New York Unveils Cyber Rules to Fortify Water Systems, But Experts Warn: “Implementation Won’t Be Easy”
- Cyber Jill

- Jul 24, 2025
- 3 min read
New York is sending a strong message to hackers: stay out of the water.
This week, three of the state’s key regulatory bodies — the Department of Health (DOH), Department of Environmental Conservation (DEC), and Department of Public Service (DPS) — unveiled a sweeping set of proposed cybersecurity regulations designed to harden the digital defenses of water and wastewater utilities.
The proposed rules, now open for public comment, mark one of the most comprehensive state-level attempts to address rising cyber threats targeting critical infrastructure. They mandate minimum cybersecurity controls across both IT (information technology) and OT (operational technology) environments, require mandatory training for certified wastewater operators, and emphasize robust incident response plans, continuous monitoring, and threat reporting. In short, they treat water with the same urgency already afforded to power grids, hospitals, and financial systems.
“Cyberattacks on critical infrastructure can have devastating impacts on communities, and we must act now to defend our water and wastewater systems with the same urgency and rigor we bring to other critical sectors,” said New York Governor Kathy Hochul in a statement. “These new regulations and grant programs reflect our commitment to protecting public health and safety while helping under-resourced entities modernize for a digital age.”
To grease the wheels of adoption, the Environmental Facilities Corporation (EFC) has launched a new grant program and technical assistance initiative aimed at helping utilities—especially smaller ones—comply with the mandates. Regulators say they've coordinated closely with federal bodies like the EPA and CISA to ensure alignment with national guidance and best practices.
But while the rules may look clean on paper, the road to implementation is anything but.
“Protecting Critical Infrastructure, as defined by the Department of Homeland Security (DHS) and including water and wastewater facilities, should be a priority,” said Damon Small, board member at cybersecurity firm Xcape, Inc. “In that spirit, these proposed regulations are a good thing. Incident reporting, authentication, and access management are key features of any successful cybersecurity program.”
Yet, Small cautioned that bridging the gap between OT and IT — two realms often siloed for good reason — isn’t a trivial task. “The concept of separating Operational Technology (OT) from Information Technology (IT) is easier said than done,” he added. “Reference architectures exist, such as the Purdue Model, that describe how to interconnect OT and IT while minimizing risk, but to do so effectively may require significant changes to a facility's network infrastructure. In short, these regulations are good, but implementing the technical controls required may be time-consuming and expensive.”
And therein lies the tension. Even as the water sector becomes a more frequent target for ransomware groups and nation-state-backed threat actors, many facilities remain stuck with legacy equipment, minimal cybersecurity staffing, and outdated software that can’t easily support modern controls like zero trust, multi-factor authentication, or real-time telemetry.
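To make the "easier said than done" point concrete, here is an added example (not code from the article, the regulators, or Xcape) that models the Purdue-style OT/IT separation Small refers to as a small policy check: each network is assigned a Purdue level, and flow records are tested against three rules that the example assumes for illustration (only adjacent levels may talk, enterprise and control zones must go through an industrial DMZ, and control zones never reach the internet). All addresses, zone boundaries, and flow records are constructed for the demo; a real utility would substitute its own inventory and feed the check from its monitoring pipeline.

```python
"""Purdue-style zone policy check over constructed flow records.

Added example: models the OT/IT separation the Purdue Model describes
as a tiny policy engine and flags flows that cross level boundaries
without passing through the industrial DMZ (IDMZ). The zone layout,
the three rules, and every flow record below are constructed
assumptions for the demo, not taken from any real utility or from the
proposed regulations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone layout (constructed): Purdue level -> networks.
ZONES = {
    1: [ip_network("10.1.0.0/24")],     # basic control: PLCs, RTUs
    2: [ip_network("10.2.0.0/24")],     # supervisory: HMI, SCADA servers
    3: [ip_network("10.3.0.0/24")],     # site operations: historian, engineering
    3.5: [ip_network("10.35.0.0/24")],  # industrial DMZ: jump hosts, replicas
    4: [ip_network("10.4.0.0/16")],     # enterprise IT
    5: [ip_network("0.0.0.0/0")],       # everything else: internet / unknown
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def level_of(addr: str) -> float:
    """Map an address to its Purdue level; the most specific zone wins."""
    ip = ip_address(addr)
    best = None  # (level, prefix length) of the narrowest matching zone
    for level, nets in ZONES.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (level, net.prefixlen)
    return best[0]


def check_flow(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow under the assumed policy.

    Rules (assumptions of this example, not the regulation text):
      1. Traffic may only cross between adjacent levels.
      2. Levels <= 3 and levels >= 4 never talk directly; the IDMZ brokers it.
      3. Control zones (level <= 3) never reach the internet (level 5).
    """
    s, d = level_of(flow.src), level_of(flow.dst)
    if s == d:
        return True, f"intra-zone L{s}"
    if 5 in (s, d) and min(s, d) <= 3:
        return False, f"OT level {min(s, d)} exposed to internet"
    if (s <= 3 and d >= 4) or (d <= 3 and s >= 4):
        return False, f"L{s}->L{d} bypasses IDMZ"
    if abs(s - d) > 1:  # e.g. L1 <-> L3, or IDMZ straight to the internet
        return False, f"L{s}->L{d} skips intermediate level"
    return True, f"adjacent L{s}->L{d}"


# Constructed flow records, shaped like what a monitoring pipeline might emit.
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", 502, "tcp"),     # HMI -> PLC (Modbus): adjacent, ok
    Flow("10.3.0.20", "10.35.0.7", 5432, "tcp"),   # historian -> IDMZ replica: ok
    Flow("10.4.12.9", "10.35.0.7", 443, "tcp"),    # enterprise -> IDMZ replica: ok
    Flow("10.4.12.9", "10.2.0.10", 3389, "tcp"),   # enterprise RDP straight to HMI: violation
    Flow("10.1.0.5", "203.0.113.8", 443, "tcp"),   # PLC reaching the internet: violation
    Flow("10.3.0.20", "10.1.0.5", 502, "tcp"),     # site ops directly to PLC: violation
]


def audit(flows):
    """Return (flow, reason) for every flow the policy rejects."""
    findings = []
    for f in flows:
        allowed, reason = check_flow(f)
        if not allowed:
            findings.append((f, reason))
    return findings


if __name__ == "__main__":
    for f, why in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src}->{f.dst}:{f.dport}/{f.proto}  {why}")
```

Run as a script it prints the three violating flows. The useful lesson is in the rejected records: the enterprise-to-HMI remote desktop and the site-operations-to-PLC flows are exactly the shortcuts that accumulate in a facility that grew up without an IDMZ, and each one the checker flags is a network change (a jump host, a replicated historian, a re-homed workstation) that has to be designed, funded, and scheduled around plant operations before the policy can be enforced rather than merely reported.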
With deadlines set for 2026 (IT compliance under PSC) and 2027 (OT compliance under DEC and DOH), the state is offering a generous runway. But the real question is whether funding and technical support can scale fast enough to match the risk.
Copies of the proposed regulations are now available on the DEC website, with the DOH and PSC accepting public comments through mid-September. The next few months will determine whether New York can strike the right balance between bold regulation and grounded implementation—or if water utilities will be left swimming against the current.