Practical cybersecurity solutions that help utilities strengthen resilience, meet regulatory requirements, and protect the communities they serve.
Cybersecurity isn’t just an IT issue—it’s an operational necessity. Today’s water and wastewater systems depend on technology to manage pumps, treatment processes, and monitoring systems. A single cyber incident could disrupt service, compromise safety, or damage public trust.
That’s why utilities across the country—and especially here in New York—are being asked to strengthen their cybersecurity posture. Natsar helps organizations do this with practical, defensible solutions that balance compliance requirements with real-world operations.
Natsar helps water and wastewater utilities meet cybersecurity requirements with practical, defensible solutions tailored to their operations. Our services strengthen resilience, simplify compliance, and ensure ongoing protection against evolving threats.
Understand what’s required now, key deadlines, and the practical steps water and wastewater systems should take next.
In response to increasing threats to critical infrastructure, New York has introduced new cybersecurity requirements for public water and wastewater systems.
In early 2026, New York officially adopted new cybersecurity requirements for both drinking water and wastewater utilities.
Department of Health (DOH): Applies to Community Water Systems serving more than 3,300 people.
Department of Environmental Conservation (DEC): Broad programmatic controls apply to Publicly Owned Treatment Works (POTWs), while cybersecurity incident reporting applies to ALL SPDES permittees.
Both require utilities to conduct cybersecurity assessments, implement programs, train staff, and report incidents.
Compliance deadlines for incident reporting and training begin immediately upon adoption. Full implementation of the broader programmatic requirements is required by January 1, 2027 for DOH regulated systems, and by March 11, 2027 for DEC regulated systems.
Even if your system isn’t regulated by New York’s new rules, cybersecurity is essential for operational continuity and public trust.
Natsar aligns your program to nationally recognized frameworks and resources:
Cybersecurity and Infrastructure Security Agency (CISA) Cyber Performance Goals (CPGs)
NIST Cybersecurity Framework 2.0 (NIST CSF)
Center for Internet Security (CIS) Controls and benchmarks
New York Cybersecurity Requirements for Public Water Systems (10 NYCRR Subpart 5-1)
New York Wastewater Cybersecurity Rules (6 NYCRR Parts 616, 650, and 750)
Read the latest news and insights from Natsar
March 26, 2027
By: Josh Moulin
New York is mandating cybersecurity for water and wastewater systems. Learn what’s changing and how Natsar, a trusted NY firm, can help.
March 27, 2026
By: Josh Moulin
Learn how New York’s DOH and DEC cybersecurity rules differ — and how Natsar helps water and wastewater utilities meet compliance affordably and on time.
March 28, 2026
By: Josh Moulin
Turn New York’s new water cybersecurity rules into an action plan. Natsar helps utilities assess, train, and comply efficiently and affordably.
April 1, 2026
By: Josh Moulin
Natsar helps New York utilities meet DOH and DEC cybersecurity rules through vCISO, training, risk assessments, and compliance-ready programs.
New York Water System Cybersecurity Regulations
The New York State Department of Environmental Conservation (DEC) has adopted comprehensive amendments to parts 616, 650, and 750 of Title 6 NYCRR with the primary goal of safeguarding New York’s water infrastructure. These regulations stem from Governor Kathy Hochul's directive in January 2025 to establish minimum cybersecurity standards for water and wastewater utilities. The main objectives include mandating cybersecurity incident reporting for State Pollutant Discharge Elimination System (SPDES) permittees, requiring emergency response planning and specific cybersecurity controls for Publicly Owned Treatment Works (POTWs), and ensuring certified wastewater operators receive cybersecurity training. The overarching aim is to protect the environment, including water quality, from the increasing number and sophistication of cyber threats that could lead to the discharge of untreated or partially treated sewage into communities and state waters.
