Trout

New York water cybersecurity: the operator field guide.

What New York's DOH and DEC rules require for water and wastewater control systems serving 3,300 to 50,000 people, the January 1, 2027 deadline, SECURE grant funding, and how to comply with the staff you already have.

In short

New York is the first state to finalize cybersecurity rules for public water and wastewater systems. If you serve more than 3,300 people, you must meet the operational technology (OT) requirements by January 1, 2027. The state estimates the cost for a system in the 3,300 to 50,000 range at up to $150,000 a year, and has put $2.5 million toward it through the SECURE grant.

The gap this guide addresses is specific: small systems usually have IT support, but rarely anyone whose job is the PLCs, HMIs, and SCADA that run treatment and distribution. Office IT tools were not built for control equipment that is decades old and can fault if you scan it. The same handful of changes that meets the rules also closes most of your real exposure: an attacker cannot use a network path that isn't there.

  • 3,300+: New Yorkers served is the threshold at which the new rules apply. (NYS DOH / DEC, 2026)
  • 318: NY public water systems covered by the rules, most in the 3,300 to 50,000 band. (NYS proposed rule, 2025)
  • $2.5M: SECURE grant program administered by EFC, aligned with the new rules. (NYS EFC, 2026)

What New York requires, and by when

In March 2026, Governor Hochul announced finalized cybersecurity regulations for public water and wastewater systems, developed jointly by the Department of Health (drinking water) and the Department of Environmental Conservation (wastewater) and aligned with federal EPA and CISA guidance. The rules apply to community water systems serving more than 3,300 people; systems above 50,000 carry additional obligations.

Deadline | What applies | Notes
On adoption (now) | Incident reporting and operator training | Take effect immediately, not in 2027.
January 1, 2026 | Information technology rules (Public Service Commission) | The IT track runs a year ahead of OT.
January 1, 2027 | Operational technology rules (DOH and DEC) | The core OT deadline for the systems this guide addresses.

The core requirements for a 3,300 to 50,000 system

  • A formal cybersecurity program aligned with the six functions of NIST Cybersecurity Framework 2.0: govern, identify, protect, detect, respond, recover.
  • Annual vulnerability assessments, updated within 30 days of any major infrastructure change.
  • A cyber asset inventory, authentication and access management, and network activity monitoring and logging.
  • Incident reporting to DOH within 24 hours of detection, with vulnerability reporting within 48 hours.
  • A tested incident response plan that keeps operations running during an attack.
  • Cybersecurity training for certified operators, required for new and renewal certifications.

Systems above 50,000 people must also appoint a designated cybersecurity lead and conduct continuous monitoring. If you are near that threshold and growing, plan for it now.

Why office IT security does not close the gap

Your IT team is an asset, but their tools stop at a certain point. The rules are about operational technology specifically, and OT does not behave the way office IT does. Three gaps stay open.

01. The equipment cannot defend itself

A fifteen-year-old PLC cannot run antivirus or an endpoint agent, and may fault if you scan it. The protection cannot sit on the device. It has to sit in front of it.

02. The network is flat and trusted inside

In many plants, once you are on the network you can reach almost anything on it. A phished office PC can reach a control system directly if nothing separates the office network from the plant floor. The rules call for segmentation between IT and OT, and within OT.

03. Remote access accumulates invisibly

Remote access gets set up once, by whoever was around, and then no one looks at it again. CISA points to insecure remote access as one of the main ways attackers get into OT systems. If you fix one thing first, make it this.

Know your plant: building the OT asset inventory

An OT asset inventory is the first real piece of work. It is required by both the state rules and federal guidance, and it is also what the SECURE assessment grant is meant to pay for. Three steps your own team can do:

  • Walk the plant and list every device: what it is, where it is, what it controls, and whether anything outside can reach it.
  • Identify every way in: remote access tools, cellular and modem links at tanks and lift stations, vendor connections, and the IT/OT boundary.
  • Decide what each device needs to reach.

Most equipment only needs a few connections inside the plant. The smaller set that needs outside access is where your effort goes.
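The three inventory steps above can be checked against each other once they are written down. The following is an added example, not part of the original guide or any Trout tooling: it compares a constructed inventory and allow-list with a constructed list of observed connections, and every device name, zone label and flow in it is an assumption.

```python
"""Added example: review an OT asset inventory against observed connections.
Every device name, zone and flow below is constructed sample data."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto")

# Step one, the plant walk: device -> zone ("ot", "it" or "external").
INVENTORY = {
    "plc-filter-1": "ot", "plc-liftstation-3": "ot",
    "hmi-control-room": "ot", "scada-server": "ot",
    "office-pc-12": "it",
    "vendor-vpn": "external", "cell-modem-tank-2": "external",
}

# Step three: the flows each device actually needs (the allow-list).
NEEDED = {
    Flow("hmi-control-room", "scada-server", "opc-ua"),
    Flow("scada-server", "plc-filter-1", "modbus"),
    Flow("scada-server", "plc-liftstation-3", "modbus"),
    Flow("vendor-vpn", "scada-server", "rdp"),
}

# Step two: connections seen on the wire, e.g. a passive capture summary.
OBSERVED = [
    Flow("hmi-control-room", "scada-server", "opc-ua"),
    Flow("scada-server", "plc-filter-1", "modbus"),
    Flow("vendor-vpn", "scada-server", "rdp"),
    Flow("office-pc-12", "plc-filter-1", "modbus"),
    Flow("cell-modem-tank-2", "plc-liftstation-3", "modbus"),
    Flow("laptop-unknown", "hmi-control-room", "vnc"),
]

def review(inventory, needed, observed):
    """Compare what was seen with what was listed and what is needed."""
    def is_ot(name):
        return inventory.get(name) == "ot"
    # A crossing has exactly one end in OT: a way in (or out) of the plant.
    crossings = [f for f in observed if is_ot(f.src) != is_ot(f.dst)]
    undocumented = [f for f in observed if f not in needed]
    unlisted = sorted({n for f in observed for n in f[:2] if n not in inventory})
    return {"crossings": crossings, "undocumented": undocumented,
            "unlisted_devices": unlisted, "no_crossing_seen": not crossings}

if __name__ == "__main__":
    for key, value in review(INVENTORY, NEEDED, OBSERVED).items():
        print(f"{key}: {value}")
```

An empty `crossings` list only means no crossing was seen during the capture; an idle modem or unused vendor link will not show up in traffic, which is why the plant walk still comes first.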

Paying for it, and buying without a bid

Two things stall small systems even after they know what to do: paying for it, and public purchasing rules that can turn a straightforward buy into a months-long bid. New York put money toward the first through the SECURE grant, administered by the Environmental Facilities Corporation (EFC). Cooperative purchasing handles the second.

The SECURE grant

Funded at $2.5 million with two tracks: an assessment grant of up to $50,000 with no match, and an implementation grant of up to 20% of net eligible costs, capped at $100,000. The first round closed May 15, 2026; EFC's Community Assistance Teams can tell you the current status.

The line that changes how you buy

The grant funds procurement and installation of security equipment (firewalls, segmentation devices, access control systems) but states that subscription-based software products are not eligible. To have the grant cover it, buy your OT security as an on-premise appliance you own and install, not a recurring subscription.

Even once the money is there, you usually do not have to run a competitive bid. A cooperative contract, where another public agency already ran the full competitive process, lets you skip the advertised bid: widely used options include Carahsoft, OMNIA Partners, and TIPS (the Interlocal Purchasing System), all accepted by New York municipalities. Confirm your entity can buy through the cooperative, get a quote citing the cooperative contract number, and issue the purchase order against it. One caution: EFC's grant terms call for specific contract language, so line up the application and the purchase together with EFC and your attorney.

What this looks like with Access Gate

Access Gate is Trout's Zero Trust product for industrial and operational environments. It goes in with no agent on existing equipment, no network reconfiguration, and no production downtime, sitting as one layer over what is already there. Trout is based in Kingston, New York, and Access Gate was built for plants like these: old control equipment, a small team with IT support but no dedicated OT security person, and a compliance date that is not moving. As an on-premise appliance you own and install, it fits the SECURE grant's equipment eligibility.

01. Asset inventory and mapping

A map of the equipment on your network from day one (PLCs, sensors, HMIs, SCADA servers), built by passive observation that does not probe fragile devices. This satisfies the asset inventory the rules require.

02. Granular enclaves

Logical network segments with precise flow rules: which equipment is reachable, in read or write, over which protocols, during which time windows. Applied without physical rewiring.
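To show what a flow rule with read or write access, a protocol and a time window has to decide, here is an added example that is not Access Gate's rule format or code. It is narrowed to Modbus, where the function code in each request tells a read from a write; the rule fields, device names and windows are hypothetical.

```python
"""Added example: default-deny flow rules for one OT enclave (Modbus only).
Rule fields, device names and windows are hypothetical, not a product format."""
from dataclasses import dataclass
from datetime import time

# Modbus function codes: 1-4 read coils/inputs/registers; 5, 6, 15, 16 write.
MODBUS_READ = {1, 2, 3, 4}
MODBUS_WRITE = {5, 6, 15, 16}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    access: str                # "read", or "write" (which also permits reads)
    start: time = time(0, 0)   # window start; start == end means all day
    end: time = time(0, 0)     # window end, exclusive

def modbus_access(function_code):
    """Classify a request; codes outside both sets return None (denied)."""
    if function_code in MODBUS_READ:
        return "read"
    if function_code in MODBUS_WRITE:
        return "write"
    return None

def in_window(rule, at):
    """True if `at` is inside the rule's window, including past-midnight wraps."""
    if rule.start == rule.end:
        return True
    if rule.start < rule.end:
        return rule.start <= at < rule.end
    return at >= rule.start or at < rule.end

def allowed(rules, src, dst, proto, function_code, at):
    """Default deny: permit only when one rule matches every attribute."""
    need = modbus_access(function_code) if proto == "modbus" else None
    if need is None:
        return False
    return any((r.src, r.dst, r.proto) == (src, dst, proto)
               and (need == "read" or r.access == "write")
               and in_window(r, at) for r in rules)

RULES = [  # constructed sample policy for one filter PLC
    Rule("scada-server", "plc-filter-1", "modbus", "write"),
    Rule("historian", "plc-filter-1", "modbus", "read"),
    Rule("vendor-laptop", "plc-filter-1", "modbus", "write", time(8), time(17)),
]
```

With these rules the historian can poll registers but not change a setpoint, and the vendor laptop can write only during the day shift; anything not named, including any office PC, is denied.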

03. Controlled access

Every flow between the outside and the OT network passes through the Access Gate proxy, which authenticates the session, applies your authorization rules, and records the activity. A user reaches what they are authorized to reach, and nothing else.

04. Continuous audit

A complete, tamper-evident trace of each session: identity, equipment contacted, commands issued, duration, and result. Stored out of reach of any single user and usable by a SIEM or in a forensic investigation, this is what lets you report an incident inside the 24-hour window.

Visibility from day one. A typical deployment (mapping, then the first enclave, then progressive hardening) runs about three weeks for a standard-sized site.

Where to start

A sensible first step costs nothing

  • Do the plant walk and build your OT asset and connection inventory.
  • Request a free assessment from EFC's Community Assistance Teams, and ask about the next SECURE grant round.
  • Let a discovery run confirm what you found, often surfacing connections no one remembered.
  • Plan the grant and the purchase at the same time, so one does not trip up the other.

Sources

Figures, deadlines, and requirements are drawn from the primary sources below. Deadlines and grant rounds change; confirm current details with the state and your regulator before acting.

  1. New York State, Governor Hochul Announces First-in-Nation Cybersecurity Regulations and Grants to Protect New York Water Systems (March 2026).
  2. New York State, Announcement of regulations and compliance timeline (July 2025). January 1, 2027 OT date; January 1, 2026 IT date.
  3. Western Water, Guarding the Gate: EPA expands cyber tools for water utilities (October 2025).
  4. Small Wars Journal (ASU), Securing the Flow: National Security Vulnerabilities in the US Water Supply (May 2025). Muleshoe TX, Veolia, American Water.
  5. The Record, Many US water systems exposed to high-risk vulnerabilities (November 2024). EPA Inspector General: 97 systems, 26.6 million people.
  6. CISA, NSA, EPA and partners, Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators (August 2025).
  7. The Record, New York unveils new cyber regulations and $2.5 million grant program (September 2025). 318 covered systems; 50,000 threshold.
  8. GovInfoSecurity, New York Unveils Nation-Leading Water Sector Cyber Rules (July 2025). Six NIST CSF 2.0 functions.
  9. Smart Water Magazine, New York sets national benchmark with cybersecurity rules for water utilities (March 2026). Annual assessments; 24-hour and 48-hour reporting.
  10. Infosecurity Magazine, New York Proposes Cybersecurity Regulations for Water Systems (July 2025).
  11. Water Online, Securing Smart Water (September 2025). Air-gap and low-public-health-risk exemptions.
  12. NYS Environmental Facilities Corporation, Cybersecurity Hub and Community Assistance Teams. Free assessments and no-cost technical assistance.
  13. NYS Environmental Facilities Corporation, SECURE Grant Program Summary (March 2026). Grant tracks, caps, eligible activities, subscription-software exclusion; first round deadline May 15, 2026.
  14. Industrial Cyber, New York introduces cybersecurity rules and $2.5 million grant program (March 2026). Grant caps: $50,000 assessment, $100,000 implementation.

Operator questions

New York water cybersecurity, answered

Jan 1, 2027 OT deadline

Any community water system serving more than 3,300 people. New York's rules, issued by the Department of Health (DOH) for drinking water and the Department of Environmental Conservation (DEC) for wastewater, cover about 318 public water systems, most in the 3,300 to 50,000 population band. Systems above 50,000 people carry additional obligations. New York is the first state to finalize cybersecurity rules for public water and wastewater systems.

The core operational technology (OT) requirements from DOH and DEC take effect January 1, 2027. Information technology (IT) rules under the Public Service Commission took effect January 1, 2026, a year ahead. Incident reporting and operator training obligations apply immediately on adoption. Because the OT work takes months, not weeks, systems should start well ahead of the 2027 deadline.

Six core obligations: a formal cybersecurity program aligned with the six functions of NIST Cybersecurity Framework 2.0 (govern, identify, protect, detect, respond, recover); annual vulnerability assessments, updated within 30 days of any major infrastructure change; a cyber asset inventory with authentication, access management, and network activity monitoring and logging; incident reporting to DOH within 24 hours of detection and vulnerability reporting within 48 hours; a tested incident response plan; and cybersecurity training for certified operators. Systems above 50,000 people must also name a designated cybersecurity lead and conduct continuous monitoring.

There is a narrow exemption for a plant with no connection at all, physical or logical, between OT and IT or any outside network (a true air gap), and for systems where a cyber incident would not put public health at risk. In practice, once you count remote access, vendor links, and cellular connections at tanks and lift stations, almost no plant is genuinely air-gapped. The way to confirm is the OT asset inventory the rules require anyway.

OT does not behave like office IT, and IT tools leave three gaps. First, the equipment cannot defend itself: a fifteen-year-old PLC cannot run antivirus or an endpoint agent and may fault if you scan it. Second, plant networks are often flat and trusted inside, so a phished office PC can reach a control system directly. Third, remote access accumulates invisibly over years, and CISA identifies insecure remote access as one of the main ways attackers get into OT systems. The rules require IT/OT segmentation precisely because a flat trusted network turns one compromised laptop into a path to the pumps.

Instead of putting software on every device, put one protective layer in front of the control equipment. It checks who is asking (authentication), enforces what each user or device is allowed to reach (segmentation), stands between the user and the device so PLCs are never exposed directly, and keeps tamper-evident records of every session. This satisfies the identify, protect, detect, and respond functions the rules ask for, without a dedicated OT security engineer, without installing software on legacy PLCs or SCADA, and without rebuilding the plant network. It runs with your existing IT support.

Three steps a utility's own team can do. One: walk the plant and list every piece of control equipment, recording what it is, where it is, what it controls, and whether anything outside the plant can reach it. Two: identify every way in (remote access tools, cellular and modem links at tanks and lift stations, vendor connections, and the IT/OT boundary). Three: decide what each device actually needs to reach. Most equipment only needs to talk to a few devices inside the plant; the smaller set that needs outside access is where your effort goes. A passive discovery tool can confirm the inventory and surface connections no one remembered.

Yes. New York's SECURE grant program is administered by the Environmental Facilities Corporation (EFC) and funded at $2.5 million, aligned with the new rules. It has two tracks: an assessment grant of up to $50,000 with no match, and an implementation grant of up to 20 percent of net eligible costs, capped at $100,000. The first application round closed May 15, 2026; EFC's Community Assistance Teams can tell you the current status and flag future rounds, and also offer free assessments and no-cost technical assistance.

The SECURE grant funds the procurement and installation of security equipment, and names firewalls, network segmentation devices, and access control systems as examples. Its terms state that subscription-based software products are not eligible. So to have the grant cover it, buy your OT security as equipment you own and install, such as an on-premise appliance, rather than as a recurring software subscription. Confirm the specific eligibility details with EFC and your finance office before you apply.

Usually yes, through a cooperative purchasing contract. Another public agency has already run the full competitive process and awarded a contract other public bodies can buy from, so the competition has already happened for you. Widely used options include Carahsoft, OMNIA Partners, and TIPS (the Interlocal Purchasing System), all accepted by New York municipalities. Confirm your entity can buy through the cooperative, get a quote citing the cooperative contract number, and issue the purchase order against it. One caution: EFC's grant terms call for specific contract language, so check the required terms with EFC and your attorney before signing.

Meet the January 1, 2027 deadline with the staff you have

No agent on your PLCs, no plant rebuild, no dedicated OT security engineer. Grant-eligible as equipment, deployable in about three weeks.