EPA says it will step up cyber regulation of water systems amid increase in cyberattacks

The US Environmental Protection Agency is stepping up inspections of water facilities that may be vulnerable to cyberattacks, the agency said Monday, citing an increase “in frequency and severity” of cyberattacks on the nation’s water plants.

“EPA inspectors have identified alarming cybersecurity vulnerabilities at drinking water systems across the country and taken actions to address them,” the agency said in an enforcement alert.

The new alert from the EPA outlines basic cybersecurity measures that US water facilities need to take to comply with the Safe Drinking Water Act, a federal law the agency uses to regulate water plants’ safety and security practices. The EPA can fine facilities that are deemed noncompliant or, in more serious cases, can pursue criminal charges.

More than 70% of water systems the EPA has inspected since September violate “basic” requirements of the Safe Drinking Water Act, according to the agency.

A spate of cybercriminal and state-backed hacks against US water facilities in the last six months has alarmed senior US officials because of the ease with which the hackers accessed sensitive equipment at the facilities. A Russian-speaking hacking group claimed credit for a cyberattack in January that caused a tank at a Texas water facility to overflow.

“As EPA steps up inspections [of facilities], the Agency intends to use enforcement authorities to address problems quickly that it observes in the field such as failure to prepare adequate” emergency response plans, the EPA alert says.

Asked if EPA will increase the resources it puts towards cybersecurity inspections of water facilities, EPA spokesperson Jeffrey Landis told CNN the agency is “not receiving additional resources to support this effort.” EPA does, however, have 88 “credentialed [Safe Drinking Water Act] inspectors and their planned work is being modified to accommodate this urgent need,” Landis said in an email.

The EPA, US Cybersecurity and Infrastructure Security Agency and, in some cases, state programs offer free cybersecurity training and tools for water facility operators, Landis said.
