New York is the first state to require cybersecurity for public water systems. The requirements were added to 10 NYCRR Part 5, the state's drinking water regulation, as a new Appendix 5-E. If your system serves more than 3,300 people, they apply to you, and the main operational technology (OT) requirements take effect January 1, 2027.
This post explains what the rules require, who they cover, and how to prepare.
Preparing for the deadline? Trout runs live sessions on New York's Part 5 and Part 6 rules with the operators and engineers doing the work. See the schedule on the NY Part 5 & 6 NYCRR webinar page.
What is 10 NYCRR Part 5?
10 NYCRR Part 5 is the part of the New York State Sanitary Code that governs drinking water. Subpart 5-1 covers public water systems: water quality standards, monitoring, operator certification, and how treatment and distribution are run. DOH already uses it to regulate your system.
The cybersecurity requirements were added to this same regulation, as Appendix 5-E, published in the New York State Register on July 16, 2025. Because they sit inside Part 5, cybersecurity is now part of operating a public water system, checked through the same sanitary surveys and inspections that already review your system.
Wastewater is covered separately by the Department of Environmental Conservation (DEC). DOH and DEC wrote the two sets of rules together and aligned them with federal EPA and CISA guidance. A utility that runs both drinking water and wastewater can follow one program.
Who must comply, and by when?
The rules apply based on how many people your system serves.
| Your system serves | What applies |
|---|---|
| Fewer than 3,300 people | The full program is not required. Basic security still matters, and grant-funded help is available. |
| More than 3,300 people | The full Appendix 5-E program applies. This covers about 318 systems statewide, most serving 3,300 to 50,000 people. |
| More than 50,000 people | Everything above, plus a designated cybersecurity lead and continuous monitoring. |
There are three separate deadlines:
| Requirement | Effective date |
|---|---|
| Incident reporting and operator training | On adoption (now) |
| Information technology rules (Public Service Commission) | January 1, 2026 |
| Core operational technology rules (Appendix 5-E) | January 1, 2027 |
The OT requirements take the longest to meet. Building an asset inventory, adding authentication in front of older controllers, and setting up network monitoring across pump stations takes months, and the work has to be scheduled around plant operations. Starting in mid-2026 is late.
What does Appendix 5-E require?
Appendix 5-E follows the six functions of NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. Here is what each one asks for.
| NIST CSF 2.0 function | What Part 5 requires |
|---|---|
| Govern | A documented cybersecurity program. Systems above 50,000 must name a designated cybersecurity lead responsible for it. |
| Identify | A cyber asset inventory covering the OT that runs treatment and distribution. Annual vulnerability assessments, updated within 30 days of any major infrastructure change. |
| Protect | Authentication and access management for systems and devices. Cybersecurity training for certified operators. |
| Detect | Network monitoring and logging. Continuous monitoring for systems above 50,000. |
| Respond | A tested incident response plan. Incident reporting to DOH within 24 hours of detection, vulnerability reporting within 48 hours. |
| Recover | Documented, tested recovery so a compromised system can be returned to safe operation. |
You do not need to replace your SCADA. You need to know what is on your network, control who can reach it, monitor it, and keep records that show you did.
The requirements that are hardest for small systems
Three requirements take the most time in practice.
The OT asset inventory. You cannot protect or monitor a device you have not listed. Most utilities have documented their HMIs and historian, but not the RTU at a remote booster station, the vendor's cellular modem, or the laptop that connects to the PLC network. Appendix 5-E expects the inventory to cover the equipment that runs the process, which is the equipment that is hardest to see. Start here. The assessment, the monitoring, and the incident response plan all depend on it.
Authentication for equipment that cannot authenticate. An older PLC has no user accounts, no password policy, and no MFA. The rule still expects access to it to be controlled and tied to a named person. The practical way to do this is to add authentication at the network instead of on the device. You put a control point in front of the PLC, so every connection is tied to a person and protected by MFA, without changing the PLC itself. We explain how this works in How to Implement MFA in Legacy OT Environments Without Breaking Operations.
The 24-hour reporting window. You have to report an incident to DOH within 24 hours of detecting it. That is hard to do without logs that connect a change on a controller to a session and a person. Network monitoring and a tamper-evident record give you the timeline you need to report on time. These are the same controls the Detect and Respond functions already require.
The operator field guide covers the asset inventory method and the air-gap exemption in more detail.
How Part 5 fits with EPA, DEC, and CISA
Part 5 builds on federal rules and sits next to the state wastewater rule. Knowing how they connect keeps you from doing the same work twice.
- Federal (EPA / AWIA): Under Safe Drinking Water Act section 1433, systems serving more than 3,300 people already have to complete a Risk and Resilience Assessment and an Emergency Response Plan that cover cybersecurity. Part 5 turns that into a state program with specific controls. If you are due for AWIA recertification, do it alongside your Part 5 assessment so the same work counts for both.
- State wastewater (DEC): DEC's rules apply the same approach to wastewater. A combined utility should run one program.
- CISA: The controls follow CISA's guidance for the water sector, so meeting Part 5 also addresses the issues CISA advisories raise.
The New York DOH and DEC compliance hub shows the full picture, including how each requirement maps to an on-premise access layer.
How to pay for it: the SECURE grant
New York funded this. The state set up a grant program through the Environmental Facilities Corporation, with free technical assistance, to help systems meet the requirements. For a small utility, the grant can cover much of the assessment and the first set of controls. You can find eligibility and how to apply on the SECURE grant resource page. Line up the funding before you scope the work.
A practical order of work
If you are starting from scratch, this order avoids rework:
- Inventory the OT. List every device that touches treatment and distribution, including remote sites and vendor connections.
- Run the vulnerability assessment, using the inventory. The same assessment counts for AWIA recertification.
- Control access. Add an MFA-protected control point in front of equipment that cannot protect itself, and tie every session to a person.
- Turn on monitoring and logging across sites, with a tamper-evident record that supports 24-hour reporting.
- Write and test the incident response plan. A plan you have never tested will not hold up during a real event or an inspection.
- Train your certified operators, using training that qualifies under the DOH and DEC criteria.
Other states are writing similar rules, so a real program now will serve you beyond New York. Start with the inventory, use the SECURE grant to fund it, and work through the details with the field guide.