Practical cybersecurity solutions that help utilities strengthen resilience, meet regulatory requirements, and protect the communities they serve.
Cybersecurity isn’t just an IT issue—it’s an operational necessity. Today’s water and wastewater systems depend on technology to manage pumps, treatment processes, and monitoring systems. A single cyber incident could disrupt service, compromise safety, or damage public trust.
That’s why utilities across the country—and especially here in New York—are being asked to strengthen their cybersecurity posture. Natsar helps organizations do this with practical, defensible solutions that balance compliance requirements with real-world operations.
Natsar helps water and wastewater utilities meet cybersecurity requirements with practical, defensible solutions tailored to their operations. Our services strengthen resilience, simplify compliance, and ensure ongoing protection against evolving threats.
In response to increasing threats to critical infrastructure, New York has introduced new cybersecurity requirements for public water and wastewater systems.
In 2025, New York proposed new cybersecurity requirements for both drinking water and wastewater utilities.
Department of Health (DOH): Applies to Community Water Systems serving more than 3,300 people.
Department of Environmental Conservation (DEC): Applies to Publicly Owned Treatment Works (POTWs) with SPDES permits.
Both require utilities to conduct cybersecurity assessments, implement programs, train staff, and report incidents.
Compliance deadlines begin immediately upon adoption—with full implementation required by January 1, 2027.
Even if your system isn’t regulated by New York’s new rules, cybersecurity is essential for operational continuity and public trust.
Natsar aligns your program to nationally recognized frameworks and resources:
Cybersecurity and Infrastructure Security Agency (CISA) Cyber Performance Goals (CPGs)
NIST Cybersecurity Framework (NIST CSF)
Center for Internet Security (CIS) Controls and benchmarks
New York Cybersecurity Requirements for Public Water Systems (10 NYCRR Subpart 5-1)
New York Wastewater Cybersecurity Rules (6 NYCRR Parts 616, 650, and 750)
New York Water System Cybersecurity Regulations
The New York State Department of Environmental Conservation (DEC) has proposed comprehensive amendments to parts 616, 650, and 750 of Title 6 NYCRR with the primary goal of safeguarding New York’s water infrastructure. These regulations stem from Governor Kathy Hochul's directive in January 2025 to establish minimum cybersecurity standards for water and wastewater utilities. The main objectives include mandating cybersecurity incident reporting for State Pollutant Discharge Elimination System (SPDES) permittees, requiring emergency response planning and specific cybersecurity controls for Publicly Owned Treatment Works (POTWs), and ensuring certified wastewater operators receive cybersecurity training. The overarching aim is to protect the environment, including water quality, from the increasing number and sophistication of cyber threats that could lead to the discharge of untreated or partially treated sewage into communities and state waters.
POTWs are mandated to establish, maintain, and implement a range of cybersecurity controls based on documents accepted by the DEC, including EPA guidance and the NIST Cybersecurity Framework. These controls include:
Access Control and Authentication: Written rules and procedures consistent with the principle of least privilege, addressing password security, complexity, and management. Multi-factor authentication is required for remote access to operational technology (OT), and preset or default credentials are disallowed. These rules must be reviewed annually and updated after incidents or assessments.
Cybersecurity Vulnerability Management Process: A written process including a cyber asset inventory (OT and connected IT assets), identification of known vulnerabilities, risk assessment based on likelihood and consequences of exploitation, prioritization of vulnerabilities, and mitigation/remediation actions. This process must be reviewed annually and updated when assets are added/decommissioned or new vulnerabilities are identified.
Secure Network Structure: A written description of the network structure that protects OT by either physically and logically separating it from IT and external networks or by securing necessary connections with appropriate cybersecurity controls.
Network Monitoring and Logging (for larger POTWs): POTWs with a design flow of 10 MGD or more must implement, manage, and maintain procedures, products, and/or services that monitor and log network activity. This requirement has exceptions for facilities with no physical/logical connections between OT/IT/external networks, or those using unidirectional data flow devices for alarms, notifications, or communications.
Cybersecurity Incident Response Plan (IRP): POTWs must establish, maintain, and implement an IRP, which can be an existing plan meeting specific criteria or one based on accepted templates like the Incident Action Checklist—Cybersecurity. This IRP must be incorporated into the broader Emergency Response Plan (ERP).
All SPDES permittees are mandated to report cybersecurity incidents promptly. An oral report must be made to the regional water engineer as soon as possible, but no later than 24 hours from the time the permittee becomes aware of the incident. This oral report must include, to the extent known at the time, details such as the date and time of discovery, the person who discovered it, a brief description of the incident, whether IT, OT, or both were impacted, and any disruption or anticipated disruption to normal operations. A more comprehensive written report must then be submitted to the regional water engineer within 30 days of becoming aware of the incident. This written report requires detailed information including the date and time of discovery, the discoverer, a brief description, impact on IT/OT, description of operational disruptions (or lack thereof), expected duration of disruption, description of any loss or damage to SPDES program data, OT, or the facility, and measures taken or planned for remediation/mitigation.
