New York Water Cyber Rules Take Effect in 2027 With New Standards for Utilities

What happened

New York approved new cybersecurity regulations for water and wastewater organizations that will take effect by the end of 2027, requiring covered entities to adopt measures such as cybersecurity training for certified operators, incident response planning, reporting requirements, and designated cyber leadership for larger utilities. The rules apply to community water systems serving more than 3,300 people, with added requirements for those serving more than 50,000. Michaela Lee, New York’s acting chief cyber officer, said the state moved forward as threats to water infrastructure continue to grow.

Who is affected

Community water systems in New York serving more than 3,300 people are affected by the new rules, with larger utilities serving more than 50,000 people subject to additional requirements.

Why CISOs should care

The regulations show how states are moving to impose baseline cyber requirements on water infrastructure as threats to operational technology and public utilities continue to intensify.

3 practical actions

  1. Review applicability now. Determine whether your water or wastewater organization falls under the new thresholds and added requirements.
  2. Prepare response and recovery plans. The rules require regulated entities to create and test plans that maintain operations during a cyberattack.
  3. Pursue available funding and support. New York created a grant program and is offering technical assistance to help organizations meet the new standards.
