Securing Smart Water

By Kevin Westerling,
@KevinOnWater

The digital transformation of utilities is necessary and inevitable but also innately vulnerable to bad actors. It’s time to discuss prioritizing cybersecurity.
With the rise of digital technologies (showcased throughout this edition of Water Innovations), cyber threats have become a growing concern for water and wastewater utilities, yet federal rules for cybersecurity measures remain elusive. States like New York are starting to fill the regulatory void, providing potential blueprints for others, while individual utilities would be wise to protect themselves — as best they can — even without a mandate. But what does that initiative and investment look like?
New York State recently proposed new cybersecurity regulations for water and wastewater utilities. Assuming no changes after public review, what would the rules require?
New York’s regulations create a two-tier compliance structure based on the population served, with systems serving over 3,300 people facing annual vulnerability assessments, formal cybersecurity programs, and 24-hour incident reporting requirements. For larger utilities serving over 50,000 people, additional obligations include appointing dedicated cybersecurity executives and implementing comprehensive network monitoring with logging capabilities. Beyond these core requirements, all covered systems must develop incident response plans and provide cybersecurity training for certified operators, though utilities with completely air-gapped systems remain exempt from compliance. The state has set implementation timelines of January 2026 for IT systems and January 2027 for operational technology systems.
What are your thoughts on the merits or importance of the regulations?
These regulations address a gap in protection for infrastructure that directly impacts public health and safety; last year, the EPA’s Office of Inspector General found that 97 U.S. drinking water systems already have important or high-risk cybersecurity vulnerabilities affecting over 26 million people. Water systems have historically operated with minimal cybersecurity oversight, despite serving millions of people who depend on reliable, clean water delivery. The phased approach and grant funding demonstrate an understanding that compliance requires both time and financial support, particularly for smaller utilities with limited resources. Most importantly, the regulations create accountability through mandatory reporting and designated leadership roles, transforming cybersecurity from an optional consideration into a business requirement.
Aren’t such measures, or some cybersecurity measures, needed everywhere? Are we on that path?
States are stepping into the regulatory void left by federal agencies after the EPA’s cybersecurity regulations were withdrawn due to industry lawsuits and court rulings, with New York setting a precedent that other states may follow based on their own risk assessments and political priorities. The approach makes sense because water systems are locally operated but face globally coordinated threats, requiring local accountability with standardized protection frameworks. In my experience, industry sectors rarely adopt comprehensive security measures without substantial regulatory or contractual pressure, despite business benefits. Financial services and healthcare are examples of this pattern, where regulatory requirements drove widespread security improvements that voluntary guidance never achieved.
What about the cost of cybersecurity implementation?
State estimates show annual costs ranging from $150,000 for smaller systems to $5 million for larger utilities, with the $2.5 million grant program covering only a fraction of total implementation expenses. The remaining costs will likely transfer to ratepayers or taxpayers, but this represents a small fraction of the economic impact from a disruptive attack on water infrastructure. Smart utilities will phase implementation over the compliance timeline, prioritizing high-impact, low-cost controls first, such as multifactor authentication and replacing default passwords that EPA inspections found at over 70% of water utilities. Budget discussions should frame these costs as insurance premiums rather than technology expenses, protecting against service disruptions that could cost millions per day.
What types of threats and ongoing cyber risks do utilities face, and what are the potential impacts?
Water utilities face sophisticated threat actors, including ransomware groups that use infostealer attack chains with malware. I’ve seen utilities struggle with vulnerabilities in human-machine interfaces that allow unauthorized system access and supply chain compromises that expose utilities as unintended victims. The financial consequences can be severe — service disruptions can cost over $100 million per day in lost revenue, while contamination incidents create liability exposure that could functionally end the operations of smaller utilities. With reports of electrical grid attack surfaces expanding daily, the evidence shows that IT-operational technology convergence allows attackers to move from administrative systems into water treatment controls, potentially affecting public health.
AI and machine learning are taking digital capabilities further, and fast! How do we continue to evolve while remaining protected from bad actors?
Start with security by design principles when implementing AI systems, treating them as high-value assets that require the same protection as operational control systems. The nuclear energy sector’s early AI adoption demonstrates both the potential benefits and risks, as utilities integrate AI for cost optimization while potentially expanding their attack surface. Organizations should implement AI governance frameworks that include security reviews for new AI deployments, data protection for training sets, and monitoring for AI system manipulation by threat actors. Utilities should focus first on building security expertise within their organization rather than relying solely on AI vendors, because utilities understand their operational risks better than any external provider.