Cyber threats targeting critical infrastructure are no longer limited to energy grids or financial networks. Increasingly, water infrastructure cybersecurity has become a major concern for governments worldwide as drinking water and wastewater systems rely more heavily on digital technologies.
In response to these growing risks, Kathy Hochul, Governor of New York, announced this week a set of new cybersecurity regulations and a $2.5 million grant program aimed at helping communities protect drinking water and wastewater systems from cyber attacks. The initiative represents what state officials describe as a whole-of-government approach to water infrastructure cybersecurity, combining regulatory standards, financial support, and technical assistance to strengthen the security of essential services used by millions of New Yorkers.
“Cyber attacks on our water infrastructure can disrupt services and threaten public health and safety,” Governor Hochul said. “My administration is protecting New Yorkers by modernizing regulations and providing resources to adopt these important safeguards. There is nothing more important than keeping New Yorkers safe.”
Why Water Infrastructure Cybersecurity Matters
Water infrastructure has traditionally been seen as a physical utility issue. But as treatment plants and distribution systems increasingly rely on internet-connected controls and digital monitoring systems, water infrastructure cybersecurity has become a frontline concern.
Modern wastewater facilities and drinking water plants use digital systems to monitor chemical balances, control pumps, manage filtration processes, and coordinate distribution networks. While these technologies improve efficiency, they also introduce potential cyber risks.
State officials warn that cyber attacks targeting water infrastructure could disrupt essential services or interfere with systems that protect public health. As digital infrastructure expands across critical utilities, improving water infrastructure cybersecurity is becoming just as important as maintaining physical infrastructure.
New Cybersecurity Standards for Water Systems
To address these challenges, the New York State Department of Environmental Conservation and the New York State Department of Health jointly developed new cybersecurity standards for water utilities across the state.
The regulations establish minimum security requirements designed to strengthen water infrastructure cybersecurity while remaining practical for local operators. Key measures include:
- Mandatory cybersecurity training for certified operators
- Cybersecurity incident reporting requirements
- Risk-based, tiered standards to protect critical operations and sensitive information
- Designation of a cybersecurity lead role at larger drinking water systems
These measures aim to move water utilities toward a more structured approach to water infrastructure cybersecurity, ensuring that operators have both the knowledge and accountability required to respond to emerging threats.
$2.5 Million SECURE Grant Program to Support Local Utilities
Alongside the regulatory framework, the state is introducing financial support to help communities implement cybersecurity improvements.
The Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements (SECURE) grant program, administered by the New York State Environmental Facilities Corporation, will provide $2.5 million in funding to support cybersecurity projects at local water and wastewater facilities.
The program includes:
- Up to $50,000 for cybersecurity assessments
- Up to $100,000 for cybersecurity upgrades
In addition to funding, the Environmental Facilities Corporation will provide no-cost technical assistance through Community Assistance Teams, helping utilities implement cybersecurity best practices and navigate grant applications.
State officials believe that combining regulations with funding will make water infrastructure cybersecurity improvements more realistic for smaller communities with limited resources.
A Coordinated Approach to Critical Infrastructure Security
Officials involved in the initiative emphasize that cybersecurity challenges cannot be solved by individual agencies alone. Instead, the state’s strategy relies on coordination across multiple departments and levels of government.
New York State Director of Security and Intelligence Colin Ahern highlighted the need for proactive defense.
“In today’s threat environment, the security of our digital infrastructure is just as critical as the physical security of our reservoirs. Under Governor Hochul’s leadership, we are moving beyond reactive defense. By pairing nation-leading standards with the SECURE grant program, we are providing New York’s water sectors with the intelligence-driven framework and the muscle they need to preemptively harden our most vital systems against sophisticated global adversaries.”
Similarly, Acting Chief Cyber Officer Michaela Lee stressed that cybersecurity requires long-term cooperation between state agencies and local operators.
“Effective cybersecurity is not a one-time fix; it is a sustained partnership between the State and our local operators. Following the successful implementation of new standards for our financial and healthcare sectors, Governor Hochul is continuing her steady, sector-by-sector plan to fortify New York’s most critical infrastructure. By providing both the regulatory roadmap and the $2.5 million SECURE grant, we are ensuring that water and wastewater utilities have the guidance and resources they need to remain resilient in an increasingly digital world.”
A Broader Push to Secure Water Infrastructure
The initiative also reflects a broader investment strategy. New York State has significantly expanded funding for water infrastructure projects in recent years, including $3.8 billion in financial assistance for local projects in State Fiscal Year 2025.
State officials argue that modern infrastructure investments must now include cybersecurity protections. As water systems continue to digitize, ignoring cyber risks could expose essential services to disruption.
From an infrastructure security perspective, the new regulations and grant program signal a shift in how governments think about public utilities. Protecting water systems is no longer just about pipes, pumps, and treatment facilities — it is increasingly about strengthening water infrastructure cybersecurity to safeguard essential services in a connected world.