For wastewater operators, sections 650.8 and 650.12 of the proposed regulations require certified operators to complete a minimum number of training hours on cybersecurity to renew their certification every five years. This training does not add to the existing total number of required renewal hours. Grades 1 and 1A, and 2 and 2A operators need 2 hours of cybersecurity training, while Grades 3 and 3A, and 4 and 4A operators need 4 hours. These requirements will apply to all certifications expiring on or after January 1, 2027.
For drinking water operators, all certified operators under Subpart 5-4 are required to complete a minimum of one hour of cybersecurity training every three years. The curriculum for this training must be approved by the Department of Health. This requirement is effective immediately upon adoption of the regulation.
The regulations introduce specific definitions to clarify reportable events:
Cybersecurity Event: This is broadly defined as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse the permittee’s operational or information technology or SPDES program data."
Cybersecurity Incident: This is a subset of cybersecurity events that are deemed reportable to the department. A cybersecurity event becomes an "incident" if it, directly or indirectly:
Has an adverse impact on the normal operations of the permittee’s collection systems or treatment facility.
Has a reasonable likelihood of harming any part of the normal operations of the permittee’s collection systems or treatment facility.
Compromises the confidentiality, integrity, or availability of SPDES program data or results in loss or damage to the permittee’s collection systems or treatment facility.
Delays or prevents the permittee from complying with all provisions of its SPDES permit.
Essentially, all incidents are events, but only events that meet the criteria of having a significant actual or likely adverse impact on operations, data, or permit compliance are considered reportable incidents.
The costs for compliance vary significantly based on the size and existing cybersecurity maturity of the entity. For Publicly Owned Treatment Works (POTWs):
Definitions and References: $0
Vulnerability Management Process (including cyber asset inventory): Can range from $0 to $269,263 annually for larger enterprises (100-999 employees), with smaller systems having lower costs. The costs depend on the level of automation and whether new tools are purchased.
Secure Network Structure: Can range from $0 to $269,263 annually for larger enterprises, depending on configuration management tools and firewall needs.
Network Monitoring and Logging: Can range from $0 to $269,263 annually for larger enterprises, heavily influenced by log volume, storage duration, and chosen tools (e.g., free options like CISA's Logging Made Easy can reduce costs for smaller utilities).
The total annual costs for POTWs can range from $0 to over $269,263, with average estimates for a 100-999 employee enterprise potentially being around 17%-20% of an overall IT budget.
For Public Water Systems (PWS):
Systems serving 3,300 to 50,000 people: Cybersecurity costs are estimated to be $0-$150,000 per year.
Systems serving more than 50,000 people: Cybersecurity costs are estimated to be $0-$5,000,000 per year.
Cyber Asset Inventory: For systems with fewer than 100 assets, $0-$24,500 annually; for systems with 500-1000 assets, $0-$135,000 annually.
Qualified Executive (for systems >50,000 people): Most large systems are anticipated to already have such a professional, so additional costs might be minimal.
Monitoring and logging network activities (for systems >50,000 people): Estimated between $0-$54,000 per year.
New York State has allocated $2.5 million in a new cybersecurity grant program through the Environmental Facilities Corporation to support compliance, though this may not cover full costs.
The DEC considered and rejected two alternative approaches:
Voluntary Compliance: This approach was deemed insufficient because it would likely lead to inconsistent implementation of protections, leaving some facilities highly vulnerable. It would also result in a lack of accountability and might allow facilities to ignore growing cyber threats. Given the increasing sophistication of cyber threats, delaying mandatory action was considered irresponsible.
Mandating All EPA Cybersecurity Controls: This alternative was rejected due to concerns about imposing an undue economic burden on the regulated community. While EPA guidance is valuable, requiring every recommended control could lead to excessive costs, potential non-compliance, and operational challenges for many water and wastewater systems. The proposed regulations aim for a balanced approach, selecting minimum controls that are both effective and financially sustainable for the diverse range of regulated entities, ensuring feasible cybersecurity improvements.
The compliance schedule varies slightly depending on the specific requirement and the type of system:
For wastewater treatment facilities (POTWs), the majority of the new cybersecurity controls and emergency response planning requirements are effective upon adoption. The annual certifications for compliance with the Emergency Response Plan and cybersecurity controls are due annually by March 28. The cybersecurity training requirements for certified wastewater operators apply to all certifications that expire on or after January 1, 2027. Incident reporting requirements for cybersecurity incidents go into effect immediately upon adoption.
For public water systems, sections 5-E.7 (cybersecurity training for operators) and 5-E.9 (cybersecurity incident notification) are effective immediately upon adoption of the regulation. All other requirements for covered water systems must be complied with by January 1, 2027. Operators must complete the required training by the end of their first full registration cycle following the effective date of the regulation.