New York's new water cybersecurity law and how to comply with it.
What the SECURE grant covers, what Access Gate does, and how they fit together.
The EFC SECURE grant funds NY water utilities to meet new state cybersecurity regulations enforced by DEC and DOH, with a compliance deadline of January 1, 2027. Access Gate is an on-premise appliance that covers 9 of the EFC 12-step requirements automatically: asset inventory, access controls, MFA for legacy OT, network segmentation, incident response logging, and more. It deploys in days within the $100K upgrade grant ceiling and maps directly to NIST CSF 2.0.
On March 11, 2026, Governor Hochul signed first-in-nation cybersecurity regulations for all New York water and wastewater operators. Every system must now meet minimum standards: asset inventory, access controls, incident reporting, and MFA enforced at the network layer for legacy PLCs that cannot run modern auth software, aligned to EPA and CISA guidance.

To help communities comply, the state launched the SECURE grant program, administered by the Environmental Facilities Corporation (EFC). The 2026 grant cycle closed on May 15, but the regulations themselves require compliance by January 1, 2027, enforced by DEC (wastewater) and DOH (drinking water). Implementation takes time. Operators starting now have a workable runway; those waiting until Q4 2026 do not.

See the EFC Cybersecurity Hub.
For a cybersecurity assessment
- Risk assessment & penetration testing
- Network review & asset inventory
- Compliance roadmap
To implement upgrades
- Firewalls & segmentation
- Access control systems
- Monitoring & alerting
- Incident response planning
Connects in days. Operations never stop.
Plugs into your existing network. No software installed on PLCs or SCADA. No VLANs, no recabling, no downtime.
See the lollipop architecture.
Instant inventory of every device on your network.
Automatically finds all IT, OT, and IoT equipment, including legacy systems. Produces the asset inventory required for the $50K assessment grant.
Covers what the new regulations require.
Covers access controls, MFA for legacy equipment, network segmentation, and audit logging. Priced within the $100K upgrade grant ceiling.
| # | Step | Details | Coverage |
|---|---|---|---|
| 1 | Change default passwords | Flags weak or default credentials on every discovered device. | YES |
| 2 | Strong password policy | Enforces credential policy through the access control layer. | PARTIAL |
| 3 | Enforce access controls | Who can connect to what, when, enforced and logged automatically. | YES |
| 4 | Inventory all assets | Finds every device on your network: OT, IT, IoT. Output used directly as a grant deliverable. | YES |
| 5 | Back up systems | Outside scope. Access Gate identifies systems with no backup configured. | MANUAL |
| 6 | Keep software updated | Shows firmware and software versions for all devices, so you can see what needs updating. | PARTIAL |
| 7 | Incident response plan | Full event log and real-time alerts give you the timeline every IR plan needs. | PARTIAL |
| 8 | Enable MFA | Enforces multi-factor authentication even on old PLCs and HMIs that can't support it natively. | YES |
| 9 | Identify phishing | Outside scope. Staff training and email security required. | MANUAL |
| 10 | OT not on open internet | Wraps all OT equipment in a secure layer; no device is directly internet-exposed. | YES |
| 11 | Manage user privileges | Every user only sees what they're supposed to. Full visibility for your cybersecurity lead. | YES |
| 12 | Review security resources | Compliance gap report delivered at end of deployment, aligned to EFC, EPA, and CISA guidance. | PARTIAL |

Coverage key: YES = Fully Covered, PARTIAL = Mostly Covered, MANUAL = Standard IT.
The 2 manual steps, backups, phishing training, and resource review, don't require any additional product. Your team likely already handles them.
Jan 1, 2027 is the real deadline. Let's get started.
Implementation takes weeks, not days. We will walk you through how Access Gate maps to the EFC checklist and the DEC/DOH regulations, scope your deployment, and get the asset inventory and access controls running before the compliance deadline.
Deploys in days, not months
One appliance, plugs into your existing network. No disruption to water treatment operations.
Priced for the grant
Access Gate fits within the $100K upgrade ceiling. We can help you scope the application to maximize coverage.
How Access Gate Maps to NIST CSF 2.0 and New York Regulations.
The grant application requires NIST CSF 2.0 alignment. The DEC and DOH regulations require specific control families. Access Gate maps to both. Each capability below shows the EFC step it satisfies, the NIST CSF 2.0 function it serves, and which regulation it addresses.
| Access Gate Capability | EFC Step(s) | NIST CSF 2.0 Function | Regulation |
|---|---|---|---|
| Passive OT asset discovery | 4 (Inventory) | Identify (ID.AM) | DEC, DOH |
| Network microsegmentation (overlay, no rewiring) | 10 (OT not on open internet) | Protect (PR.AC, PR.PT) | DEC, DOH |
| MFA enforcement for legacy OT (no agent required) | 8 (Enable MFA) | Protect (PR.AA) | DEC, DOH |
| JIT and time-limited vendor access | 3, 11 (Access controls, privileges) | Protect (PR.AA, PR.IR) | DEC, DOH |
| Session recording and audit logs | 7 (Incident response) | Detect (DE.AE), Respond (RS.AN) | DEC, DOH |
| Real-time network monitoring and alerting | 7 (Incident response) | Detect (DE.CM) | DEC, DOH |
| Incident response evidence and tamper-evident logs | 7 (Incident response) | Respond (RS.AN, RS.MI) | DEC, DOH |
| Air-gap and on-premise only operation | 10 (OT not on open internet) | Protect (PR.IR), Govern (GV.SC) | DEC, DOH |
For deeper coverage of the Detect and Respond functions specifically, see Network Traffic Logs for CMMC & IEC 62443 Compliance, which covers the same audit-evidence pattern that satisfies DEC and DOH logging requirements. For the full reference architecture behind a brownfield water-utility deployment (treatment plants, pump stations, distribution SCADA), see the Zero Trust for Utility OT whitepaper.
SECURE Grant & Access Gate FAQ
DEC/DOH compliance deadline
The SECURE grant is administered by the New York Environmental Facilities Corporation. It provides up to $50,000 for cybersecurity assessments and up to $100,000 for cybersecurity upgrades for water and wastewater systems across New York State. The 2026 application cycle closed on May 15. Future grant cycles are expected.
Yes. The Access Gate covers access control systems, network segmentation, monitoring and alerting, and incident response planning, all categories explicitly listed in the upgrade grant. It is priced to fit within the $100K ceiling.
The Access Gate connects in days, not weeks or months. It plugs into your existing network with no changes to PLCs, SCADA, or HMIs. No VLANs, no recabling, no downtime. Your operations continue uninterrupted.
No. The Access Gate is agentless. It protects devices at the network layer without installing anything on endpoints. This is critical for legacy OT equipment that cannot run modern security agents.
Access Gate aligns with the EPA Water Sector Cybersecurity Guidance, CISA Critical Infrastructure guidelines, and the EFC 12-Step Cybersecurity Checklist. It maps to NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover) and to NIST SP 800-82 and IEC 62443 for industrial environments.
Yes. The grant funded the path; the regulations still require the controls. The DEC and DOH OT cybersecurity regulations have a January 1, 2027 compliance deadline that applies regardless of grant funding. Future grant cycles are expected, but operators should not wait. Access Gate deploys in days and produces the asset inventory, access controls, segmentation, and audit logs the regulations require.
January 1, 2027. The OT-focused cybersecurity regulations under the New York Department of Environmental Conservation (DEC, for wastewater) and Department of Health (DOH, for drinking water) require water utilities to have asset inventory, access controls, network segmentation, monitoring, incident response capability, and audit logging in place by that date. Access Gate covers all of these at the network layer without touching the protected OT assets.