TroutTrout
New York · DOH & DEC compliance

Water & wastewater cybersecurity for New York

New York is the first state to require cybersecurity for public water and wastewater systems. If you serve more than 3,300 people, the DOH and DEC rules take effect January 1, 2027. Here is what they require, how the SECURE grant pays for it, and how to comply with the staff you already have.

New York water treatment control systems
Jan 1 2027

DOH and DEC operational technology deadline

3,300+

people served: the threshold where the rules apply

318

NY public water systems covered by the rules

$2.5M

SECURE grant program, administered by EFC

What the rules require, and by when

In March 2026, Governor Hochul announced finalized cybersecurity regulations for public water and wastewater systems, developed jointly by DOH (drinking water) and DEC (wastewater) and aligned with federal EPA and CISA guidance. Incident reporting and operator training apply now; the IT rules took effect January 1, 2026; the core OT rules take effect January 1, 2027.

  • A formal cybersecurity program aligned with the six functions of NIST CSF 2.0.
  • Annual vulnerability assessments, updated within 30 days of any major infrastructure change.
  • A cyber asset inventory, authentication and access management, and network monitoring and logging.
  • Incident reporting to DOH within 24 hours, vulnerability reporting within 48 hours.
  • A tested incident response plan and cybersecurity training for certified operators.

Systems above 50,000 people must also appoint a designated cybersecurity lead and conduct continuous monitoring. For the full walkthrough, including the OT asset inventory method and the air-gap exemption, see the operator field guide.

Coverage

How Access Gate covers the DOH and DEC requirements

What the rules ask for, and where an on-premise access layer meets it. Some items are yours to own, and we mark those plainly.

RequirementWhat NY requiresHow Access Gate covers itCoverage
Cyber asset inventoryIdentify every device on the OT networkAgent-free discovery maps PLCs, HMIs, SCADA servers, and remote links from day one, including legacy gear that cannot run an agent.Covered
Authentication & access managementControl who can reach critical systemsEvery session is authenticated and tied to a named user. Operators and vendors reach only what they are authorized to, time-boxed and revocable.Covered
Segmentation (IT/OT and within OT)Separate the plant floor from the office networkMicrosegmented enclaves enforced at the network level, without recabling or touching existing VLANs.Covered
Monitoring & loggingRecord activity on critical systemsTamper-evident session records: identity, equipment, commands, duration. Usable by a SIEM or in an investigation.Covered
Incident reporting (24h to DOH)Report incidents within 24 hours of detectionThe audit trail gives you the timeline to report accurately inside the window. It supports, but does not replace, the reporting process.Partial
Annual vulnerability assessmentAssess, updated within 30 days of a major changeVisibility and asset data feed the assessment; the SECURE assessment grant is meant to pay for it.Partial
Tested incident response planKeep operations running during an attackAccess Gate supports containment and evidence, but the plan and its testing are yours to own.Out of Scope
Operator trainingCybersecurity training for certified operatorsOutside the product scope. Delivered through your certification and EFC's no-cost technical assistance.Out of Scope

Coverage reflects a typical deployment. Confirm scope for your system with the Trout team.

Operator questions

New York water cybersecurity, answered

Jan 1

2027 OT deadline

Any community water system serving more than 3,300 people. The rules, from the Department of Health (DOH) for drinking water and the Department of Environmental Conservation (DEC) for wastewater, cover about 318 public water systems, most in the 3,300 to 50,000 population band. Systems above 50,000 carry additional obligations. New York is the first state to finalize cybersecurity rules for public water and wastewater systems.

The core operational technology (OT) requirements from DOH and DEC take effect January 1, 2027. Information technology rules under the Public Service Commission took effect January 1, 2026. Incident reporting and operator training obligations apply immediately on adoption. Because the OT work takes months, systems should start well ahead of 2027.

A formal cybersecurity program aligned with the six functions of NIST CSF 2.0; annual vulnerability assessments; a cyber asset inventory with authentication, access management, and network monitoring and logging; incident reporting to DOH within 24 hours and vulnerability reporting within 48 hours; a tested incident response plan; and cybersecurity training for certified operators. Systems above 50,000 also need a designated cybersecurity lead and continuous monitoring.

Yes. The SECURE grant, administered by the Environmental Facilities Corporation (EFC) and funded at $2.5 million, has an assessment track of up to $50,000 with no match and an implementation track of up to 20 percent of net eligible costs, capped at $100,000. The grant funds security equipment you own and install; subscription-based software is not eligible. EFC's Community Assistance Teams offer free assessments and can flag the next round.

Put one protective layer in front of the control equipment instead of software on every device. It authenticates who is asking, enforces what each user or device can reach, keeps PLCs off the open network, and produces tamper-evident records. This meets the identify, protect, detect and respond functions the rules ask for, with no agent on legacy PLCs, no plant rebuild, and no dedicated OT security engineer, running with your existing IT support.

Meet the January 1, 2027 deadline with the staff you have

No agent on your PLCs, no plant rebuild, no dedicated OT security engineer. Grant-eligible as equipment, deployable in about three weeks.