A recent fact sheet jointly released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) highlights the significant risks posed by Internet-exposed Human Machine Interfaces (HMIs) to the Water and Wastewater Systems (WWS) sector. The document, titled “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems,” emphasizes the vulnerabilities faced by operators who use HMIs to manage operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) systems.
These interfaces, when left unprotected and exposed online, become attractive targets for malicious actors seeking to disrupt critical infrastructure. Cyber-attacks on HMIs can lead to unauthorized access, allowing hackers to manipulate water treatment processes, disable alarms, or lock operators out of the system entirely. Recent incidents linked to pro-Russia hacktivists have caused disruptions by forcing equipment to operate beyond safe limits and restricting access through changes to administrative passwords.
The consequences of failing to secure HMIs are severe, according to CISA and EPA. Exploited vulnerabilities can result in facilities having to resort to manual operations, jeopardizing the delivery of essential water and wastewater services. The recent increase in cyber incidents targeting WWS facilities underscores the urgent need to address these risks.
To mitigate these vulnerabilities, the fact sheet provides key recommendations for operators, including disconnecting HMIs from public internet access whenever possible, using strong passwords and multi-factor authentication (MFA), regularly updating software and firmware, implementing network segmentation with tools like demilitarized zones (DMZs), and monitoring login attempts for suspicious activity.
In addition to these best practices, CISA offers free vulnerability scanning services to assist WWS facilities in identifying and addressing weaknesses. Resources such as the “Top Cyber Actions for Securing Water Systems” guide and EPA’s guidance on improving cybersecurity practices at drinking water and wastewater utilities are also available to support facility operators in enhancing their security posture.
Facility operators are urged to take prompt action in implementing these measures to reduce the risks to their systems and safeguard critical infrastructure against cyber threats. By following the guidance outlined in the fact sheet and leveraging available resources, operators can enhance the resilience of water and wastewater systems in the face of evolving cybersecurity challenges.