New York's new water cybersecurity law and how to comply with it.

What the SECURE grant covers, what Access Gate does, and how they fit together.

What Just Happened

On March 11, 2026, Governor Hochul signed first-in-nation cybersecurity regulations for all New York water and wastewater operators. Every system must now meet minimum standards — asset inventory, access controls, incident reporting, and MFA — aligned to EPA and CISA guidance. To help communities comply, the state launched the SECURE grant program, administered by the Environmental Facilities Corporation (EFC). Money is available now. The deadline is May 15. See the EFC Cybersecurity Hub

$50K

For a cybersecurity assessment

· Risk assessment & penetration testing
· Network review & asset inventory
· Compliance roadmap

$100K

To implement upgrades

· Firewalls & segmentation
· Access control systems
· Monitoring & alerting
· Incident response planning

How Access Gate Helps

No disruption

Connects in days. Operations never stop.

Plugs into your existing network. No software installed on PLCs or SCADA. No VLANs, no recabling, no downtime.

Full visibility

Instant inventory of every device on your network.

Automatically finds all IT, OT, and IoT equipment — including legacy systems. Produces the asset inventory required for the $50K assessment grant.

Compliance-ready

Covers what the new regulations require.

Covers access controls, MFA for legacy equipment, network segmentation, and audit logging — priced within the $100K upgrade grant ceiling.

EFC 12-Step Checklist — What Access Gate Covers

#	Step	What Access Gate Does	Coverage
1	Change default passwords Flags weak or default credentials on every discovered device.	Flags weak or default credentials on every discovered device.	YES
2	Strong password policy Enforces credential policy through the access control layer.	Enforces credential policy through the access control layer.	PARTIAL
3	Enforce access controls Who can connect to what, when — enforced and logged automatically.	Who can connect to what, when — enforced and logged automatically.	YES
4	Inventory all assets Finds every device on your network — OT, IT, IoT. Output used directly as a grant deliverable.	Finds every device on your network — OT, IT, IoT. Output used directly as a grant deliverable.	YES
5	Back up systems Outside scope. Access Gate identifies systems with no backup configured.	Outside scope. Access Gate identifies systems with no backup configured.	MANUAL
6	Keep software updated Shows firmware and software versions for all devices — you can see what needs updating.	Shows firmware and software versions for all devices — you can see what needs updating.	PARTIAL
7	Incident response plan Full event log and real-time alerts — gives you the timeline every IR plan needs.	Full event log and real-time alerts — gives you the timeline every IR plan needs.	PARTIAL
8	Enable MFA Enforces multi-factor authentication even on old PLCs and HMIs that can't support it natively.	Enforces multi-factor authentication even on old PLCs and HMIs that can't support it natively.	YES
9	Identify phishing Outside scope. Staff training and email security required.	Outside scope. Staff training and email security required.	MANUAL
10	OT not on open internet Wraps all OT equipment in a secure layer — no device is directly internet-exposed.	Wraps all OT equipment in a secure layer — no device is directly internet-exposed.	YES
11	Manage user privileges Every user only sees what they're supposed to. Full visibility for your cybersecurity lead.	Every user only sees what they're supposed to. Full visibility for your cybersecurity lead.	YES
12	Review security resources Compliance gap report delivered at end of deployment, aligned to EFC, EPA, and CISA guidance.	Compliance gap report delivered at end of deployment, aligned to EFC, EPA, and CISA guidance.	PARTIAL

Key

YESHandled automatically — nothing extra needed

PARTIALAccess Gate does the hard part; you complete the step

MANUALStandard IT practice — no additional product needed

Coverage at a Glance

Fully Covered

Mostly Covered

Standard IT

The 2 manual steps — backups, phishing training, and resource review — don't require any additional product. Your team likely already handles them.

Next Step

The deadline is May 15. Let's get started.

We'll walk you through how Access Gate maps to the EFC checklist, help scope your grant application, and get you deployed before the deadline.

Deploys in days, not months

One appliance, plugs into your existing network. No disruption to water treatment operations.

Priced for the grant

Access Gate fits within the $100K upgrade ceiling. We can help you scope the application to maximize coverage.

Questions

SECURE Grant & Access Gate FAQ

May 15

Grant application deadline

The SECURE grant is administered by the New York Environmental Facilities Corporation. It provides up to $50,000 for cybersecurity assessments and up to $100,000 for cybersecurity upgrades for water and wastewater systems across New York State. The application deadline is May 15, 2026.

Yes. The Access Gate covers access control systems, network segmentation, monitoring and alerting, and incident response planning — all categories explicitly listed in the upgrade grant. It is priced to fit within the $100K ceiling.

The Access Gate connects in days — not weeks or months. It plugs into your existing network with no changes to PLCs, SCADA, or HMIs. No VLANs, no recabling, no downtime. Your operations continue uninterrupted.

No. The Access Gate is agentless. It protects devices at the network layer without installing anything on endpoints. This is critical for legacy OT equipment that cannot run modern security agents.

Access Gate aligns with the EPA Water Sector Cybersecurity Guidance, CISA Critical Infrastructure guidelines, and the EFC 12-Step Cybersecurity Checklist. It also maps to NIST SP 800-82 and IEC 62443 for industrial environments.