Water & wastewater cybersecurity for New York
New York is the first state to require cybersecurity for public water and wastewater systems. If you serve more than 3,300 people, the DOH and DEC rules take effect January 1, 2027. Here is what they require, how the SECURE grant pays for it, and how to comply with the staff you already have.

DOH and DEC operational technology deadline
people served: the threshold where the rules apply
NY public water systems covered by the rules
SECURE grant program, administered by EFC
Everything for the January 1, 2027 deadline
Operator field guide
The full walkthrough: what the DOH and DEC rules require, the deadline, SECURE grant funding, and how to comply with the staff you already have.
SECURE grant guide
The $2.5M EFC program: the $50K assessment and $100K implementation tracks, what is eligible, and how to buy without running a bid.
Upcoming webinars
Securing Municipal Water Systems and the NY Part 5 & 6 NYCRR rules, live with the operators and engineers doing the work.
What the rules require, and by when
In March 2026, Governor Hochul announced finalized cybersecurity regulations for public water and wastewater systems, developed jointly by DOH (drinking water) and DEC (wastewater) and aligned with federal EPA and CISA guidance. Incident reporting and operator training apply now; the IT rules took effect January 1, 2026; the core OT rules take effect January 1, 2027.
- A formal cybersecurity program aligned with the six functions of NIST CSF 2.0.
- Annual vulnerability assessments, updated within 30 days of any major infrastructure change.
- A cyber asset inventory, authentication and access management, and network monitoring and logging.
- Incident reporting to DOH within 24 hours, vulnerability reporting within 48 hours.
- A tested incident response plan and cybersecurity training for certified operators.
Systems above 50,000 people must also appoint a designated cybersecurity lead and conduct continuous monitoring. For the full walkthrough, including the OT asset inventory method and the air-gap exemption, see the operator field guide.
How Access Gate covers the DOH and DEC requirements
What the rules ask for, and where an on-premise access layer meets it. Some items are yours to own, and we mark those plainly.
| Requirement | What NY requires | How Access Gate covers it | Coverage |
|---|---|---|---|
| Cyber asset inventory | Identify every device on the OT network | Agent-free discovery maps PLCs, HMIs, SCADA servers, and remote links from day one, including legacy gear that cannot run an agent. | Covered |
| Authentication & access management | Control who can reach critical systems | Every session is authenticated and tied to a named user. Operators and vendors reach only what they are authorized to, time-boxed and revocable. | Covered |
| Segmentation (IT/OT and within OT) | Separate the plant floor from the office network | Microsegmented enclaves enforced at the network level, without recabling or touching existing VLANs. | Covered |
| Monitoring & logging | Record activity on critical systems | Tamper-evident session records: identity, equipment, commands, duration. Usable by a SIEM or in an investigation. | Covered |
| Incident reporting (24h to DOH) | Report incidents within 24 hours of detection | The audit trail gives you the timeline to report accurately inside the window. It supports, but does not replace, the reporting process. | Partial |
| Annual vulnerability assessment | Assess, updated within 30 days of a major change | Visibility and asset data feed the assessment; the SECURE assessment grant is meant to pay for it. | Partial |
| Tested incident response plan | Keep operations running during an attack | Access Gate supports containment and evidence, but the plan and its testing are yours to own. | Out of Scope |
| Operator training | Cybersecurity training for certified operators | Outside the product scope. Delivered through your certification and EFC's no-cost technical assistance. | Out of Scope |
Coverage reflects a typical deployment. Confirm scope for your system with the Trout team.
Go deeper on water OT compliance
Guides, architecture, and field-tested playbooks for water and wastewater operators preparing for the DOH and DEC deadline.
New York rules
Securing water OT
The architecture
New York water cybersecurity, answered
2027 OT deadline
Any community water system serving more than 3,300 people. The rules, from the Department of Health (DOH) for drinking water and the Department of Environmental Conservation (DEC) for wastewater, cover about 318 public water systems, most in the 3,300 to 50,000 population band. Systems above 50,000 carry additional obligations. New York is the first state to finalize cybersecurity rules for public water and wastewater systems.
The core operational technology (OT) requirements from DOH and DEC take effect January 1, 2027. Information technology rules under the Public Service Commission took effect January 1, 2026. Incident reporting and operator training obligations apply immediately on adoption. Because the OT work takes months, systems should start well ahead of 2027.
A formal cybersecurity program aligned with the six functions of NIST CSF 2.0; annual vulnerability assessments; a cyber asset inventory with authentication, access management, and network monitoring and logging; incident reporting to DOH within 24 hours and vulnerability reporting within 48 hours; a tested incident response plan; and cybersecurity training for certified operators. Systems above 50,000 also need a designated cybersecurity lead and continuous monitoring.
Yes. The SECURE grant, administered by the Environmental Facilities Corporation (EFC) and funded at $2.5 million, has an assessment track of up to $50,000 with no match and an implementation track of up to 20 percent of net eligible costs, capped at $100,000. The grant funds security equipment you own and install; subscription-based software is not eligible. EFC's Community Assistance Teams offer free assessments and can flag the next round.
Put one protective layer in front of the control equipment instead of software on every device. It authenticates who is asking, enforces what each user or device can reach, keeps PLCs off the open network, and produces tamper-evident records. This meets the identify, protect, detect and respond functions the rules ask for, with no agent on legacy PLCs, no plant rebuild, and no dedicated OT security engineer, running with your existing IT support.
Meet the January 1, 2027 deadline with the staff you have
No agent on your PLCs, no plant rebuild, no dedicated OT security engineer. Grant-eligible as equipment, deployable in about three weeks.