Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
The EPA spent three years trying to force cybersecurity requirements on water utilities. Courts said no. The Safe Drinking Water Act doesn’t give them that power. So at the federal level, we’ve got guidelines, warnings, and strongly worded suggestions. No teeth.
New York decided to stop waiting.
The state’s new regulations require cybersecurity training for certified operators, incident response plans, and mandatory breach reporting. The rules cover community water systems serving more than 3,300 people, with extra requirements for those serving over 50,000. Operational technology rules kick in January 2027. IT-side rules already took effect in January 2026.
And here’s the part that actually matters: breach reporting. Without it, a compromised water system can just… not tell anyone. A reporting mandate creates a paper trail. It forces utilities to treat a breach as a public safety issue, not just an ops headache.
To help smaller systems get there, the state put up $2.5 million in grants. Up to $50,000 for assessments, up to $100,000 for upgrades.
If you’ve worked in financial services, this playbook looks familiar. Back in 2017, New York’s Department of Financial Services dropped 23 NYCRR 500 on banks and insurers when there was no federal equivalent. People questioned whether the state had the authority. New York did it anyway. Years later, that regulation helped shape the SEC’s cyber incident disclosure rules.
Water utilities aren’t banks. But the pattern is identical. Federal action stalls. New York acts. Other states watch. And the New York framework becomes the de facto national reference.
Here’s the honest part, though. New York has roughly 5,000 public water systems. Most are small. A water authority in the Hudson Valley might have one full-time employee and a board of volunteers. Telling them to develop a formal incident response plan and train staff on it requires resources they probably don’t have.
That doesn’t make the regulation wrong. Being small doesn’t protect a water system. These systems are exposed precisely because their security posture is often nonexistent. The 2021 Oldsmar attack in Florida wasn’t some nation-state masterwork. It was a basic intrusion that only failed because an alert operator spotted the change in real time. And Iranian-linked actors are actively probing U.S. water infrastructure right now.
Whether this works comes down to whether New York pairs the mandate with real technical assistance and funding for small systems. The regulatory text matters less than the implementation support.
For everyone outside New York: the federal gap isn’t closing anytime soon. State-level regulation is probably how water utility cybersecurity gets addressed for the foreseeable future. New York going first means there’ll be enforcement data, legal challenges, and lessons learned that other states can watch before committing to their own versions.