New standards and funding programs aim to protect drinking water and wastewater systems from growing cyber threats
Albany, New York, 17 March 2026 – New York State has introduced new cybersecurity regulations designed to protect drinking water and wastewater systems from digital threats. Officials describe the move as the first regulatory framework of its kind in the United States, setting mandatory cybersecurity standards for water utilities while also providing financial support to help operators meet the new requirements.
The initiative was announced as part of a broader effort to strengthen critical infrastructure protection. As water systems increasingly rely on digital technologies and internet-connected control systems, experts have warned that these systems may become targets for cyberattacks.
To address these concerns, New York’s Department of Environmental Conservation and Department of Health developed new regulations that establish minimum cybersecurity standards for utilities across the state. The rules follow a public consultation process that began in 2025.
The new framework introduces several key requirements aimed at improving cybersecurity readiness in water infrastructure. Utilities will now need to conduct regular cybersecurity risk assessments, provide training for certified operators, and report cybersecurity incidents within strict timelines. Larger water systems will also be required to appoint a designated cybersecurity lead responsible for overseeing security practices.
The regulations are designed to be risk-based and scalable. This means that requirements vary depending on the size and complexity of each water system. Smaller facilities will follow baseline security standards, while larger utilities will face additional obligations such as continuous network monitoring and enhanced reporting procedures.
To support utilities in implementing these measures, New York State has also launched a funding initiative called the SECURE program, which stands for Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements. The program will provide $2.5 million in initial funding to help water systems improve their cybersecurity capabilities.
Through the SECURE program, utilities can apply for grants of up to $50,000 to conduct cybersecurity risk assessments. They may also receive up to $100,000 for technology upgrades, system improvements, and other cybersecurity investments. The Environmental Facilities Corporation will oversee the grant program and provide technical support through a dedicated cybersecurity assistance hub.
The regulations include specific requirements for drinking water systems. Community water systems serving more than 3,300 residents must conduct annual cybersecurity vulnerability assessments and report any detected cyber incidents within 24 hours. They must also establish a formal cybersecurity program and ensure operators receive basic cybersecurity training.
Larger water systems that serve more than 50,000 residents must implement additional protections. These include appointing a cybersecurity lead with relevant expertise, submitting annual cybersecurity reports to their governing body, and implementing continuous network monitoring to detect potential threats.
Wastewater treatment systems will also follow new cybersecurity rules. Publicly owned treatment facilities must introduce stronger access control measures, including multi-factor authentication and the removal of default system credentials. They must also create vulnerability management processes and ensure that operational technology networks are separated from external digital systems.
Facilities that process 10 million gallons of wastewater per day or more will face stricter monitoring requirements. These systems must implement continuous network monitoring and logging unless their operational technology systems are fully isolated from their information technology networks.
The new regulations will be introduced gradually to allow utilities time to adapt. Certain requirements, such as cybersecurity training and incident reporting, will take effect soon after adoption. Full compliance with the complete framework will be required by 2027.
The cybersecurity initiative forms part of a wider investment strategy focused on improving water infrastructure across New York State. In the 2025 fiscal year, the state allocated $3.8 billion in financial support for local water infrastructure projects. Looking ahead, the state has also proposed a long-term investment plan worth $3.75 billion aimed at modernizing water systems and strengthening resilience.
As cyber risks continue to evolve, experts say that protecting critical infrastructure like water systems is becoming increasingly important. New York’s new cybersecurity framework highlights how governments and utilities are working together to improve digital security, safeguard essential services, and ensure the reliability of water infrastructure for communities.