New cybersecurity regulations for drinking water and wastewater systems have been announced in New York, alongside a US$2.5 million grant program designed to help communities strengthen cyber defenses for critical water infrastructure. Led by Governor Kathy Hochul, the Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements grant program, administered by the New York State Environmental Facilities Corporation, provides funding of up to $50,000 for cybersecurity assessments and up to $100,000 for utilities to implement cybersecurity upgrades. These grants are meant for system improvements to help utilities strengthen defenses against increasingly sophisticated cyber threats.
The ‘comprehensive, unified approach’ introduces minimum cybersecurity standards for utilities and establishes the SECURE grant program, which will provide funding for cybersecurity assessments and system upgrades. These measures equip drinking water and wastewater operators with the framework and tools to bolster their cybersecurity posture against increasingly sophisticated and dangerous cyber threats, reflecting growing concern that water infrastructure has become an attractive target for cyberattacks as operational systems become increasingly digital and connected.
The move brings about requirements such as cybersecurity training for certified operators, incident reporting obligations, and risk-based protections for operational systems.
“Cyber attacks on our water infrastructure can disrupt services and threaten public health and safety,” Hochul said in a statement last week. “My administration is protecting New Yorkers by modernizing regulations and providing resources to adopt these important safeguards. There is nothing more important than keeping New Yorkers safe.”
Last July, New York proposed new cybersecurity regulations for its water and wastewater systems. The initiative would require public water systems to adopt enforceable cybersecurity measures, including formal security programs, risk assessments, and technical safeguards to defend against cyberattacks. The grant is intended to help utilities meet these new obligations and strengthen the security of the state’s water infrastructure.
Delivering on the Governor’s State of the State commitment to strengthen the resilience and reliability of water and wastewater systems, the Departments of Environmental Conservation (DEC) and Health (DOH) developed minimum standards for wastewater and drinking water systems that are threat-informed, risk-centric, and cost-balanced. At the same time, the Environmental Facilities Corporation (EFC) created grants and no-cost technical assistance to support local implementation. Close coordination helped streamline oversight, eliminate duplication and align with federal cybersecurity guidance from the U.S. Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency.
The cybersecurity standards developed by the DEC and DOH establish several minimum protections for water utilities. These include mandatory cybersecurity training for certified operators, requirements to report cybersecurity incidents, and risk-based tiered standards designed to protect critical operations and sensitive information. Larger drinking water systems must also designate a dedicated cybersecurity lead responsible for overseeing security practices.
The New York State Environmental Facilities Corporation launched a dedicated cybersecurity hub to help drinking water and wastewater utilities strengthen their defenses against rising cyber threats. The initiative is part of a broader statewide effort led by Hochul to protect critical water infrastructure, as utilities increasingly face risks from vulnerabilities such as default passwords, unsecured remote access, and outdated security practices. Officials warn that a successful cyberattack on a water system could disrupt operations, halt water services, and impose high financial and operational costs on communities.
The online hub provides technical guidance, training resources, and cybersecurity assessments designed specifically for water sector operators. Through its Community Assistance Teams, the corporation offers free consultations and practical tools to help utilities adopt stronger cybersecurity practices and address vulnerabilities. The platform also highlights recommended actions, training opportunities, and a set of early preparedness steps such as strengthening password policies, improving access controls, maintaining software updates, and developing incident response plans to help utilities reduce cyber risk and improve resilience.
“In today’s threat environment, the security of our digital infrastructure is just as critical as the physical security of our reservoirs. Under Governor Hochul’s leadership, we are moving beyond reactive defense,” said Colin Ahern, New York State Director of Security and Intelligence. “By pairing nation-leading standards with the SECURE grant program, we are providing New York’s water sectors with the intelligence-driven framework and the muscle they need to preemptively harden our most vital systems against sophisticated global adversaries.”
“Effective cybersecurity is not a one-time fix; it is a sustained partnership between the State and our local operators. Following the successful implementation of new standards for our financial and healthcare sectors, Governor Hochul is continuing her steady, sector-by-sector plan to fortify New York’s most critical infrastructure,” according to Michaela Lee, New York State Acting Chief Cyber Officer. “By providing both the regulatory roadmap and the $2.5 million SECURE grant, we are ensuring that water and wastewater utilities have the guidance and resources they need to remain resilient in an increasingly digital world.”
“Governor Hochul’s nation-leading cybersecurity regulations reflect a steadfast commitment to protecting the health and safety of New Yorkers. As drinking water infrastructure controls become increasingly digitized, safeguarding these systems is essential,” James McDonald, New York State Department of Health State Health Commissioner, said. “These regulations strengthen our defenses, enhance monitoring and ensure public drinking water systems are prepared to respond quickly and effectively to potential incidents. We look forward to continuing our close collaboration with state and local partners to protect drinking water in New York State.”
“Thanks to Governor Hochul’s leadership, New York is pairing strong cybersecurity protections with meaningful support for local governments,” Maureen A. Coleman, New York State Environmental Facilities Corporation president and CEO, said. “EFC’s SECURE grant program and hands-on technical assistance will help communities implement these safeguards while keeping projects manageable and affordable.”
“Governor Hochul’s leadership is proactively enhancing cybersecurity across our water and wastewater systems to protect our environment and public health,” according to New York State Department of Environmental Conservation Commissioner Amanda Lefton. “DEC is proud of the collaboration with State agency partners to help address cybersecurity threats and advance these critical water and wastewater infrastructure initiatives to safeguard communities.”
“Cyber attacks are increasingly used by bad actors to threaten our communities and it’s essential we do all we can to strengthen the cyber defenses of critical infrastructure,” said Terry O’Leary, Division of Homeland Security and Emergency Services Acting Commissioner. “Thanks to Governor Hochul’s leadership, these regulations and grants will help ensure the security and resilience of water and wastewater systems across the state.”
Just last week, Texas state agencies and publicly owned medical facilities were directed to review potential cybersecurity risks tied to certain Chinese-manufactured patient monitoring devices after federal warnings flagged vulnerabilities that could expose sensitive health data. Authorities were also instructed to conduct a full inventory of network-connected medical devices and evaluate existing cybersecurity protections, underscoring that safeguarding Texans’ personal medical information remains a top priority. The directive specifically identified devices such as the Contec CMS8000 patient monitor and the Epsimed MN-120 patient monitor, which are already included on Texas’ restricted technologies list due to potential security concerns.
