Wedoany.com Report on Mar 14th, Water and wastewater treatment entities in New York State, USA, must comply with new cybersecurity regulations by 2027. Proposed and approved last July, these regulations include mandatory cybersecurity training for certified operators, incident response plans, reporting obligations, and the appointment of a cybersecurity lead for large water companies.

To help water agencies meet cybersecurity benchmarks, the state has launched a $2.5 million funding program and offers free technical assistance. Regulated entities must develop and test response and recovery plans to ensure operations can be maintained during a cyberattack. The regulations apply to community water systems serving more than 3,300 people, with additional requirements for agencies serving over 50,000.

The funding program addresses the funding shortage in the water sector. Compared to other critical infrastructure sectors like electricity, water and wastewater treatment utilities have lower profit margins, making it difficult to afford expensive cybersecurity tools and services, and they are reluctant to raise prices for local customers. Barbara Van Epps, Executive Director of the New York State Conference of Mayors, emphasized that most water systems are operated by local governments, and financial support is crucial for strengthening cyber defenses.

New York Acting Chief Cyber Officer Michaela Lee stated that the state cannot wait for "stalled federal mandates while cyber threats are intensifying." She pointed out that escalating global cyber threats prompted New York to act, ensuring municipalities have the resources and roadmap needed to defend against attacks. The state provides $50,000 for cybersecurity assessments and up to $100,000 for upgrades.

New York officials said they are working with the U.S. Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency to ensure the rules align with federal guidance and avoid duplicating existing regulations. Lee explained that this effort is part of implementing new cybersecurity standards sector by sector, aiming to strengthen critical infrastructure, starting with finance and healthcare, and expanding to water and wastewater treatment.

New York State Department of Health Commissioner James McDonald said, "As controls for drinking water infrastructure become increasingly digitized, protecting these systems is critical. These regulations strengthen defenses, enhance monitoring, and ensure public drinking water systems are prepared to respond quickly and effectively to potential incidents."