Program Offers Up to $100K for Security Upgrades and $50K for Assessments
The state of New York is launching a first-of-its-kind cybersecurity regulatory framework for water and wastewater utilities, rolling out new technical safeguards and funding grants.
See Also: Free Your IT Program of Tech Debt With an Enterprise Browser (eBook)
Governor Kathy Hochul announced finalized cyber regulations for public water systems, along with a $2.5 million grant program aimed at helping local operators implement the new directives, conduct risk assessments and upgrade digital defenses. State officials said the effort should help utilities strengthen their security posture while protecting services that millions of New Yorkers rely on every day (see: New York Unveils ‘Nation-Leading’ Water Sector Cyber Rules).
The rules create enforceable cybersecurity standards for drinking water and wastewater operators throughout New York while tasking utilities with establishing formal security programs, identifying cyber risks and implementing technical security measures designed to defend operational systems from attacks. The new framework builds on plans unveiled last year as New York moved to establish cybersecurity standards for the state’s water sector, a critical infrastructure sector that analysts say has lagged behind others in its cyber maturity and preparedness (see: Weak and Exposed: US Water Utilities a Chinese Hacker Target).
“Cyberattacks on our water infrastructure can disrupt services and threaten public health and safety,” Hochul said.
The Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements grant program will provide $2.5 million to help utilities assess cyber risks and deploy protective controls, including up to $50,000 for cybersecurity assessments and up to $100,000 to implement cybersecurity upgrades. The initiative comes amid growing concern that cyberthreats targeting water infrastructure could disrupt essential services or compromise water treatment operations.
“These regulations strengthen our defenses, enhance monitoring and ensure public drinking water systems are prepared to respond quickly and effectively to potential incidents,” New York State Department of Health State Health Commissioner James McDonald said.
Experts have long warned that many water utilities nationwide operate with limited cybersecurity resources and staff while relying on aging industrial control systems, making them attractive targets for cybercriminals and foreign adversaries.
Hackers have yet to successfully alter water quality at U.S. treatment plants, which typically rely on multiple safety controls designed to prevent catastrophic failures. But security analysts say the sector’s accelerating digitization has introduced cyber risks that were once largely absent from a critical infrastructure industry traditionally associated with reservoirs, treatment plants and pipes.
“In today’s threat environment, the security of our digital infrastructure is just as critical as the physical security of our reservoirs,” New York State Director of Security and Intelligence Colin Ahern said in a statement.
The new regulations come as cyberattacks targeting U.S. water systems have increasingly drawn scrutiny in recent years, including from pro-Russian hackers who in January 2024 caused drinking water to overflow to overflow from a Texas water utility (see: US Warns of Ongoing Pro-Russia Critical Infrastructure Hacks).