Cybersecurity - Frequently Asked Questions
I. GENERAL QUESTIONS
What is cybersecurity?
The National Institute of Standards and Technology (NIST) defines cybersecurity as protecting computer systems and electronic equipment from harm, making sure they work properly, and being able to restore them if something goes wrong. The goal is to keep systems available, accurate, secure, and reliable.
For water systems, this means protecting any computer-based or electronically operated equipment from unauthorized access, misuse, or damage. This includes control systems, pumps, valves, and data. These systems must remain safe, dependable, and able to operate without interruption.
Why is cybersecurity essential for water systems?
Many control systems are now connected to internal and external networks. These systems are critical to operating the processes that deliver safe drinking water to communities. A cyberattack can damage equipment or change chemical dosing, which can create serious public health and safety risks.
What makes a water system vulnerable to a cyberattack?
Some common weak points in water systems can include:
- Older computer systems or equipment that no longer receive updates;
- Shared or default passwords;
- Remote access that is not properly protected;
- Staff accidentally connecting work systems to unsafe networks or devices; and
- Computer systems that are too closely connected to operational equipment.
What are some warning signs of a possible cyberattack?
It can be hard to tell when a cybersecurity incident is happening, but there are some common warning signs to watch for:
- The system is running differently than expected or operating at unusual settings
- Screens or controls are slow, frozen, or not responding
- Warning lights, alarms, or shutdowns occur without a clear reason
- Changes to equipment or software that no one can explain
If something doesn’t look right or you’re unsure about a situation, report it through your normal chain of command.
What basic cybersecurity practices can help protect our water system operations?
Below are some simple and cost-effective ways to help secure your systems:
- Use strong, unique passwords and enable multi-factor authentication where possible
- Separate business (IT) systems from operational (OT) systems to limit how data moves between them
- Limit and carefully control remote access
- Handle removable media, such as USB drives, with care and clear procedures
- Regularly back up system settings, logic, and configuration files
II. NEW YORK STATE DEPARTMENT OF HEALTH CYBERSECURITY REGULATION
Who is required to comply with this regulation?
Community water systems serving more than 3,300 people must comply with the Appendix 5-E cybersecurity requirements. Systems serving more than 50,000 people have additional requirements (see below).
How long do we have to become compliant with the regulation after its adoption?
The cybersecurity incident reporting and cybersecurity training requirements for the covered community water systems go into effect immediately upon adoption. Operators shall complete the training by the end of the first full registration cycle for an individual operator following the effective date of the regulation. Covered community water systems will have until January 1, 2027 to become compliant with the additional requirements.
What are the main requirements for my system?
If your community water system serves more than 3,300 people, you must:
- Develop and implement a Cybersecurity Program;
- Review and update a Cybersecurity Vulnerability Analysis (CVA) annually or in the event of a major water infrastructure change;
- Report identified cybersecurity vulnerabilities that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1 or that identify a situation that may pose a risk to public health, within 48 hours to the New York State Department of Health (the Department);
- Begin or complete mitigation of vulnerabilities that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1, or that identify a situation that may pose a risk to public health, within 120 days;
- Verify that drinking water operators are trained in basic level cybersecurity;
- Report cybersecurity incidents that may impact the covered water system’s ability to comply with the requirements of Subpart 5-1, or that identify a situation that may pose a risk to public health, to the Department within 24 hours; and
- Be able to recover from cybersecurity incidents using an incident response plan.
What additional requirements apply to large systems?
If your system serves more than 50,000 people, you must also:
- Designate an individual deemed qualified by the covered water system’s owner, with demonstrable knowledge of cybersecurity principles and practical experience in system protection or risk management, to be the individual responsible for the system’s cybersecurity program;
- Have the designated individual certify that the system’s cybersecurity program meets the Department’s cybersecurity requirements, using a Department-approved form;
- Have the designated individual provide a confidential written report at least once per year to the system’s governing body (such as the board, council, trustees, or other oversight body) summarizing the cybersecurity program and any significant cybersecurity risks; and
- Monitor and log the water system’s network activity.
Can a covered water system be excluded from the requirements of Appendix 5-E?
Partly, yes. A covered water system does not have to meet most of the cybersecurity requirements if its operational systems are completely isolated and have no physical or digital connections to information technology systems or external networks. Municipal billing systems and other information technology systems are also exempt, as long as they do not affect the water system’s ability to meet cybersecurity requirements. Note: Exclusions do not apply to Section 5-E.7 (training), Section 5-E.8 (Emergency Response Plans) or Section 5-E.9 (Department reporting).
