The DEC and DOH now require all water and wastewater utilities in New York state to follow basic cybersecurity standards. The focus is sustained protection rather than a one-time exercise, and these requirements align with federal cybersecurity guidance.
Here’s what water and wastewater utilities need to do:
Wastewater utilities must report any cybersecurity incidents to the Regional Water Engineer within 24 hours. A written report is due within 30 days. These rules mean utilities need to keep up regular policies, monitoring, training, and reporting, not just complete a one-time project.
To help utilities pay for these new cybersecurity requirements, New York created the SECURE grant program. The state is offering about $2.5 million in grants, managed by the Environmental Facilities Corporation.
Here’s how the SECURE grant works:
All water and wastewater utilities in New York can apply starting March 2026. Check the official program site for deadlines and details. If you get funding, be ready to show your work is well-planned, risk-based, and clearly documented for regulators.
For additional program details, utilities should review the official SECURE grant announcement from EFC and DEC’s wastewater cybersecurity resources.
With SECURE funding, your utility can build a strong, practical cybersecurity program. Here are seven steps, each one supported by JANUS Associates’ expertise.
Action: Inventory IT and OT/SCADA assets, identify which plants, remote sites, and SPDES-permitted operations fall under the New York cybersecurity regulations for utilities, and assess your current cyber maturity.
JANUS: Our cybersecurity experts provide cyber risk and compliance assessments aligned to NIST Cybersecurity Framework, CIS Controls, and ISO 27001, with clear, audit-ready documentation for state regulators, boards, and municipal leadership.
Action: Build a scoped, defensible proposal for how SECURE’s $50,000 assessment allocation will be used, including methodology, systems to be evaluated, and concrete deliverables.
JANUS: Designs grant-funded cybersecurity assessments aligned to NIST CSF and CIS Controls, with transparent scoping, milestones, and reporting that support EFC review and local governance expectations.
Action: Evaluate OT and SCADA security across treatment plants, distribution systems, telemetry, and remote sites, as well as corporate IT, identity, remote access, and vendor connectivity.
JANUS: Our OT and SCADA security services review and assess industrial control architectures, segmentation, access control, and monitoring, translating OT and SCADA security realities into actionable, standards-aligned improvements.
Action: Turn your assessment into a step-by-step plan that addresses the biggest risks first and fits your SECURE grant budget.
JANUS: Our team develops security architecture and roadmaps aligned with NIST, CIS, and ISO 27001 cybersecurity controls, tying specific control implementations to risk reduction, regulatory expectations, and available grant and local funding.
Action: Use SECURE grant funds for upgrades that truly reduce your risks, such as segmenting networks, creating and testing reliable backups, and implementing advanced methods to detect and respond to attacks.
JANUS: We help you implement a resilient security architecture, providing hands-on design guidance, configuration guidance, and vendor coordination while remaining vendor-neutral and focused on measurable risk-reduction outcomes.
Action: Establish or update cybersecurity policies, incident response plans, operator cyber training, and regular reporting to boards and municipal leaders, including procedures for SPDES incident reporting timelines.
JANUS: Through virtual CISO and cybersecurity governance support, JANUS helps utilities formalize governance structures, define the cybersecurity lead role, design operator training, and run tabletop exercises aligned to DEC/DOH and NIST expectations.
Action: Treat SECURE-funded work as the start of a recurring risk lifecycle, with scheduled reassessments, vulnerability management, and periodic training updates.
JANUS: Many clients opt for an ongoing vCISO engagement, recurring assessments, and continuous vulnerability and risk management. This helps utilities demonstrate sustained program maturity over time.
For more on JANUS capabilities, review cyber risk and compliance assessments from JANUS Associates.
JANUS Associates is a long-standing, New York–based, vendor-neutral cybersecurity and risk management firm with deep experience in public utilities, critical infrastructure, and regulated sectors. JANUS already supports water and wastewater utilities and other SCADA/OT operators, bridging the realities of treatment plants and field operations with governance and compliance expectations at the board and regulator level.
Assessments and roadmaps from JANUS are anchored in widely recognized frameworks such as the NIST Cybersecurity Framework, CIS Critical Security Controls, and ISO 27001, making it easier to defend investment decisions and demonstrate alignment with best practices. By focusing on risk-based, standards-aligned outcomes rather than specific products, JANUS helps utilities use SECURE grant dollars efficiently while building sustainable, right-sized programs.
SECURE grant applications are open, and new rules are coming soon. Act quickly but make sure you have a clear plan. A short consultation can help you understand the rules, set up a grant-eligible assessment, and create a plan that makes the most of SECURE funding.