Cyber on Tap: NY's Water Utilities Face New Cyber Rulebook

By Patrick Miller

New York has proposed the first mandatory cybersecurity regulation for water and wastewater systems, targeting utilities serving over 3,300 people. With requirements for vulnerability assessments, incident reporting, and executive oversight, this rule signals a shift toward enforceable cyber resilience. Other states may soon follow.

Overview

New York just made another interesting move. On July 23, 2025, the state released its first-ever proposed cybersecurity regulation for drinking water and wastewater systems, backed by a $2.5 million grant program to jumpstart compliance. This doesn’t read like a patchwork of guidance or voluntary best practices. It’s a regulatory mandate with timelines, technical requirements, and enforcement teeth.

The regulation affects all community water systems serving more than 3,300 people, with enhanced requirements for those serving more than 50,000 residents. The requirements include vulnerability assessments, executive accountability, continuous monitoring, and, yes, formal incident reporting within 24 hours (a requirement that is becoming a strong trend).

We’ve been watching this space evolve, and this is a clear signal: New York now treats water infrastructure as a frontline asset in the cybersecurity domain. The action echoes a broader trend we explored in Broad Scope, Big Impact: NY Mandates Cyber Rules for Public Sector, where New York is proactively establishing cybersecurity requirements in the absence of clear, consistent national standards.

What’s Required: A Quick Dive

The proposed regulation mandates the following:

Annual Cyber Vulnerability Assessments (CVAs)

  • Required annually, or within 30 days of a major infrastructure change.

  • Must evaluate IT/OT networks, software, personnel access, remote access, wireless, logging, patching, and network segmentation.

Cybersecurity Program Implementation

  • The CVA is not a shelf document—it must directly inform a cybersecurity program.

  • That includes technical safeguards, access controls, detection, and mitigation measures.

Executive-Level Responsibility (for 50k+ population systems)

  • A qualified individual at the executive level must be designated to oversee cybersecurity.

  • Must ensure network monitoring and logging are in place and active.

Incident Response and Reporting

  • Reportable incidents include ransomware, data breaches, unauthorized access, or any disruption to operations.

  • Must be reported to the NY Department of Health within 24 hours.

Training Requirements

  • All certified water system operators must receive periodic cybersecurity training.

  • Tied to certification cycles.

Vulnerability Disclosure

  • Systems must notify the state within 48 hours of discovering a vulnerability that may affect compliance with the regulation.

Funding Support, But Not a Free Ride

New York is offering $2.5 million in grant funding to assist with CVA and compliance readiness. That’s a start, but consider the estimated costs:

  • Annual compliance costs for midsize systems (3,300–50,000 people): up to $150,000/year

  • Annual compliance costs for large systems (50,000+ people): up to $5 million/year

  • Network logging: $54,000/year

  • Asset inventory and segmentation: $25,000–$135,000, depending on asset count

These are not trivial numbers for rural utilities or underfunded municipalities. Grant funding will help, but it won’t cover the entire compliance journey.

The Rule That Wasn’t: EPA’s Short-Lived Cyber Mandate

In March 2023, the EPA issued a cybersecurity rule (in the form of an interpretive memorandum) requiring states to evaluate and report on the cybersecurity of public water systems during routine sanitary surveys. The rule created new legal obligations for states and utilities, regardless of size, with specific assessment and reporting requirements.

By October 2023, after legal challenges from Missouri, Arkansas, and Iowa and from water utility associations, which argued that the rule exceeded the EPA’s authority and imposed undue burdens on smaller systems, the EPA formally withdrew it. The withdrawal leaves cybersecurity oversight largely voluntary, although the agency continues to encourage audits and provide technical assistance.

The reversal illustrates the limits of federal authority in the absence of a clearer legislative mandate, and it highlights why states like New York are stepping in with enforceable regulations.

What Makes This Regulation Different

This is not just another set of guidelines. A few things stand out:

  • The first mandatory cybersecurity regulation for water utilities. Some states have considered something like this, but they haven’t crossed this line.

  • Explicit alignment with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and EPA cybersecurity priorities (despite the EPA’s recent legal setbacks).

  • Real deadlines, not open-ended expectations.

  • A technology-neutral approach. Systems can choose how to comply, but they must prove they’ve done it.

This marks a distinct shift away from the “check-the-box” vulnerability scan culture. It’s a move toward continuous improvement, accountability, and cyber maturity.

Points of Contention: Where the Debate May Emerge

  1. Cost Burden on Smaller Utilities: While the grant program helps, the financial burden is likely to fall on ratepayers or municipal budgets, especially for capital upgrades like monitoring systems or segmentation.

  2. Speed of Implementation: The timeline to comply is short by infrastructure standards, with full implementation expected by early 2027.

  3. Workforce Readiness: Designating executive cyber leads and upskilling operators may strain already thin resources, particularly in rural areas.

  4. Potential Overlap with EPA/CISA Guidance: Without federal standardization, overlapping requirements could cause confusion or, worse, regulatory fatigue.

Comparing to Federal/Regional Frameworks

New York’s proposed regulation is loosely aligned with:

  • NIST Cybersecurity Framework (CSF) – Especially Identify, Protect, Detect, and Respond categories.

  • NIST SP 800-53 & 800-82 – It references similar controls (access, monitoring, incident response) but without rigid mappings.

  • CISA Cross-Sector Cybersecurity Performance Goals (CPGs) – The regulation echoes several CPGs, including asset inventory, vulnerability scanning, access management, and logging.

  • EU NIS2 Directive – Shares principles around executive accountability, mandatory incident reporting, and risk-based technical controls for essential service providers.

But it’s not a one-to-one match. It’s more prescriptive in some areas (like reporting timelines) and flexible in others (letting systems define their own technical controls, as long as they’re justified).

Final Thoughts: Why This Matters Beyond New York

This rule is likely just the beginning. In the absence of a national cybersecurity standard for water systems (after the EPA’s rule was pulled back), states are stepping into the void. New York is setting a precedent that could easily spread to other states facing similar risks and similar political will.

For operators, owners, and engineering teams: compliance will not be a one-time event. This regulation hints at a continuous model of governance, risk management, and system improvement. And that’s a welcome shift. But only if we help these organizations build the capacity, not just check boxes.

Recommendations for Water Utilities and Operators

  1. Start Your CVA Now – Even if the rule isn’t final, it will be soon. Use this time to baseline your network, asset inventory, and risk posture.

  2. Build a Risk-Based Roadmap – Prioritize controls based on threat likelihood and potential impact, not just compliance minimums.

  3. Train Your Operators – Start integrating cybersecurity hygiene into routine training and recertification now.

  4. Designate Your Cyber Lead Early – For larger systems, identify the executive sponsor and clarify accountability.

  5. Engage with the Public Comment Process – This is your chance to shape the rule before it’s final.

New York isn’t just regulating cyber risk in the water sector; it’s trying to operationalize it. That’s a direction worth following, and one that deserves real investment and support from both public and private partners.
