mapping the impact of 10 NYCRR Part 5 鈥 Appendix 5-E
March 16, 2026
What does New York鈥檚 new water cybersecurity regulation actually require?
I鈥檝e been mapping out the practical impact of 10 NYCRR Part 5 鈥 Appendix 5-E for municipal water systems.
At a high level, compliance falls into four areas:
1锔忊儯 Risk Assessment
Utilities must perform a Cybersecurity Vulnerability Analysis (CVA) covering both IT and operational technology systems.
2锔忊儯 Operational Security
Organizations must evaluate the security of SCADA systems and operational technology networks used to operate water infrastructure.
3锔忊儯 Incident Readiness
Utilities must establish incident response procedures and reporting protocols for cybersecurity events.
4锔忊儯 Workforce Preparedness
Certified operators must receive periodic cybersecurity training.
Most systems will need to meet these requirements by January 1, 2027.
The challenge is that many municipal systems rely on legacy industrial control environments that were never designed with cybersecurity protections in place.
For those working in water utilities or municipal government 鈥 how is your organization preparing?
Need help securing your critical infrastructure?
