New York’s Health Department (DOH) and Division of Homeland Security and Emergency Services (DHSES) can do more to protect the state’s water systems from attacks and the threats posed by natural disasters like storms, according to an audit released today by State Comptroller Thomas P. DiNapoli.
“New York has thousands of water systems supplying drinking water but, as we’ve seen in other states, this critical infrastructure is increasingly targeted by cyber and other attacks,” said DiNapoli. “The state should do more to ensure public water systems are protected from threats with security assessments and emergency plans that are accurate and up to date.”
There are nearly 9,000 public water systems in New York, including more than 2,800 community water systems. DOH is responsible for ensuring that New York’s water supply is suitable to drink and assisting local water systems with their security and emergency preparedness.
As of December 2022, 318 of New York’s largest water systems were required to submit a Water Supply Emergency Plan (plan) to DOH for review at least once every five years. The plans include an Emergency Response Plan (ERP) and a Vulnerability Assessment (VA). The VAs must identify potential vulnerabilities to natural disasters and must include a Cybersecurity Vulnerability Assessment (CVA) that identifies vulnerabilities to terrorist attacks and cyberattacks.
DiNapoli’s audit examined whether the 317 community water systems outside New York City that are required to submit these plans had viable and up-to-date VAs and ERPs. It also examined whether DOH and DHSES are effectively collaborating in sharing information about risks identified by VAs.
Attacks on water systems can cause widespread illness and casualties, impacting public health and economic vitality. In recent years, water systems around the country have been shown to be vulnerable to cyberattacks and physical attacks, including contamination with deadly agents and toxic chemicals. Ransomware attacks, according to the Governor’s 2023 State of the State book, rose 13% nationwide in 2021, and New York’s water systems have been targets for hackers. In 2013, for example, a water dam in Rye, NY was targeted by foreign attackers who were able to infiltrate the dam’s internet connection. Threats in the state continue to persist. In 2022, DHSES responded to 57 cyber incidents involving local governments.
DiNapoli’s audit found that while most water systems had submitted plans, a number of them were over a decade old and some had never submitted a CVA.
The review of the 317 plans outside of New York City found:
- 32 water systems (10%) had out-of-date ERPs, including 15 that were over a decade old.
- 33 water systems (10%) had out-of-date VAs, including 16 over a decade old.
- 30 water systems (9% of those audited) did not have CVAs, which were first due 2018.
The audit found that, although DOH sends letters to water systems when their plans need revisions, it does little to follow-up or provide enforcement if systems don’t send revisions or are late submitting them.
DOH officials said that an out-of-date plan does not necessarily mean an updated version has not been submitted. They said that in some cases, the plans only appear to be missing because the local health departments have them, but just have not sent them to DOH. The audit concluded that this might account for some missing plans but doesn’t explain why some are more than a decade old.
The audit found there should be more collaboration between agencies.
DiNapoli’s audit includes several recommendations to improve DOH and DHSES guidance and oversight of water system operators’ emergency plans. It recommends that DOH develop and implement a method to monitor the timeliness of water systems’ plan submissions, follow up to ensure revisions and updates are made, and provide better guidance to local health departments. It also recommends that DOH and DHSES strengthen follow-up efforts on recommendations from DHSES to water systems.
In its response, DOH stated that it has created a formal policy to monitor plan submissions and escalate enforcement against water systems that miss deadlines. It agreed that greater communication and participation of local health departments with DHSES site visits and calls would benefit monitoring of water systems.
DHSES stated that it has no authority to compel local water systems to follow up on its recommendations. It also stated that it has invited local health departments to participate in site visits and calls regarding its recommendations to water systems.
The agencies’ responses are available in the audit.