The Environmental Protection Agency issued a memorandum on Friday requiring states to analyze cyber defenses at public water systems during periodic audits.

The audits, called sanitary surveys, are already required by the EPA to detect harmful chemicals.

Water utilities are typically smaller than electric utilities and less likely to have a dedicated cybersecurity staff. As part of the new cyber requirement, the EPA said it is providing technical assistance to states and water systems.

“Cyber attacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, in a statement. “Cyber attacks have the potential to contaminate drinking water, which threatens public health.”

The new initiative comes after efforts to improve digital defenses at water facilities through voluntary measures fell short and following a breach two years ago at a water treatment plant in Oldsmar, Fla. The hacker increased the level of sodium hydroxide, which is used to remove metals, by a factor of 100, a potentially dangerous increase. The attempt to increase the chemical was quickly reversed, and authorities at the time said there were other safety measures in place that would have prevented a catastrophe.

The announcement by the EPA echoes a tactic outlined by the White House in its newly released National Cyber Strategy to use existing rules and statutes to require enhanced cybersecurity of critical infrastructure.

“I anticipate other variants of the same tactic — expanding an existing authority,” said Mike Hamilton, chief information security officer at cybersecurity firm Critical Insight.

Mark Montgomery, a former executive director of the Cyberspace Solarium Commission, which made recommendations to Congress to improve U.S. cyber defenses, criticized the memorandum, saying state sanitary inspectors don’t always have the knowledge to adequately preform a cyber audit.

“Unfortunately, there are 55,000 utilities doing water,” Montgomery said. “It is the ultimate in checklist management, except done by someone who may not understand the words on the checklist.”

Photo: Plant Operating Technician Jose Duenes monitors systems in the Operating Control Room at the Roberto Gonzales Regional Water Treatment Plant on Jan. 26, 2023 in Eagle Pass, Texas. (Photo by Brandon Bell/Getty Images)