What New York’s New Water System Cyber Rules Mean for Your Utility (and How to Use SECURE Grant Funding)

New York water system cybersecurity: what the new rules require

The DEC and DOH now require all water and wastewater utilities in New York state to follow basic cybersecurity standards. The goal is ongoing protection, not just one-time checklists, and these rules line up with federal guidelines.

Here’s what water and wastewater utilities need to do:

  • Conduct risk-informed cybersecurity activities across IT and OT/SCADA environments, including treatment, distribution, and control systems.
  • Provide mandatory cybersecurity training for certified operators as part of their ongoing credential requirements.
  • Report cybersecurity incidents within specified timeframes, including for SPDES-permitted wastewater facilities.
  • Implement risk-based, tiered protections for critical operations and sensitive information, such as access controls, segmentation, and secure remote access.
  • Designate a cybersecurity lead for larger drinking water systems to own governance and oversight.

Wastewater utilities must report any cybersecurity incidents to the Regional Water Engineer within 24 hours. A written report is due within 30 days. These rules mean utilities need to maintain ongoing policies, monitoring, training, and reporting, not just complete a one-time project.

How the SECURE grant program works in New York

To help utilities pay for these new cybersecurity requirements, New York created the SECURE grant program. The state is offering about $2.5 million in grants, managed by the Environmental Facilities Corporation.

Here’s how the SECURE grant works:

  • Up to $50,000 per eligible utility for a cybersecurity assessment for water utilities and wastewater systems.
  • Up to $100,000 per eligible utility to implement cybersecurity upgrades that address identified gaps.

All water and wastewater utilities in New York can apply starting March 2026. Check the official program site for deadlines and details. If you get funding, be ready to show your work is well-planned, risk-based, and clearly documented for regulators.

For additional program details, utilities should review the official SECURE grant announcement from EFC and DEC’s wastewater cybersecurity resources.

Immediate action steps for New York utilities (and how JANUS can help)

With SECURE funding, your utility can build a strong, practical cybersecurity program. Here are seven steps, each one supported by JANUS Associates’ expertise.

1. Clarify your regulatory scope and risk profile

Action: Inventory IT and OT/SCADA assets, identify which plants, remote sites, and SPDES-permitted operations fall under the New York cybersecurity regulations for utilities, and assess your current cyber maturity.

JANUS: Our cybersecurity experts provide cyber risk and compliance assessments aligned to NIST Cybersecurity Framework, CIS Controls, and ISO 27001, with clear, audit-ready documentation for state regulators, boards, and municipal leadership.

2. Apply for SECURE funding with a structured assessment plan

Action: Build a scoped, defensible proposal for how SECURE’s $50,000 assessment allocation will be used, including methodology, systems to be evaluated, and concrete deliverables.

JANUS: Designs grant-funded cybersecurity assessments aligned to NIST CSF and CIS Controls, with transparent scoping, milestones, and reporting that support EFC review and local governance expectations.

3. Perform a comprehensive IT and OT/SCADA risk and control assessment

Action: Evaluate OT and SCADA security across treatment plants, distribution systems, telemetry, and remote sites, as well as corporate IT, identity, remote access, and vendor connectivity.

JANUS: Our OT and SCADA security services review and assess industrial control architectures, segmentation, access control, and monitoring, translating OT and SCADA security realities into actionable, standards-aligned improvements.

4. Build a prioritized security roadmap aligned to SECURE upgrade dollars

Action: Turn your assessment into a step-by-step plan that addresses the biggest risks first and fits your SECURE grant budget.

JANUS: Our team develops security architecture and roadmaps aligned with NIST, CIS, and ISO 27001 cybersecurity controls, tying specific control implementations to risk reduction, regulatory expectations, and available grant and local funding.

5. Implement security upgrades that qualify for grant funding

Action: Use SECURE grant funds for upgrades that truly reduce your risks, such as segmenting networks, creating and testing reliable backups, and implementing advanced methods to detect and respond to attacks.

JANUS: We help you implement a resilient security architecture, providing hands-on design guidance, configuration guidance, and vendor coordination while remaining vendor-neutral and focused on measurable risk-reduction outcomes.

6. Formalize governance, training, and leadership

Action: Establish or update cybersecurity policies, incident response plans, operator cyber training, and regular reporting to boards and municipal leaders, including procedures for SPDES incident reporting timelines.

JANUS: Through virtual CISO and cybersecurity governance support, JANUS helps utilities formalize governance structures, define the cybersecurity lead role, design operator training, and run tabletop exercises aligned to DEC/DOH and NIST expectations.

7. Plan for continuous improvement and re-assessment

Action: Treat SECURE-funded work as the start of a recurring risk lifecycle, with scheduled reassessments, vulnerability management, and periodic training updates.

JANUS: Many clients opt for an ongoing vCISO engagement, recurring assessments, and continuous vulnerability and risk management. This helps utilities demonstrate sustained program maturity over time.

For more on JANUS capabilities, review cyber risk and compliance assessments from JANUS Associates.

Why JANUS Associates is the right partner for New York utilities

JANUS Associates is a long-standing, New York–based, vendor-neutral cybersecurity and risk management firm with deep experience in public utilities, critical infrastructure, and regulated sectors. JANUS already supports water and wastewater utilities and other SCADA/OT operators, bridging the realities of treatment plants and field operations with governance and compliance expectations at the board and regulator level. 

Assessments and roadmaps from JANUS are anchored in widely recognized frameworks such as the NIST Cybersecurity Framework, CIS Critical Security Controls, and ISO 27001, making it easier to defend investment decisions and demonstrate alignment with best practices. By focusing on risk-based, standards-aligned outcomes rather than specific products, JANUS helps utilities use SECURE grant dollars efficiently while building sustainable, right-sized programs.

Get Started Now

SECURE grant applications are open, and new rules are coming soon. Act quickly but make sure you have a clear plan. A short consultation can help you understand the rules, set up a grant-eligible assessment, and create a plan that makes the most of SECURE funding.