Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

New York unveils new cyber regulations for water treatment facilities

(NYC Water)

By Colin Wood

After announcing last summer that New York’s drinking water and wastewater facilities would be held to a more stringent set of cybersecurity standards, Gov. Kathy Hochul on Wednesday unveiled the completed regulations, along with a $2.5 million grant program designed to aid facilities in conducting risk assessments and implementing upgrades.

In a press release, Hochul’s office called the new standards “first-in-nation,” a “comprehensive, unified approach” to protecting a sensitive public-sector target. Colin Ahern, the state’s former cyber director, who recently became New York’s first director of security and intelligence, said the new rules move the state “beyond reactive defense.” The new regulations are expansive: Treatment facilities are required to meet new reporting requirements after cybersecurity incidents, to establish written procedures for managing vulnerabilities and to protect all operational technology “by separating it completely from information technology” and “external networks such as the internet.”

Facilities must implement common cybersecurity controls, such as limiting users’ access to only systems they need, prohibiting the use of default credentials and requiring complex passwords and multifactor authentication. Larger treatment plants, those processing at least 10 million gallons of water per day, are required to begin monitoring and logging network activity. And treatment plant operators will be required to complete cybersecurity training, every five years, to renew their certifications (though the regulations offer assurance that their total training hours will not increase).

Read more at StateScoop

Click to listen highlighted text!