New York is proposing new cybersecurity regulations for its water and wastewater systems, paired with a US$2.5 million grant program to help offset compliance costs. The initiative would require public water systems to adopt enforceable cybersecurity measures, including formal security programs, risk assessments, and technical safeguards to defend against cyberattacks. The grant is intended to help utilities meet these new obligations and strengthen the security of the state’s water infrastructure.

As part of Governor Kathy Hochul’s 2025 State of the State agenda, the Department of Health was directed to implement enforceable cybersecurity standards for New York’s public water systems. Acting under its authority, the Department proposed new regulations targeting community water systems serving more than 3,300 residents.

The cybersecurity regulations aim to ensure that water systems can continue to supply water to their customers during an emergency by analyzing vulnerabilities and preparing emergency response plans in advance. The emergency conditions that water systems are required to consider have expanded over the years to include terrorist attacks and cybersecurity incidents, in addition to natural hazards.

As part of the proposed rulemaking, New York calls upon larger systems to appoint a qualified executive to oversee their cybersecurity program. It also requires covered water systems to assess the vulnerability of their OT (operational technology) and nonpublic information to cybersecurity incidents that could impact or limit a covered water system’s ability to comply with the requirements.

It further sets out the baseline requirements for a cybersecurity program, which must be designed to fulfill statutory and regulatory reporting obligations; provide authentication and access management; maintain a cyber asset inventory; implement defensive architecture to protect OT and nonpublic information from unauthorized access; identify and assess risk for OT and nonpublic information handling; monitor and log network activity for water systems serving a population of greater than 50,000; implement response protocols for breach incidents; and recover from cybersecurity incidents.

The regulations also address training, mandating that all water operators complete at least one hour of cybersecurity training every three years. They require water systems to integrate a cybersecurity incident response plan into their broader emergency plans, and they require that any cybersecurity incident be reported to the Department of Health within 24 hours; the rule also addresses confidentiality and severability. Together, these provisions aim to strengthen the digital defenses of New York’s public water infrastructure and create a consistent security baseline, particularly for larger systems at greater risk of cyber threats.

“As community water systems increase usage of computer-enabled and internet-connected systems, their potential vulnerability to attack increases, as does the attendant risk of public water supply contamination,” the document outlined. “Without effective cybersecurity controls implemented, community water systems may unintentionally increase their risks to disruptive cybersecurity attacks.” 

It added that “As geopolitical conflicts escalate, the threat landscape for the water sector becomes more volatile. U.S. adversaries are outpacing the U.S. water sector’s current cybersecurity defenses. Publicly reported cybersecurity incidents in the water sector as well as the U.S. intelligence community illustrate that adversaries are well-resourced to carry out disruptive cybersecurity attacks against the water and wastewater systems across the U.S.”

The proposed rule addresses sector-specific cybersecurity concerns by establishing risk-based baseline cybersecurity requirements. Specifically, community water systems that serve more than 3,300 people will be required to conduct a cybersecurity vulnerability analysis (CVA) at least annually, and within 30 days of major infrastructure changes; establish a cybersecurity program informed by the CVA; create a cybersecurity incident response plan; report cybersecurity incidents to the Department of Health within 24 hours; train certified water operations staff on cybersecurity hygiene; and report vulnerabilities that may impact or limit a covered water system’s ability to comply with the Department’s requirements within 48 hours of identification.

Additionally, certified operators will be required to complete cybersecurity training approved by the Department for new certifications and renewal certifications. This rule will primarily impact local governments since 318 public water systems that serve more than 3,300 people are owned by local governments, with 37 of those water systems serving a combined wholesale and retail population of greater than 50,000. 

Water systems serving a combined wholesale and retail population of greater than 50,000 will be subject to the same requirements, with additional requirements to designate a qualified executive to implement a cybersecurity program and monitor and log network activities in order to detect cybersecurity incidents. A covered water system that has neither physical nor logical connections between OT and IT or external networks is exempt from the cybersecurity requirements. 

