybersecurity incident response plan and report incidents to the DOH within 24 hours. Additionally, they must take a minimum of one hour of cybersecurity training every three years.

Department of Environmental Conservation (DEC) 

The DEC provisions apply to wastewater facilities across the state. They contain several baseline cybersecurity controls, including procedures for access control and authentication consistent with the principle of least privilege.

Other controls relate to password security, multi-factor authentication (MFA) and implementing a cybersecurity vulnerability management process.

Wastewater facilities will also be required to separate OT systems from IT systems.

Incident response plans must be developed, with incidents reported orally to the regional water engineer within 24 hours and a written report within 30 days.

Department of Public Service (DPS) 

The DPS rules apply to all public utility and cable television companies serving 50,000 customers or more.

These organizations must develop a cybersecurity policy which implements measures such as data masking, MFA and access controls. It must also include a plan to respond to and recover from cyber-attacks.

Additionally, covered entities must employ a chief information security officer (CISO) who makes yearly reports to the company’s leadership on the state of cybersecurity preparations.

Rising Threats to the Water Sector 

Experts have highlighted growing cyber risks in the water sector in recent years, with threats ranging from financially motivated groups to disruptive attacks from nation-state groups.

A Semperis report in April 2025 found that over three-fifths of US and UK water and electricity firms were targeted by cyber-attacks in the past year, with a majority suffering serious disruption.

In August 2024, the US Government Accountability Office (GAO) urged the Environmental Protection Agency (EPA) to address cyber risks to water and wastewater systems. The GAO highlighted significant security risks in the sector, including the prevalence of old technologies that are difficult to update with cybersecurity protections and growing connectivity between OT and IT systems.

High-profile incidents impacting water services include an attack on Jersey-based operator American Water in October 2024, which disrupted billing systems.

In September 2024, Arkansas City, Kansas, reported that its water treatment facility experienced a cybersecurity incident, prompting a temporary switch to manual operations.
