New York State has introduced what officials describe as the first regulations of their kind in the United States, establishing mandatory cybersecurity standards for drinking water and wastewater systems alongside a dedicated funding programme to support compliance.
Announced by Governor Kathy Hochul, the regulations finalise a process that began in mid-2025, when the Department of Environmental Conservation (DEC) and Department of Health (DOH) published draft rules for public consultation. The initiative responds to growing concerns about digital vulnerabilities in water infrastructure as operators increasingly depend on internet-connected control systems.
The new threat-informed, risk-centric, and cost-balanced minimum standards include:
- Mandatory cybersecurity training for certified operators
- Cybersecurity incident reporting requirements to ensure timely disclosure of breaches
- Risk-based tiered standards to protect critical operations and sensitive information
- Designation of a cybersecurity lead role at larger drinking water systems
The timing of the regulations is noteworthy. The ongoing conflict in the Middle East has heightened concerns about cyberattacks on critical infrastructure, with water systems among the exposed sectors. A group of ten information sharing organisations, including the Water Information Sharing and Analysis Center, recently issued a joint advisory warning of an increasingly volatile threat environment and the growing risk of attacks from hostile state-sponsored actors and aligned groups.
To ease the financial burden on local authorities — many of which operate on constrained budgets — the state is launching the SECURE (Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements) grant programme, backed by USD 2.5 million in initial funding. Utilities can apply for up to USD 50,000 to conduct cybersecurity assessments and up to USD 100,000 to fund subsequent upgrades.
State Director of Security and Intelligence Colin Ahern underlined the ambition behind the dual approach: "By pairing nation-leading standards with the SECURE grant programme, we are providing New York's water sectors with the intelligence-driven framework and the muscle they need to preemptively harden our most vital systems against sophisticated global adversaries."
The Environmental Facilities Corporation will administer the grants and provide no-cost technical assistance through its dedicated Cybersecurity Hub. The framework aligns with federal guidance from both the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency.
The regulations set out distinct requirements for drinking water and wastewater systems, with obligations scaled to the size and complexity of each facility. Utilities will have a transition period to comply with the new rules, with full implementation required by 2027, while certain reporting and training obligations take effect immediately following adoption.
Drinking water systems (regulated by DOH)
All community water systems serving more than 3,300 people must comply with the following:
- Annual cybersecurity vulnerability assessments, updated within 30 days of any major infrastructure change
- Incident reporting to DOH within 24 hours of detection; vulnerability reporting within 48 hours
- Basic cybersecurity training for certified operators
- Development and maintenance of a formal cybersecurity programme
Systems serving more than 50,000 people face additional requirements:
- Appointment of a designated cybersecurity lead with relevant knowledge and experience
- Annual confidential reporting to the utility's governing body
- Continuous network monitoring and logging
Wastewater systems (regulated by DEC)
Core technical controls apply to all Publicly Owned Treatment Works (POTWs), with full implementation due one year after the regulation's adoption:
- Incident reporting: verbal notification within 24 hours, followed by a written report within 30 days
- Access control procedures including multi-factor authentication and prohibition of default credentials
- A documented vulnerability management process
- Network architecture that isolates operational technology from external systems
- Cybersecurity training integrated into existing operator certification renewals
POTWs with a design flow of 10 million gallons per day or more must additionally implement continuous network monitoring and logging, unless operational and information technology systems are fully separated.
Beyond cybersecurity, the new regulations sit within a broader state commitment to water infrastructure investment, with New York allocating USD 3.8 billion in financial assistance for local water projects in the 2025 fiscal year alone. Looking ahead, Governor Hochul's 2026 State of the State address outlined a transformational USD 3.75 billion water infrastructure investment plan.

















