In a recent joint effort, the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have unveiled a crucial fact sheet underscoring the cybersecurity risks associated with Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector. The fact sheet, entitled “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems,” delivers practical guidance for WWS facilities to address the vulnerabilities linked to unsecured HMIs and safeguard their operations from potential cyber threats.
Human Machine Interfaces play a pivotal role in the operation of supervisory control and data acquisition (SCADA) systems, which are extensively utilized in Water and Wastewater Systems to supervise and control a wide range of infrastructural components. These systems are often interconnected with programmable logic controllers (PLCs), which oversee real-time operations. However, when HMIs are left exposed to the internet without adequate security measures, they become susceptible to exploitation by cybercriminals and other malicious actors.
The dangers posed by exposed HMIs in WWS cannot be understated. These interfaces act as a crucial link between operational technology (OT) and system operators, enabling them to monitor and regulate various aspects of WWS operations. Nonetheless, when HMIs are accessible via the internet, unauthorized users can compromise vital water and wastewater operations.
Unauthorized access to exposed HMIs can enable malicious actors to view sensitive information, make unauthorized modifications that could disrupt water and wastewater treatment processes, and cause severe operational disruptions. Unfortunately, recent incidents have demonstrated the increasing trend of threat actors exploiting internet-exposed HMIs with weak or no cybersecurity defenses. In a notable case in 2024, pro-Russia hacktivists exploited vulnerabilities in exposed HMIs at multiple Water and Wastewater Systems facilities, resulting in forced manual operations and service disruptions.
To mitigate these risks and enhance the security of HMIs, CISA and EPA have prescribed several key strategies for WWS organizations to implement. These measures include identifying all accessible HMIs and related systems, disconnecting internet-facing HMIs if feasible, implementing robust access controls and multifactor authentication, establishing a demilitarized zone (DMZ) or bastion host at the OT network boundary, maintaining up-to-date systems and software with the latest security patches, and restricting access to HMIs to authorized IP addresses.
In conclusion, CISA and EPA present invaluable resources to assist Water and Wastewater Systems in bolstering their cybersecurity posture. By adopting strong security measures such as access controls, multifactor authentication, and regular updates, WWS can safeguard critical infrastructure and ensure the uninterrupted delivery of water and wastewater services. As cyber threats continue to evolve, it is imperative for WWS to remain vigilant and proactive in addressing cybersecurity risks to preserve the integrity of their operations.