New York proposes stronger cyber controls for water utilities

New York Gov. Kathy Hochul on Tuesday announced her state will soon begin holding its water and wastewater utilities to a more thorough set of cybersecurity standards. They’ll also have access to a new $2.5 million grant program to help cover the cost of meeting the new regulations, which are likely to be phased in within the next several months.

A group that included members of the state’s health, environmental conservation and public service departments developed the regulations, and each has published new proposed rules for public review. Colin Ahern, the state’s chief information security officer, said the governor directed the agencies to “harmonize” the regulations, which affect a sector naturally laden with broad health and environmental concerns.

The new proposed regulations would require that all New York water and wastewater utilities serving more than 3,300 people adhere to a host of new cybersecurity measures, including conducting annual cybersecurity vulnerability analyses, establishing formal cybersecurity programs, creating incident response plans, following new incident reporting requirements and training staff on cybersecurity hygiene.

Larger utilities, those serving more than 50,000 people, would additionally be required to designate a staff member who’s responsible for administering a cybersecurity program and monitoring and logging network activity.

None of the requirements are unusual, but they are perhaps overdue. The Environmental Protection Agency’s Office of Inspector General last year warned that 9% of the nation’s public drinking water systems harbor cybersecurity vulnerabilities it labeled “critical” or “high” in importance. Nicolas Evans, the agency’s acting assistant inspector general for investigations, wrote in a report that the risk utilities face in being unable to provide their populations with clean water is “not hypothetical.”

Ahern said New York’s latest move is part of the governor’s ongoing campaign to improve the state’s cybersecurity posture and the reliability of its drinking water. New York has spent $6 billion on clean water infrastructure since 2017, according to Hochul’s office, but Ahern said the new $2.5 million grant program, called the Cyber Resilience Grant Program for Water Systems, is the first he knows of that provides funding exclusively for cybersecurity improvements in the water and wastewater sector.

“People would probably be surprised that no one is requiring these utilities yet to do things like have an incident response plan, put multifactor authentication on remote access, identify vulnerabilities in a timely manner according to the risk assessment,” Ahern said, adding that such facilities are considered valuable targets for a range of bad actors, from politically motivated nation-states to financially motivated ransomware gangs.

There are more than 150,000 public drinking water systems in the United States, and on rare occasions they sustain terrifying cyberattacks. A Russian hacking group last year took credit for attacks against a wastewater treatment plant in Indiana and another water facility in Texas. New Jersey’s American Water Works Company was hit with a cyberattack last October, only forcing it to take some of its administrative systems offline, but each new attack invariably exercises the imaginations of water-drinkers everywhere.

State and local governments have in recent years drawn immense support for their critical infrastructure sectors, both in funding and expertise, from the Department of Homeland Security’s cybersecurity division. And in developing the new proposed regulations, Ahern said, New York’s agencies drew on “performance goals” published by the Cybersecurity and Infrastructure Security Agency, a list of practices thought to be effective at reducing risk.

Ahern said he works “closely” with CISA, along with the FBI, to protect his state’s critical infrastructure — though not all state officials have enjoyed such tight connections in recent times. After seeing one of his websites defaced last week, Arizona Secretary of State Adrian Fontes told CyberScoop that he believes CISA, once a “strong and reliable partner,” has been “weakened and politicized” during Donald Trump’s second term as president.

Ahern stopped short of criticizing CISA, but conceded that there’s “more to do at the federal level,” gesturing at the continued absence of a federal cyber director or a CISA director. (The Senate Homeland Security Committee plans on Thursday to consider Sean Plankey as CISA’s director. Plankey, Trump’s pick, served as head of cyber policy at the National Security Council during the president’s first term.)

“We need the federal government to be effective, so we’ll keep working with them,” Ahern said. “And obviously we won’t be shy to point out when those decisions have ramifications for New Yorkers.”