To request an exclusion, please submit an exclusion request form to TPP@health.ny.gov.
How do I submit documents and report cybersecurity incident reports, or cybersecurity vulnerabilities?
Emergency response plans and cybersecurity vulnerability analyses should continue to be submitted via the standard procedure in accordance with Subpart 5-1.33(e). To report a cybersecurity incident, please fill out our Cybersecurity Incident Report Form. To report a cybersecurity vulnerability, please contact TPP@health.ny.gov and provide only your name, system, contact phone number, and that you need to report a vulnerability. Please do not provide any specific details related to your vulnerability. Our Threat Prevention and Preparedness Unit will contact you for further information.
Is there funding available to assist with these changes?
To support implementation, Governor Hochul launched the new $2.5 million Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements (SECURE) grant program, administered by EFC. Applications open 3/11/2026. Funding includes:
- Up to $50,000 for cybersecurity assessments
- Up to $100,000 to implement cybersecurity upgrades
Systems are encouraged to watch for future announcements regarding available funding opportunities. You may also visit the Environmental Protection Agency’s (EPA) Cybersecurity Funding resource page.
Can Drinking Water State Revolving Funds (DWSRF) be used for cybersecurity upgrades?
Currently, cybersecurity-specific eligibility does not exist under New York State’s Drinking Water State Revolving Fund (DWSRF). The DWSRF is primarily used to support drinking water infrastructure projects ranked by public health priority. However, cybersecurity upgrades that align with a larger capital improvement project may be eligible. For more information, contact design@health.ny.gov.
Does the regulation require submission or public disclosure of sensitive cybersecurity vulnerability information?
No. Information reported for oversight and enforcement should be limited to the minimum necessary. Section 5-1.33(c) already requires submission of an analysis of vulnerability to cyber attack as part of the Water Supply Emergency Plan.
Note that Public Health Law §1125(9)(a) and 10 NYCRR 5-1.33(h) expressly provide that vulnerability assessments and information derived from them — including Cyber Vulnerability Analysis (CVA) — are exempt from disclosure under Article Six of the Public Officers Law. These materials are not subject to public release.
Does the federal Protected Critical Infrastructure Information (PCII) program affect this regulation?
The PCII program applies to information voluntarily shared with the federal government concerning critical infrastructure security. It does not preempt the proposed regulation. Existing state law already provides protections against public disclosure of vulnerability analysis information.
III. CYBERSECURITY PROGRAM & VULNERABILITY ANALYSIS
What should be included in a Cybersecurity Program?
Cybersecurity program requirements include:
- Access control procedures, including user privileges and roles, such as:
  - Using multi-factor authentication (MFA). If MFA cannot be implemented, the authorized representative or designated individual must approve compensating controls;
  - Limiting user access privileges;
  - Separating user accounts for Operational Technology (OT) from Information Technology (IT);
  - Providing unique credentials for OT when it is supported;
    - For systems serving >50,000 people, if this is not supported, the designated individual must approve compensating controls in writing;
  - Annually reviewing access privileges;
  - Disabling remote access to OT unless it is necessary for system operation, and limiting access to only those individuals who require it;
  - Securely configuring all protocols that permit remote access to OT or non-public information;
  - Disallowing OT default passwords or having the authorized representative or designated individual approve compensating controls in writing; and
  - Completing a cyber asset inventory.
- Incident recovery plans
- Detection and incident response procedures
- A review schedule
- Designated individual contact information (for systems serving >50,000 people)
- Network activity and monitoring logs (for systems serving >50,000 people)
A Cybersecurity Program Template was created to assist water systems with program development.
What is meant by default passwords?
A default password is a preset password that comes with a device, software, or system when it’s first installed. It’s meant to be temporary and should be changed immediately because default passwords are often easy to find or are widely known.
What is the Cybersecurity Vulnerability Analysis (CVA)?
A CVA is a review of your system’s digital vulnerabilities. It should identify weaknesses in hardware, software, policies, and procedures that could be exploited by cyber threats.
The CVA must be reviewed and updated annually.
Do I have to submit the annual CVA update to the Department?
