Natsar Cybersecurity Insights
- Oct 15, 2025
Getting Ready for New York’s Water Cybersecurity Rules
- Josh Moulin
- Cybersecurity, Compliance & Legal
Intended Audience: Municipal leaders, water and wastewater utility managers, and IT professionals responsible for operational continuity, risk management, or compliance with DOH and DEC cybersecurity rules.
New York’s proposed cybersecurity rules for drinking water and wastewater systems are moving closer to adoption. Once finalized, compliance timelines begin almost immediately—with some requirements taking effect the day the rules are adopted.
If you manage or operate a community water system or a publicly owned treatment works (POTW), the next two years are critical for preparing your cybersecurity program, staff, and systems.
This guide turns regulatory language into a practical, step-by-step plan to help you move from awareness to action — without breaking your budget.
⚙️ Whether you serve 3,300 residents or 300,000, now is the time to start planning for compliance.
Understand Where You Stand
The first step toward compliance is understanding your current cybersecurity posture. Both the Department of Health (DOH) and the Department of Environmental Conservation (DEC) require systems to perform risk-based assessments—but how you start matters.
Conduct or Update a Cybersecurity Vulnerability Analysis (CVA)
Review your last CVA and update it to include operational technology (OT) and nonpublic information that could affect operations.
For DOH-regulated systems, CVAs must be done annually and within 30 days of major infrastructure changes.
Document your findings, vulnerabilities, and mitigation plans — these records will form the backbone of your compliance documentation.
Know Your Connectivity
Identify and document every physical and logical connection between IT and OT environments, since the presence or absence of such connections determines which requirements apply to you.
Systems with no IT/OT connectivity may qualify for limited exemptions under the DOH and DEC rules.
Build a Compliance Roadmap
Once you’ve identified your current cybersecurity posture, create a plan to meet regulatory timelines.
A three-phase roadmap ensures you stay ahead of the 2026–2027 deadlines.
Phase 1: Immediate (Next 3–6 Months)
Incident Reporting: Establish clear procedures for reporting incidents to DOH (within 24 hours) or DEC (oral within 24 hours, written within 30 days).
Training: Identify certified operators who need cybersecurity training and schedule sessions.
Vulnerability Reporting: For DOH systems, ensure vulnerabilities identified in CVAs are reported within 48 hours of discovery.
Policy Updates: Integrate cybersecurity incident response into your existing emergency response plans.
Phase 2: Medium-Term (2025–2026)
Conduct and document annual CVAs.
Begin implementing risk-based improvements based on assessment findings.
Develop or refine asset inventories and network diagrams.
Validate backups, network monitoring, and recovery procedures.
Phase 3: Long-Term (By January 2027)
Complete full implementation of required cybersecurity controls:
DOH: Appendix 5-E
DEC: 6 NYCRR 750-2.9
Conduct tabletop exercises and mock incident response drills.
Ensure all staff certifications and training hours are up to date.
Leverage Free and Low-Cost Resources
New York State and federal agencies have made valuable resources available to help utilities strengthen cybersecurity at minimal cost.
Some key programs include:
WaterISAC (Water Information Sharing and Analysis Center) — trusted threat intelligence, advisories, and best-practice guidance specifically for drinking water and wastewater utilities
These resources provide a strong foundation — but they primarily focus on assessments, guidance, and planning. Implementation of security controls, training programs, and real-world response capabilities often falls to the utilities themselves.
That’s where Natsar comes in.
Partnering with Natsar for Implementation
As a New York Capital Region-based cybersecurity firm, Natsar brings unmatched public-sector experience and hands-on support to water and wastewater utilities statewide.
With a principal who previously led the Multi-State Information Sharing and Analysis Center (MS-ISAC) at the Center for Internet Security (CIS), Natsar understands the unique challenges public entities face when balancing security, operations, and compliance.
How Natsar Helps
Conducting Cybersecurity Vulnerability Analyses (CVAs) and gap assessments
Developing Incident Response Plans (IRPs) and Emergency Response Plans (ERPs)
Delivering customized training and tabletop exercises
Implementing security controls, network segmentation, and access management
Guiding utilities through reporting, documentation, and audit readiness
Choosing Natsar means working directly with a local, experienced, and trusted partner who understands both the technical and regulatory landscapes — and can help you comply efficiently and affordably.
💧 Let’s build your compliance roadmap together.
Schedule a free readiness consultation with Natsar
Funding and Cost Feasibility—Turning Mandates Into Managed Investments
New York acknowledges the cost and workload of cybersecurity, especially as utilities face other rule changes. Both DOH and DEC emphasize flexibility and available assistance.
New York State funding opportunities
Cybersecurity Grant Program: The Environmental Facilities Corporation (EFC) will administer $2.5M in cybersecurity grants to support compliance.
Infrastructure funding: The state continues to invest hundreds of millions of dollars in water/wastewater infrastructure that supports public health priorities.
Grant strategy: POTWs are encouraged to use the one-year delay for core controls to seek grants and no-cost technical assistance from state and federal programs.
Note: Funding will not cover all costs. Utilities should plan for remaining expenses via local budgets, rate adjustments, or other means.
Estimated annual compliance costs
DOH drinking water systems
3,300–50,000 served: $0–$150,000/year
>50,000 served: up to $5,000,000/year
Key drivers: asset inventory tools/consulting ($0–$24,500 for <100 assets; up to $135,000 for 500–1,000 assets); monitoring/logging for large systems ($0–$54,000/year).
DEC wastewater (POTWs)
Small (1–10 employees): $0–$15,000/year
Medium (10–100 employees): up to ~$93,934/year
High-end estimates assume the most expensive commercial tool for every control—DEC notes this is unlikely and deems the rules economically and technologically feasible.
Cost mitigation & ROI
Public-sector data breach costs can reach ~$2.6M; risk-based investments offer strong ROI.
Agencies encourage flexible mixes of open-source, low-cost, and commercial tools, plus consultants and/or managed service providers.
For smaller systems, using contracted cybersecurity professionals—like Natsar’s vCISO Service—meets leadership, reporting, and governance requirements without full-time overhead.
Bottom Line
The path to compliance doesn’t have to be overwhelming. Start early, focus on immediate requirements, and build momentum toward full implementation.
With the right guidance and a tailored plan, New York’s new cybersecurity mandates can be an opportunity to strengthen both security and reliability across the state’s water systems.
What’s Next
This post focused on what New York’s proposed cybersecurity rules mean for water and wastewater utilities—breaking down the costs, timelines, and practical steps to begin preparing.
In our next article, we’ll show how Natsar can help utilities across the state meet every requirement efficiently and affordably. From vulnerability assessments and incident response planning to training, monitoring, and virtual CISO (vCISO) services, Natsar provides the expertise and flexibility to make compliance achievable for organizations of any size.
→ Read Part 4: How Natsar Can Help Utilities Get Compliant (and Stay Secure)