July 30, 2025 | Policy Brief
New York Acts To Avert Cyberattacks Against State’s Drinking Water Systems
July 30, 2025 | Policy Brief
New York Acts To Avert Cyberattacks Against State’s Drinking Water Systems
With the federal government slow to act, New York State government is stepping in to protect its water systems from cyber threats. On July 22, Governor Kathy Hochul announced a new $2.5 million cybersecurity grant program alongside new requirements for digital safeguards. New York’s program hints at a larger problem: The vast majority of Americans are served by small water utilities that remain dangerously under-resourced and ill-prepared for cyberattacks.
A State-Level Push to Fund and Secure Water Systems
Beginning in January 2027, New York’s water and wastewater utilities serving between 3,300 and 50,000 people will be required to conduct vulnerability analysis, report cyber incidents within 24 hours, maintain a response plan for cyberattacks, and train their staff on cybersecurity threats. Larger systems must also designate a senior executive responsible for overseeing cybersecurity programs and continuously monitoring networks for intrusions.
Compliance with these new requirements comes at a cost. The state estimates upgrades could cost up to $150,000 annually for mid-sized systems and up to $5 million for larger ones. To help offset this, New York launched a new cybersecurity grant program to cover the costs of technical assistance, risk assessments, and other qualifying activities. However, officials acknowledge that the $2.5 million grant program “will likely not cover full costs.”
A Lifeline Sector Remains Digitally Exposed
A 2024 New York state audit found that many of its public water systems lacked emergency plans or had outdated ones — part of a national trend. In 2021, federal law enforcement agencies warned that inadequate emergency preparedness was widespread across the sector.
Weak cybersecurity measures and aging, unprotected technologies have made water utilities attractive targets for cybercriminals and nation-state actors. In late 2023, Iranian hackers attacked multiple American water utilities, forcing them to switch to manual operations. In 2021, ransomware attacks hit water and wastewater treatment facilities in Nevada, California, and Maine, with the incident in Maine corrupting the system’s controlling plant equipment.
The Environmental Protection Agency (EPA), meanwhile, lacks the resources and workforce needed to help the water sector mitigate cyber risks. A 2024 Government Accountability Office report found that the agency is not equipped to provide meaningful guidance to the more than 150,000 public water systems across the country. Many utilities have made minimal cybersecurity investments, focusing only on meeting the EPA’s mandatory health and safety requirements.
Other States and the Federal Government Should Follow New York’s Lead
EPA’s previous efforts to impose cybersecurity requirements on water utilities were met with backlash from states and industry groups, which were concerned about EPA’s attempt to leverage unrelated state-level mechanisms to impose requirements that had not received industry input. Instead, industry groups have called for a sector-organized standards body that interacts with the EPA on the sector’s behalf and provides industry with consistent guidance on cybersecurity.
While legislation establishing this standards body winds through Congress, states can establish similar programs to New York’s new effort to set standards and bring resources to the sector. State administrators should continue using existing federal funding mechanisms to support local cybersecurity initiatives.
While New York’s proposed rules and grant program are meaningful steps, lasting progress will require federal leadership. Without a national standards body and sustained funding for grant programs that water utilities use to fund cybersecurity investments, efforts to secure America’s water systems will remain uneven, limited in scale and impact.
Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Stefan Videnovic is a CCTI intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.