New York is making funding available to support the water and wastewater sector, including hundreds of millions of dollars in infrastructure grants targeting public health priorities. The $2.5 million cybersecurity grant program, administered by the Environmental Facilities Corporation, will help eligible entities meet the new regulatory requirements. Some no- or low-cost cybersecurity services may also be available to utilities. However, the available funding is unlikely to fully cover the cost of implementing these programs. Any remaining expenses may fall to ratepayers or taxpayers, depending on the size, complexity, and current cybersecurity posture of each covered water system.

The document said that “Because of the wide range of technologies used at community water systems throughout the State, this proposed program uses a flexible regulatory model where covered water suppliers are required to obtain the expertise needed and make changes in accordance with their cybersecurity vulnerability analysis (CVA), either by hiring employees, contracting with cybersecurity experts, or leveraging no and low cost services to improve their cyber posture and implementing baseline cybersecurity controls.”

The Department noted that most water systems supported the proposed cybersecurity regulations and many had already taken steps to strengthen their defenses. However, utilities raised concerns about the financial burden and increased workload, especially as the sector faces a wave of new mandates, including the Consumer Confidence Rule, federal limits on PFAS chemicals, and revised lead-in-drinking-water standards. Stakeholders warned that managing four major regulatory changes at once could stretch resources beyond capacity and jeopardize compliance.

Patrick Miller, president and CEO at Ampyx Cyber, wrote in a company blog post that “New York isn’t just regulating cyber risk in the water sector—they’re trying to operationalize it. That’s a direction worth following, and one that deserves real investment and support from both public and private partners.”

He observed that the proposed regulation is loosely aligned with the NIST Cybersecurity Framework (CSF), especially its Identify, Protect, Detect, and Respond categories; with NIST SP 800-53 and SP 800-82, since it references similar controls such as access, monitoring, and incident response, though without strict one-to-one mappings; and with the DHS Cyber Performance Goals (CPGs) and the EU NIS2 Directive, with which it shares core principles such as executive accountability, mandatory incident reporting, and risk-based technical controls for essential service providers.

Miller noted several potential points of contention where debate may arise over the proposed regulation. One concern is the cost burden on smaller utilities. While the state’s grant program offers some support, much of the financial responsibility, particularly for capital-intensive upgrades like network monitoring or system segmentation, is likely to fall on ratepayers or local government budgets.

Another issue he noted is the speed of implementation. The timeline, which calls for full compliance by early 2027, is considered aggressive by infrastructure standards and may be difficult for many systems to meet. Workforce readiness is also a concern. Requiring utilities to designate cybersecurity leads and provide training for operators could strain already limited staffing, especially in rural communities with fewer resources.

Finally, Miller said that there’s the potential for regulatory overlap. In the absence of a unified federal approach from agencies like the EPA or CISA, water systems could face conflicting or redundant requirements, leading to confusion or regulatory fatigue.

“This rule is likely just the beginning. In the absence of a national cybersecurity standard for water systems (after the EPA’s rule was pulled back), states are stepping into the void,” Miller wrote. “New York is setting a precedent that could easily spread to other states facing similar risks and similar political will. For operators, owners, and engineering teams: compliance will not be a one-time event.” 

He added that this regulation hints at a continuous model of governance, risk management, and system improvement. “And that’s a welcome shift. But only if we help these organizations build the capacity, not just check boxes.”

In May, Black & Veatch published its 2025 Water Report that provides a layered, unflinching look at the pressures shaping the future of the U.S. water sector. As utilities contend with aging infrastructure, persistent workforce attrition, and the toxic legacy of ‘forever chemicals,’ they also face rising demands linked to digital transformation, artificial intelligence, and cybersecurity threats. The fourteenth edition of the report, grounded in feedback from 680 stakeholders and over a century of utility expertise, outlines an industry standing at a pivotal moment.