POTWs are mandated to establish, maintain, and implement a range of cybersecurity controls based on documents accepted by the DEC, including EPA guidance and the NIST Cybersecurity Framework. These controls include:
Access Control and Authentication: Written rules and procedures consistent with the principle of least privilege, addressing password security, complexity, and management. Multi-factor authentication is required for remote access to operational technology (OT), and preset or default credentials are disallowed. These rules must be reviewed at least annually by March 28, and updated within 90 days after a cybersecurity incident, assessment, or audit.
Cybersecurity Vulnerability Management Process: A written process including a cyber asset inventory (OT and connected IT assets), identification of known vulnerabilities, risk assessment based on likelihood and consequences of exploitation, prioritization of vulnerabilities, and mitigation/remediation actions. This process must be reviewed at least annually by March 28, and updated when assets are added/decommissioned or new vulnerabilities are identified.
Secure Network Structure: A written description of the network structure that protects OT by either physically and logically separating it from IT and external networks, or by securing necessary connections with appropriate cybersecurity controls.
Network Monitoring and Logging (for larger POTWs): POTWs with a design flow of 10 MGD or more must implement, manage, and maintain procedures, products, and/or services that monitor and log network activity. This requirement has exceptions for facilities with no physical/logical connections between OT and IT/external networks, or those using devices that only allow data to travel unidirectionally from operational technology for alarms, notifications, or communications.
Cybersecurity Incident Response Plan (IRP): POTWs must establish, maintain, and implement an IRP, which can be an existing plan meeting specific criteria or one based on accepted templates like the EPA's Incident Action Checklist—Cybersecurity or the Drinking Water and Wastewater Systems Cybersecurity Incident Response Plan Template Instructions. This IRP must be incorporated into the broader Emergency Response Plan (ERP).
All SPDES permittees are mandated to report cybersecurity incidents promptly. An initial report must be made online to the DEC as soon as possible, but no later than 24 hours from the time the permittee becomes aware of the incident. After completing the online reporting form, the permittee must immediately notify their Regional Water Engineer (RWE) or Regional Water Manager (RWM) orally (or contact DEC Dispatch if the RWE/RWM is unreachable). This 24-hour report must include, to the extent known at the time, details such as the date and time of discovery, the person who discovered it, a brief description of the incident, whether IT, OT, or both were impacted, and any disruption or anticipated disruption to normal operations.
A more comprehensive written report must then be submitted online within 30 days of becoming aware of the incident. This 30-day online report requires detailed information including the date and time of discovery, the discoverer, a brief description, impact on IT/OT, description of operational disruptions (or lack thereof), expected duration of disruption, description of any loss or damage to SPDES program data, OT, or the sewer system/treatment facility, and measures taken or planned for remediation/mitigation.
For wastewater operators, sections 650.8 and 650.12 of the adopted regulations require certified operators to complete a minimum number of training hours on cybersecurity to renew their certification every five years. This training does not add to the existing total number of required renewal hours. Grades 1 and 1A, and 2 and 2A operators need 2 hours of cybersecurity training, while Grades 3 and 3A, and 4 and 4A operators need 4 hours. These requirements will apply to all certifications expiring on or after January 1, 2027.
For drinking water operators, all certified operators under Subpart 5-4 are required to complete a minimum of one hour of cybersecurity training every three years. The curriculum for this training must be approved by the Department of Health. This requirement became effective immediately upon adoption of the regulation.
The regulations introduce specific definitions to clarify reportable events:
Cybersecurity Event: This is broadly defined as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse the permittee’s operational or information technology or SPDES program data."
Cybersecurity Incident: This is a subset of cybersecurity events that are deemed reportable to the department. A cybersecurity event becomes an "incident" if it, directly or indirectly:
Has an adverse impact on the normal operations of the permittee’s sewer system or treatment facility.
Has a reasonable likelihood of harming any part of the normal operations of the permittee’s sewer system or treatment facility.
Compromises the confidentiality, integrity, or availability of SPDES program data or results in loss or damage to the permittee’s sewer system or treatment facility.
Delays or prevents the permittee from complying with all provisions of its SPDES permit.
