In a significant move to strengthen critical infrastructure, the State of New York has released a set of proposed cybersecurity regulations aimed at safeguarding water and wastewater systems. These draft rules are now open for public comment and represent a coordinated effort among several state agencies to increase cyber resilience across utility sectors.
The proposals, jointly issued by the New York State Department of Health (DOH) and the Department of Environmental Conservation (DEC), establish minimum cybersecurity standards for water infrastructure. Their focus is on protecting operational systems from the growing threat of sophisticated cyberattacks.
Additionally, the Department of Public Service (DPS) has introduced complementary cybersecurity measures for waterworks corporations, cable TV providers, and other public utilities. These proposals are supported by a new grant program from the Environmental Facilities Corporation (EFC), which will also offer technical guidance to utilities.
The DOH, DEC, and EFC collaborated to align terminology and ensure regulatory consistency. The regulations also draw from established federal cybersecurity frameworks, particularly those from the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA), to address both information technology (IT) and operational technology (OT) vulnerabilities.
Key Requirements in the Proposed Regulations
Under the proposed guidelines, water and wastewater facilities will need to:
- Implement robust cybersecurity controls
- Monitor and log network activity effectively
- Assess cybersecurity risks across their systems
- Maintain comprehensive incident response plans
- Report cybersecurity incidents promptly
- Provide mandatory cybersecurity training for certified wastewater operators
The draft regulations are available on the DEC’s official website, and public feedback is encouraged. The deadline for submitting comments is September 3, 2025, for the DEC proposals, and September 14, 2025, for the DOH and PSC rules.
If adopted, the timeline for compliance will vary:
- Utilities must comply with DOH and DEC regulations (focused on OT) by January 1, 2027.
- Compliance with PSC regulations (focused on IT) is required by January 1, 2026.

The DEC emphasized the importance of these new tools and training resources, stating that they will streamline access to sector-specific cybersecurity guidance. Facilities are also urged to take advantage of state and federal offerings, including free cyber risk assessments and training programs.
Cyberattacks on water infrastructure have increased in recent years, highlighting the urgent need for enhanced protections. The U.S. government has responded by launching initiatives aimed at bolstering the cybersecurity posture of utilities.
“Cyberattacks targeting critical infrastructure can cause serious harm to our communities. It’s essential that we approach the defense of water systems with the same urgency as other vital sectors,” said Governor Kathy Hochul. “These new regulations and grant programs demonstrate our commitment to public health and safety while helping underfunded facilities modernize for a digital future.”
Source: https://www.securityweek.com/new-york-seeking-public-opinion-on-water-systems-cyber-regulations