ALBANY, N.Y. — New York’s Department of Health (DOH) and Division of Homeland Security and Emergency Services (DHSES) can do more to protect the state’s water systems from cyberattacks, terrorism, and the threats posed by natural disasters like storms. That’s according to an audit that New York State Comptroller Thomas DiNapoli released June 27. “New […]
Get Instant Access to This Article
Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.
- Critical Central New York business news and analysis updated daily.
- Immediate access to all subscriber-only content on our website.
- Get a year's worth of the Print Edition of The Central New York Business Journal.
- Special Feature Publications such as the Book of Lists and Revitalize Greater Binghamton, Mohawk Valley, and Syracuse Magazines
Click here to purchase a paywall bypass link for this article.
ALBANY, N.Y. — New York’s Department of Health (DOH) and Division of Homeland Security and Emergency Services (DHSES) can do more to protect the state’s water systems from cyberattacks, terrorism, and the threats posed by natural disasters like storms.
That’s according to an audit that New York State Comptroller Thomas DiNapoli released June 27.
“New York has thousands of water systems supplying drinking water but, as we’ve seen in other states, this critical infrastructure is increasingly targeted by cyber and other attacks,” DiNapoli said. “The state should do more to ensure public-water systems are protected from threats with security assessments and emergency plans that are accurate and up to date.”
New York state has nearly 9,000 public-water systems, including more than 2,800 community water systems. DOH is responsible for ensuring that New York’s water supply is suitable to drink and assisting local water systems with their security and emergency preparedness, DiNapoli’s office said.
Background
As of December 2022, 318 of New York’s largest water systems were required to submit a water supply emergency plan to DOH for review at least once every five years. The plans include an emergency-response plan (ERP) and a vulnerability assessment (VA).
The VAs must identify potential vulnerabilities to natural disasters and must include a cybersecurity vulnerability assessment (CVA) that identifies vulnerabilities to terrorist attacks and cyberattacks, DiNapoli’s office said.
The comptroller’s audit examined whether the 317 community water systems outside New York City that are required to submit these plans had viable and up-to-date VAs and ERPs. It also examined whether DOH and DHSES are “effectively collaborating” in sharing information about risks identified by VAs.
Attacks on water systems can cause “widespread illness and casualties, impacting public health and economic vitality,” DiNapoli’s office said.
In recent years, water systems around the country have been shown to be vulnerable to cyberattacks and physical attacks, including contamination with deadly agents and toxic chemicals. Gov. Kathy Hochul’s 2023 State of the State book noted that ransomware attacks rose 13 percent nationwide in 2021.
New York’s water systems have been targets for hackers. In 2013, for example, a water dam in Rye was targeted by foreign attackers who were able to infiltrate the dam’s internet connection. Threats in the state “continue to persist.” In 2022, DHSES responded to 57 cyber incidents involving local governments, DiNapoli’s office said.
The state comptroller’s audit found that most water systems had submitted plans, but a number of them were more than a decade old and some systems had never submitted a CVA.
The review of the 317 plans outside of New York City found 32 water systems (or 10 percent) had out-of-date ERPs, including 15 that were over a decade old; 33 water systems (or 10 percent) had out-of-date VAs, including 16 over a decade old; and 30 water systems (or 9 percent of those audited) did not have CVAs, which were first due 2018.
The audit found that DOH sends letters to water systems when their plans need revisions, but “it does little” to follow up or provide enforcement if systems don’t send revisions or are late submitting them.
DOH officials said that an out-of-date plan “does not necessarily mean” an updated version has not been submitted. In some cases, they said the plans only appear to be missing because the local health departments have them and just haven’t sent them to DOH. The audit concluded that this might account for some missing plans but doesn’t explain why some are more than a decade old.
The audit found “there should be more collaboration” between agencies.
Recommendations, responses
DiNapoli’s audit includes several recommendations to improve DOH and DHSES guidance and oversight of water-system operators’ emergency plans. It recommends that DOH develop and implement a method to monitor the timeliness of water systems’ plan submissions, follow up to ensure revisions and updates are made, and provide better guidance to local health departments.
It also recommends that DOH and DHSES strengthen follow-up efforts on recommendations from DHSES to water systems.
In its response, DOH said that it has created a formal policy to monitor plan submissions and escalate enforcement against water systems that miss deadlines, according to DiNapoli’s office. The department agreed that greater communication and participation of local health departments with DHSES site visits and calls would benefit monitoring of water systems.
DHSES also said that it has “no authority to compel” local water systems to follow up on its recommendations, DiNapoli’s office noted. It also noted that it has invited local health departments to participate in site visits and calls regarding its recommendations to water systems.