The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector. The fact sheet, titled Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems, offers practical guidance for WWS facilities to mitigate the risks associated with unsecured HMIs and protect their operations from malicious cyber activity.
HMIs are integral to the operation of supervisory control and data acquisition (SCADA) systems, which are commonly used in Water and Wastewater Systems (WWS) to monitor and control a wide array of infrastructure. These systems are often connected to programmable logic controllers (PLCs), which manage real-time operations. However, when HMIs are exposed to the internet without proper security measures, they become vulnerable to exploitation by cybercriminals and other threat actors.
The Dangers of Exposed Human Machine Interfaces in WWS
Human Machine Interfaces serve as the critical bridge between operational technology (OT) and system operators, allowing them to monitor and control various aspects of WWS operations. However, when HMIs are exposed to the internet, they can be accessed by unauthorized users, putting vital water and wastewater operations at risk.
According to the joint fact sheet, unauthorized access to exposed HMIs allows malicious actors to:
- View sensitive information, including graphical user interfaces, distribution system maps, event logs, and security settings.
- Make unauthorized modifications, potentially disrupting water and wastewater treatment processes, which can lead to severe operational impacts.
One distressing trend that has emerged in recent years is the ability of threat actors to easily identify and exploit internet-exposed HMIs with weak or no cybersecurity defenses. In 2024, pro-Russia hacktivists exploited vulnerabilities in exposed HMIs at multiple Water and Wastewater Systems facilities.
These attackers manipulated system settings to push water pumps and blower equipment beyond their safe operating limits, altered critical settings, deactivated alarm mechanisms, and locked out system operators by changing administrative passwords. The result was a forced reversion to manual operations, disrupting services.
Mitigation Strategies for Securing HMIs
In response to these growing concerns, CISA and EPA have outlined several mitigations that WWS organizations should implement to enhance the security of their Human Machine Interfaces and protect against cyber threats. These recommendations are vital to hardening remote access to HMIs and ensuring that only authorized personnel can interact with these systems.
- Organizations should identify all HMIs and related systems that are accessible from the public internet. This allows for a comprehensive understanding of the vulnerabilities within the system.
- If possible, disconnect any internet-facing HMIs from the public network. If disconnection is not feasible, it is essential to secure them with strong access controls, including complex usernames and passwords.
- Multifactor authentication should be implemented for all remote access to HMIs and OT networks, adding an extra layer of security to the system.
- Enabling a demilitarized zone (DMZ) or bastion host at the OT network boundary can isolate sensitive systems from the broader internet, making it harder for unauthorized actors to penetrate internal networks.
- Keeping systems and software up to date with the latest security patches is essential for closing vulnerabilities that could be exploited by cybercriminals.
- Only allow authorized IP addresses to access the HMIs, reducing the risk of unauthorized remote login attempts.
- It is important to log and review all remote logins to HMIs, paying attention to any failed login attempts or unusual login times, which could indicate suspicious activity.
Conclusion
CISA and the EPA offer valuable resources to help Water and Wastewater Systems (WWS) strengthen cybersecurity, including free vulnerability scanning and guidance like CISA’s Top Cyber Actions for Securing Water Systems and the EPA’s cybersecurity recommendations.
Tools like CISA’s Stuff Off Search help identify internet-exposed assets. As cyber threats increase, WWS must adopt strong security measures, such as access controls, multifactor authentication, and regular updates, to protect critical infrastructure and ensure the safety of water and wastewater services.
