
US Water Facilities Urged to Secure Access to Internet-Exposed HMIs

EPA and CISA urge organizations in the water and wastewater systems sector to harden remote access to internet-exposed human-machine interfaces (HMIs).


The US government is urging organizations in the water and wastewater systems sector to ensure that internet-exposed human-machine interfaces (HMIs) providing access to industrial machines are properly secured against cyberattacks.

HMIs are components of devices or software applications, such as keyboards and touchscreens, that enable operational technology (OT) owners and operators to monitor and control SCADA systems, often remotely.

According to a new fact sheet (PDF) from the Environmental Protection Agency (EPA) and the US cybersecurity agency CISA, exposed HMIs in water and wastewater systems could allow threat actors to access information about or tamper with industrial control systems (ICS).

“Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily. For example, in 2024, pro-Russia hacktivists manipulated HMIs at water and wastewater systems, causing water pumps and blower equipment to exceed their normal operating parameters,” the two agencies say.

As part of the observed attacks, the hacktivists altered settings, turned off alarms, and modified administrative passwords to lock utility operators out, impacting the systems’ operations and forcing victims to switch to manual operations.

To mitigate the risks of cyberattacks, water and wastewater facilities are advised to inventory all internet-exposed devices, disconnect HMIs and other unprotected systems from the internet or secure them with strong usernames and passwords, and use multi-factor authentication (MFA) for HMIs and for the entire OT network.


Additionally, all organizations should implement network segmentation and geo-fencing across their networks, establish an allow-list so that only authorized IP addresses can access critical systems, keep all systems and applications updated, log remote logins to HMIs, and implement vendor recommendations for securing products.
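To illustrate the allow-list and login-logging recommendations, the following added example (not taken from the EPA/CISA fact sheet or from any vendor product) audits HMI remote-access log entries against a list of authorized source networks. The log format, event names and IP ranges are constructed assumptions; the flagged events mirror the alarm, password and settings changes described in the 2024 incidents.

```python
import ipaddress

# Assumed allow-list of authorized source networks (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("192.0.2.0/28", "198.51.100.17/32")]

# Event names are hypothetical; they stand for the actions the article
# says attackers took: changing settings, disabling alarms, changing passwords.
RISKY_ACTIONS = {"SETPOINT_CHANGED", "ALARM_DISABLED", "PASSWORD_CHANGED"}

# Constructed sample log: timestamp, source IP, user, event.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z 192.0.2.5 operator1 LOGIN_OK
2024-05-01T08:05:40Z 192.0.2.5 operator1 SETPOINT_CHANGED
2024-05-02T02:13:09Z 203.0.113.44 admin LOGIN_OK
2024-05-02T02:14:30Z 203.0.113.44 admin ALARM_DISABLED
2024-05-02T02:15:02Z 203.0.113.44 admin PASSWORD_CHANGED
2024-05-02T09:00:00Z 198.51.100.17 vendor LOGIN_FAILED
2024-05-02T09:30:00Z bad-entry
"""

def audit(log_text):
    """Return (line_no, severity, detail) for every entry needing review."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            _ts, src, user, event = line.split()
            ip = ipaddress.ip_address(src)
        except ValueError:
            # Wrong field count or bad IP: report it rather than drop it.
            findings.append((line_no, "unparsed", line))
            continue
        if any(ip in net for net in ALLOWED_NETS):
            continue  # authorized source; this check covers source IP only
        if event in RISKY_ACTIONS:
            severity = "critical"   # control change from an unauthorized source
        elif event == "LOGIN_OK":
            severity = "high"       # successful login from outside the allow-list
        else:
            severity = "low"        # e.g. failed attempts from outside
        findings.append((line_no, severity, f"{src} {user} {event}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any "high" or "critical" finding also indicates that the network-level allow-list is not being enforced, since the connection should have been blocked before it reached the HMI.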

The EPA and CISA also recommend that water facilities take advantage of the free government resources available for them, such as a vulnerability scanner, a fact sheet on securing water systems, and EPA guidance on improving the security of water facilities.

Threat actors have often targeted water facilities, and the EPA warned recently that over 300 drinking water systems that serve roughly 110 million people in the US are affected by vulnerabilities that could lead to disruptions.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