Essentially, all incidents are events, but only events that meet the criteria of having a significant actual or likely adverse impact on operations, data, or permit compliance are considered reportable incidents.
The costs for compliance vary significantly based on the size and existing cybersecurity maturity of the entity.
For Publicly Owned Treatment Works (POTWs):
Note: The state's cost estimates for POTWs represent purchasing or service costs and do not include internal labor costs.
Definitions and References: $0
Access Control and Authentication: Can range from $0 to $388,728 annually for larger enterprises (100-999 employees), depending on tools chosen for identity management and multi-factor authentication.
Vulnerability Management Process (including cyber asset inventory): Can range from $0 to $64,746 annually for larger enterprises, with smaller systems having lower costs. The costs depend on the level of automation and whether new tools are purchased.
Secure Network Structure: Can range from $0 to $269,263 annually for larger enterprises, depending on configuration management tools and firewall needs.
Network Monitoring and Logging: Can range from $0 to $54,000 annually for larger enterprises, heavily influenced by log volume, storage duration, and chosen tools (e.g., free options like CISA's Logging Made Easy can reduce costs for smaller utilities).
The total annual cybersecurity costs for POTWs typically represent 17%-20% of an overall IT budget.
For Public Water Systems (PWS):
Systems serving 3,300 to 50,000 people: Cybersecurity costs are estimated to be $0 to $150,000 per year.
Systems serving more than 50,000 people: Cybersecurity costs are estimated to be $0 to $5,000,000 per year.
Cyber Asset Inventory: For systems with less than 100 assets, $0 to $24,500 annually; for systems with 500-1000 assets, $0 to $135,000 annually.
Qualified Executive (for systems >50,000 people): Most large systems are anticipated to already have such a professional, so additional costs might be minimal.
Monitoring and logging network activities (for systems >50,000 people): Estimated between $0 and $54,000 per year.
State Grant Funding Available: New York State has allocated $2.5 million in a new cybersecurity grant program through the Environmental Facilities Corporation (EFC) to support compliance. The SECURE grant program offers municipalities up to $50,000 for cybersecurity assessments and up to $100,000 for implementation upgrades. Applications are currently open and due by May 15, 2026. While this may not cover full costs, it provides critical support for local utilities.
Why did the Department of Environmental Conservation reject a voluntary compliance approach or mandating all EPA cybersecurity controls?
The DEC considered and rejected two alternative approaches:
Voluntary Compliance: This approach was deemed insufficient because it would likely lead to inconsistent implementation of protections, leaving some facilities highly vulnerable. It would also result in a lack of accountability and might allow facilities to ignore growing cyber threats. Given the increasing sophistication of cyber threats, delaying mandatory action was considered irresponsible.
Mandating All EPA Cybersecurity Controls: This alternative was rejected due to concerns about imposing an undue economic burden on the regulated community. While EPA guidance is valuable, requiring every recommended control could lead to excessive costs, potential non-compliance, and operational challenges for many water and wastewater systems. The adopted regulations aim for a balanced approach, selecting minimum controls that are both effective and financially sustainable for the diverse range of regulated entities, ensuring feasible cybersecurity improvements.
The compliance schedule varies slightly depending on the specific requirement and the type of system:
For wastewater treatment facilities (POTWs and SPDES permittees):
Incident reporting requirements for cybersecurity incidents went into effect on March 26, 2026.
The cybersecurity training requirements for certified wastewater operators apply to all certifications that expire on or after January 1, 2027.
The majority of the broader cybersecurity controls and emergency response planning requirements go into effect exactly one year after adoption, on March 11, 2027. The annual certifications for compliance with the Emergency Response Plan and cybersecurity controls are then due annually by March 28 (with the first certification due March 28, 2027).
For public water systems:
Sections 5-E.7 (cybersecurity training for operators) and 5-E.9 (cybersecurity incident notification) became effective immediately upon adoption of the regulation.
All other requirements for covered water systems must be complied with by January 1, 2027.
Operators must complete the required training by the end of their first full registration cycle following the effective date of the regulation.