New York state agencies need to do more to protect the state’s water systems from threats like cyberattacks and natural disasters, according to an audit released by state comptroller Thomas DiNapoli.
“New York has thousands of water systems supplying drinking water,” DiNapoli said, “but as we’ve seen in other states, this critical infrastructure is increasingly targeted by cyber and other attacks.”
Cyberattacks on water systems can cause widespread illness, death and lasting harm to a state’s economy.
“In recent years, water systems around the country have been shown to be vulnerable to cyberattacks and physical attacks, including contamination with deadly agents and toxic chemicals,” DiNapoli said.
Moody’s Investors Service said in a recent report that cyber risks pose growing challenges to municipalities across the United States, which are already trying hard to keep up with the threats.
In order to see what’s being done around New York to shore up security, the comptroller’s office conducted an audit of water systems.
By law, New York’s largest water systems are required to submit water supply emergency plans to the state Department of Health for review at least once every five years.
These plans include an Emergency Response Plan (ERP) and a Vulnerability Assessment (VA). The VAs must identify potential vulnerabilities to natural disasters and must include a Cybersecurity Vulnerability Assessment (CVA) that identifies vulnerabilities to terrorist attacks and cyberattacks.
The audit looked at whether the 317 community water systems outside New York City required to submit these plans had viable and up-to-date VAs and ERPs.
It also examined whether the DOH and Division of Homeland Security and Emergency Services (DHSES) are effectively working together in sharing information about risks identified by VAs.
The review of the 317 plans outside of New York City found that 32 water systems had out-of-date ERPs, including 15 that were over a decade old; 33 had out-of-date VAs, including 16 over a decade old; and 30 did not have CVAs, which were first due in 2018.
The audit also found DOH sends letters to water systems when their plans need revisions but does little to follow up or provide enforcement if systems don’t send revisions or are late in submitting them.
In response, DOH officials said an out-of-date plan does not necessarily mean an updated version hasn’t been submitted. They said that in some cases, the plans only appear to be missing because the local health departments have them but haven’t sent them to the state yet.
The audit countered that this might account for some missing plans but didn’t explain why some were more than a decade old.
The audit said there should be more collaboration between agencies and made several recommendations to improve guidance and oversight of water system operators’ emergency plans.
It recommended DOH develop and implement a method to monitor the timeliness of water systems’ plan submissions, follow up to ensure revisions and updates are made, and provide better guidance to local health departments. It also recommended that DOH and DHSES strengthen follow-up efforts on recommendations from DHSES to water systems.
In its response, DOH said it created a formal policy to monitor plan submissions and increase enforcement against systems that miss deadlines. It agreed greater communication and participation of local health departments with DHSES site visits and calls would benefit the monitoring.
DHSES said it has no authority to make local water systems follow its recommendations.
In its report, Moody’s noted some states are substantially increasing their budgets to support local governments.
“New York increased its cybersecurity budget by $35 million, or 57%. The additional funding will go toward supporting the state-shared services that help local governments identify security gaps and other cybersecurity enhancements statewide,” according to Gregory Sobel, Moody’s assistant vice president.
The money will also back up county-level cybersecurity efforts through fiscal 2024 and aid the New York State Joint Security Operations Center.
Issuers across the state ranked first in the nation for municipal bond issuance in 2022, up from number three in 2021, and sold more than $49.39 billion of debt last year, according to Refinitiv. The state’s general obligation bonds are rated Aa1 by Moody’s Investors Service and AA-plus by S&P Global Ratings, Fitch Ratings and Kroll Bond Rating Agency.
DiNapoli stressed New York should be expanding its efforts to secure its water resources to safeguard its residents and its economy.
“The state should do more to ensure public water systems are protected from threats with security assessments and emergency plans that are accurate and up to date,” DiNapoli said.