New York sets stricter cybersecurity standards for water utilities

New York Gov. Kathy Hochul has unveiled completed cybersecurity regulations for water and wastewater facilities across the state, alongside a $2.5 million grant program meant to assist in risk assessments and system defense upgrades, according to StateScoop.

As part of the new regulations, New York water treatment facilities will be required to not only adhere to cyber incident reporting requirements but also create written vulnerability management procedures and separate operational technology systems from IT and external networks, while larger facilities will be compelled to conduct network activity tracking and logging. Typical cybersecurity measures, including complex passwords and multi-factor authentication, access restrictions, and default credential prohibition, should also be implemented. Former state cyber director Colin Ahern, who just took over as New York's first head of security and intelligence, stated that the new regulations take the state "beyond reactive defense."

Meanwhile, water facilities and other utilities in New York will be able to obtain grants of $100,000 and $50,000 for cybersecurity improvements and evaluations, respectively, as part of the $2.5 million Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements grant program.