After announcing last summer that New York’s drinking water and wastewater facilities would be held to a more stringent set of cybersecurity standards, Gov. Kathy Hochul on Wednesday unveiled the completed regulations, along with a $2.5 million grant program designed to aid facilities in conducting risk assessments and implementing upgrades.
In a press release, Hochul’s office called the new standards “first-in-nation,” a “comprehensive, unified approach” to protecting a sensitive public-sector target. Colin Ahern, the state’s former cyber director, who recently became New York’s first director of security and intelligence, said the new rules move the state “beyond reactive defense.” The new regulations are expansive: Treatment facilities are required to meet new reporting requirements after cybersecurity incidents, to establish written procedures for managing vulnerabilities and to protect all operational technology “by separating it completely from information technology” and “external networks such as the internet.”
Facilities must implement common cybersecurity controls, such as limiting users’ access to only systems they need, prohibiting the use of default credentials and requiring complex passwords and multifactor authentication. Larger treatment plants, those processing at least 10 million gallons of water per day, are required to begin monitoring and logging network activity. And treatment plant operators will be required to complete cybersecurity training, every five years, to renew their certifications (though the regulations offer assurance that their total training hours will not increase).
A new $2.5 million grant program, called the Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements (SECURE) grant program, will provide grants of $50,000 for cybersecurity assessments and $100,000 for implementing cybersecurity upgrades. The Environmental Facilities Corporation, New York’s water infrastructure bank, will administer the grants and lend the free aid of its “community assistance teams,” to advise on cybersecurity best practices.
The new regulations are timely, given the fresh military conflict in the Middle East. Critical infrastructure facilities, such as water treatment plants, are natural cybersecurity targets for hostile foreign nations. Shortly after the U.S. and Israel began striking Iran last month, the nonprofit Center for Internet Security warned its state and local government members that although Iran was occupied by the exigencies of physical warfare, there were signs of hacktivist groups organizing and that the United States should soon expect to see a wave of “low-level cyber activity.”
And a group of 10 information sharing groups, including the Water Information Sharing and Analysis Center, on Wednesday issued a joint advisory warning of a “highly volatile” threat environment that includes the possibility of “increased cyberattacks from Iranian state-sponsored actors, hacktivists, and cybercriminal groups aligned with Iran.” The information-sharing groups named numerous threat actors — Charming Kitten, Cyber Av3ngers, etc. — to watch for, and advised organizations to “adopt a thoughtful, comprehensive cybersecurity strategy that enables them to allocate limited resources most effectively,” and to “prepare for the likelihood of increased activity by Iranian-aligned actors.”
Written by Colin Wood
Colin Wood is StateScoop’s editor in chief. Contact him at colin.wood@statescoop.com or cwood.64 on Signal.