No. While the CVA must be reviewed and updated annually, an updated CVA is submitted to the Department once every five years as part of your Water Supply Emergency Response Plan submission, or within 30 days of a major infrastructure change. However, the Department may request the CVA for review at any time, and it should be readily available upon request.
IV. REPORTING REQUIREMENTS
What counts as a reportable cybersecurity vulnerability?
A cybersecurity vulnerability is any weakness that, if exploited, could impair your ability to comply with Subpart 5-1 of the drinking water regulations or could cause a public health hazard. Please refer to Appendix 5-E (PDF) guidance documents to help identify reportable vulnerabilities.
What counts as a reportable cybersecurity incident?
A cybersecurity incident is any cyber event that disrupts, damages, or threatens your system’s operations or data (including the introduction of malware or ransomware, unauthorized access, or system shutdowns) and its ability to comply with Subpart 5-1 of the drinking water regulations, potentially leading to a public health hazard, or that creates an immediate risk of nonpublic information being exposed, changed, or made unavailable.
What is the timeframe for reporting a cybersecurity incident?
Cybersecurity incidents must be reported to the Department within 24 hours of detection, effective March 11, 2026. Report cybersecurity incidents using the Cybersecurity Incident Reporting Form.
- To report to multiple agencies at one time, select the agencies you want to report to and you will only have to answer the questions once. If you choose to report to multiple agencies, but at different times, you will be directed to answer the same questions each time.
- You must answer each question fully without referencing other answers. Never respond to a question with “see above” or “see below” as not all agencies selected to receive your report receive all answers upon submission.
- Each form must be completed and submitted in one session. To protect sensitive information, information cannot be saved and submitted at a later time and there is no way to edit the report after submission.
What is the timeframe for reporting a cybersecurity vulnerability?
Cybersecurity vulnerabilities must be reported to the Department within 48 hours of identification, effective January 1, 2027.
How do we report cybersecurity vulnerabilities or incidents?
To report a cybersecurity incident, please fill out our Cybersecurity Incident Report Form. To report a cybersecurity vulnerability, please contact TPP@health.ny.gov and provide only your name, system, contact phone number, and that you need to report a vulnerability. Please do not provide any specific details related to your vulnerability. Our Threat Prevention and Preparedness Unit will contact you for further information.
V. TRAINING & STAFFING
Who needs to be trained?
All certified drinking water operators are required to receive one hour of cybersecurity awareness training every three years. There are no exclusions for this requirement.
Where can drinking water operators find cybersecurity training?
New York State approved cybersecurity training for drinking water operators can be found on our Operator Certification (OpCert) website.
VI. REMEDIATION & RECOVERY
What does it mean to "remediate a cybersecurity vulnerability"?
A cybersecurity vulnerability that affects your ability to remain compliant with Subpart 5-1, or has the potential to create a public hazard, is considered a significant deficiency. You must correct, mitigate, or otherwise come into compliance with a corrective action plan for any identified cyber-related significant deficiencies within 120 days of discovery. Remediation could include patching software, changing configurations, updating, replacing or disconnecting hardware, or updating procedures.
What is a significant deficiency?
A significant deficiency means a defect in a system’s design, operation or maintenance, or a failure or malfunction of its treatment, storage, or distribution, that causes or is reasonably expected to cause the introduction of contamination into water delivered to consumers. Significant deficiencies also include loss of ability to deliver an adequate quantity of water; inadequate barriers of protection including failure of monitoring; conditions that pose an obvious security risk to the water system; or any other condition with the potential to cause a future public health hazard.
What does recovery involve?
Recovery means restoring full system function after a cybersecurity incident. Your plan should include backup strategies, contact lists, and step-by-step recovery procedures.
What should I do if it takes more than 120 days to address a significant deficiency?
Community systems must describe in their annual water supply statement (see section 5-1.72(e) and (f)) any Public Health Hazard that is determined to be a violation, and any uncorrected significant deficiency, and must indicate whether corrective action has been completed. This notice must be repeated every year until the annual report documents that corrective action has been completed in accordance with section 5-1.22 of this Subpart. You may also contact TPP@health.ny.gov for assistance.
What happens if we fail to comply?
The Department may follow up with enforcement actions or require corrective action plans. Our goal is to support systems in compliance through guidance and technical assistance.
Still Have Questions?
Contact:
TPP@health.ny.gov
518-402-7650
Cybersecurity for Public Water Systems