State officials need to do a better job of ensuring water systems are doing enough to assess potential attacks and the impact of natural disasters.
An audit released this week by Comptroller Tom DiNapoli's office found many large water systems in New York state outside of New York City have not provided updated assessments of their vulnerability to a variety of potential threats.
"If you think about it, doing any kind of response plan or a vulnerability assessment is a key part of risk management in any organization," said Sharon Salembier, an audit manager with the comptroller's office.
The audit reviewed 317 water systems, finding state officials have out-of-date emergency response plans from 10% of them, as well as out-of-date vulnerability assessments from a similar number.
Meanwhile, with cyber attacks a relatively recent threat, 9% of water systems do not have a cyber vulnerability report despite one being due in 2018.
"Practically everything has become more computerized and automated -- our cars, water systems, everything has some kind of complicated cyber component to it," Salembier said.
Water systems have been targeted by hackers. In 2013, a water dam in Rye was targeted by foreign attackers. Hackers in Florida were also able to gain access to water treatment controls. Last year, New York Homeland Security officials reported 57 cyber incidents that involved local governments.
"Everyone wants to know that their drinking water is protected," Salembier said. "There have been cyber attacks. Any one of those depending on the expertise of the perpetrators can take down or poison a system."
State officials need to work together to ensure the local water systems are providing up-to-date plans between state health officials and the Department of Homeland Security and Emergency Services, she said.
At the same time, state officials should also do more to encourage water systems to implement stronger protocols to guard against a catastrophe.
"We would provide stronger oversight," Salembier said. "There would be stronger oversight of the water systems if there was more active and intentional collaboration."
The Department of Health told auditors has created a formal policy to monitor risk assessments from water systems and increase enforcement.