Cybersecurity Regulation for Drinking Water Systems

Overview of Cybersecurity Regulation

The National Institute of Standards and Technology (NIST) defines cybersecurity as protecting computer systems and electronic equipment from harm, making sure they work properly, and being able to restore them if something goes wrong. The goal is to keep systems available, accurate, secure, and reliable.

For water systems, this means protecting any computer-based or electronically operated equipment from unauthorized access, misuse, or damage. This includes control systems, pumps, valves, and data. These systems must remain safe, dependable, and able to operate without interruption.

Strong cybersecurity practices help ensure essential services remain safe and reliable. The regulation supports that goal by setting clear expectations to protect water systems from cyber threats that could affect public health and safety.

Covered Water Systems

Appendix 5-E (PDF) covers community water systems that serve more than 3,300 people. Additional requirements exist for community water systems that serve more than 50,000 people.

Cybersecurity Requirements

Requirement Summary Table:

View Cybersecurity Requirement Summary Table

Systems Serving More Than 3,300 People Must:

  1. Develop a cybersecurity program;
  2. Review and update a Cybersecurity Vulnerability Analysis (CVA) annually or in the event of a major water infrastructure change (see “Preparing Emergency Response Plans” for additional drinking water system guidance);
  3. Report identified cybersecurity vulnerabilities that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1 or that identify a situation that may pose a risk to public health, within 48 hours to the New York Department of Health;
  4. Begin or complete mitigation of cybersecurity vulnerabilities that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1, or that identify a situation that may pose a risk to public health, within 120 days;
  5. Verify that drinking water operators are trained in one hour of basic-level cybersecurity;
  6. Report cybersecurity incidents that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1, or that identify a situation that may pose a risk to public health, to the Department within 24 hours; and
  7. Maintain the ability to recover from cybersecurity incidents using an incident response plan.

Additional Requirements for Systems Serving More Than 50,000 People:

  1. Designate an individual deemed qualified by the covered water system’s owner, with demonstrable knowledge of cybersecurity principles and practical experience in system protection or risk management, who shall be the individual responsible for the system’s cybersecurity program;
  2. Have the designated individual certify every five years that the water system has an active cybersecurity plan;
  3. Have the designated individual annually submit a confidential written report to their governing body (such as the board, council, trustees, or other oversight body) summarizing the cybersecurity program and any significant cybersecurity risks; and
  4. Monitor and log the water system’s network activity.

Reporting Requirements

  • Report cybersecurity incidents that interfere with the water system’s ability to comply with Subpart 5-1, or any situation that may pose a risk to public health, to the Department within 24 hours of discovery.
    • To report to multiple agencies at one time, select the agencies you want to report to and you will only have to answer the questions once. If you choose to report to multiple agencies, but at different times, you will be directed to answer the same questions each time.
    • You must answer each question fully without referencing other answers. Never respond to a question with “see above” or “see below”, as not all agencies selected to receive your report receive all answers upon submission.
    • Each form must be completed and submitted in one session. To protect sensitive information, information cannot be saved and submitted at a later time and there is no way to edit the report after submission.
  • Report cybersecurity vulnerabilities identified in the CVA that interfere with the water system’s ability to comply with Subpart 5-1, or that pose a potential public health hazard, to the Department within 48 hours of discovery.
  • Contact Information:
    Email: TPP@health.ny.gov
    Phone: 518-402-7650
  • WaterISAC Reporting Page (Reporting encouraged but not required)

Cybersecurity Program Requirements (Section 5-E.6)

All covered water systems are required to establish a cybersecurity program that incorporates the findings from their cybersecurity vulnerability analysis. Cybersecurity program requirements include:

  • Inventory of cyber assets
  • Access control procedures
  • Detection and incident response procedures
  • Recovery plans
  • Review schedule
  • Network activity and monitoring (only required for systems serving more than 50,000)
  • Designated individual contact information (only required for systems serving more than 50,000)

Cybersecurity Vulnerability Analysis (CVA) (Section 5-E.5)

  • Most water systems already complete a cybersecurity vulnerability analysis as part of their emergency response plans to identify and reduce risks from intentional acts and unintentional events. The regulation simply builds on that process to help systems better document and address those risks. Water systems provide a critical service to the people of New York State. Annual review and updates ensure that newly discovered vulnerabilities are addressed as they arise.
  • Cybersecurity Vulnerability Assessment Checklist (PDF)

Exclusions

Community water systems may be excluded from most sections of Appendix 5-E (except Training, Emergency Response Plan, and Reporting) if they meet the following criteria:

  1. System has documented operational technology (OT)/information technology (IT) separation.
  2. System has documented OT/external network separation.
  3. Billing systems that are not under the direct control of the covered water system and do not affect the covered water system’s ability to comply with Subpart 5-1 or that do not pose a threat to public health.

Exclusion Request Form
