Regulation

Ever Upward: New York State proposes 'nation-leading cybersecurity minimum standards' for the water sector

July 30, 2025

New York State has begun the process of mandating baseline cybersecurity standards for water and wastewater systems as it continues to issue enforceable regulations that fill a gap where national federal standards do not yet exist.

Governor Kathy Hochul announced the proposed Wastewater Cybersecurity Rules that will set out "nation-leading" minimum requirements for water sector operators alongside a $2.5m grant programme named Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements (SECURE). She stated:

“Cyber attacks on critical infrastructure can have devastating impacts on communities, and we must act now to defend our water and wastewater systems with the same urgency and rigor we bring to other critical sectors.”

A New York State of mind

New York has several leading cybersecurity laws and regulations, notably the SHIELD Act and the NYDFS Cybersecurity Regulation.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act focuses on data breach notification and security requirements for businesses handling the private information of New York residents. The NYDFS Cybersecurity Regulation applies to financial institutions regulated by the New York Department of Financial Services, requiring them to establish comprehensive cybersecurity programmes and setting out specific, structured control requirements.

New legislation has also recently set out cybersecurity requirements for municipal corporations and public authorities.

Despite known targeting of critical water infrastructure by APT threat actors, the sector currently relies on voluntary engagement with the EPA as the Sector-Specific Agency charged with ensuring that operators are prepared for any hazard, including cyber risks.

Previous efforts to integrate cybersecurity into routine water system safety assessments under the Safe Drinking Water Act (SDWA) and related directives failed after states pushed back on Federal laws citing cost implications.

Protecting CNI

Nitin Natarajan, Deputy Director of CISA, previously described the water sector as being "under continuous threat by nation-state cyber adversaries and cybercriminal organizations around the globe", but also noted that many operators are "target-rich, cyber-poor."

A cyberattack on U.S. drinking water and wastewater systems could potentially produce drinking water with unsafe levels of bacteria or chemicals, but gaining traction on securing increasingly automated plants is a large and complex challenge.

With nearly 50,000 water systems across the United States and more than 16,000 publicly owned wastewater treatment systems, the sector comprises a diverse network of owners and operators ranging from municipal authorities to private entities, which makes it harder to apply universal cybersecurity standards and regulations.

In 2024, a review by the U.S. Government Accountability Office (GAO) found that, despite efforts by leading security agencies under the 2022 100-day surge and follow-on activities, the sector faced increasing cybersecurity-related risk from nation-state actors and many systems remained vulnerable.

The GAO's analysis flagged workforce skill gaps, aging technology and the voluntary nature of improvements to system security. This is where New York has taken up the baton with its proposed cybersecurity standards.

Setting out minimum standards

Under the Proposed Amendments to introduce Wastewater Cybersecurity Rules, regulated water and wastewater systems will be required to:

  • Evaluate risks via a cyber vulnerability assessment (CVA)
  • Deploy cybersecurity controls including training of staff
  • Implement network monitoring and logging
  • Develop and maintain response and recovery plans to support continuity of operations
  • Report cybersecurity incidents within 24 hours

The requirements are based on the size of the operation and number of customers but may still prove painful for smaller organisations.

Patrick Miller of Ampyx Cyber estimates that additional cybersecurity compliance costs could range between $150,000 and $5 million annually to meet the New York baseline standard. Overall, however, he regards the move to regulating the sector as "a welcome shift" and expects other states to follow.

He concludes:

This rule is likely just the beginning. In the absence of a national cybersecurity standard for water systems (after the EPA’s rule was pulled back), states are stepping into the void. New York is setting a precedent that could easily spread to other states facing similar risks and similar political will.
