Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

US Water Facilities Urged to Secure Access to Internet-Exposed HMIs

EPA and CISA urge organizations in the water and wastewater systems sector to harden remote access to internet-exposed human-machine interfaces (HMIs).

Water system vulnerabilities

The US government is urging organizations in the water and wastewater systems sector to ensure that internet-exposed human-machine interfaces (HMIs) providing access to industrial machines are properly secured against cyberattacks.

HMIs are components of device or software applications, such as keyboards and touchscreens, that enable operational technology (OT) owners and operators to monitor and control SCADA systems, often remotely.

According to a new fact sheet (PDF) from the Environmental Protection Agency (EPA) and the US cybersecurity agency CISA, exposed HMIs in water and wastewater systems could allow threat actors to access information about or tamper with industrial control systems (ICS).

“Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily. For example, in 2024, pro-Russia hacktivists manipulated HMIs at water and wastewater systems, causing water pumps and blower equipment to exceed their normal operating parameters,” the two agencies say.

As part of the observed attacks, the hacktivists altered settings, turned off alarms, and modified administrative passwords to lock utility operators out, impacting the systems’ operations and forcing victims to switch to manual operations.

To mitigate the risks of cyberattacks, water and wastewater facilities are advised to inventory all internet-exposed devices, disconnect HMIs and other unprotected systems from the internet or secure them with strong usernames and passwords, and use multi-factor authentication (MFA) for HMIs and for the entire OT network.

Additionally, all organizations should implement network segmentation and geo-fencing across their networks, establish an allow-list so that only authorized IP addresses can access critical systems, keep all systems and applications updated, log remote logins to HMIs, and implement vendor recommendations for securing products.

The EPA and CISA also recommend that water facilities take advantage of the free government resources available for them, such as a vulnerability scanner, a fact sheet on securing water systems, and EPA guidance on improving the security of water facilities.

Advertisement. Scroll to continue reading.

Threat actors have often targeted water facilities and the EPA warned recently that over 300 drinking water systems that serve roughly 110 million people in the US are affected by vulnerabilities that could lead to disruptions.

Related: Iranian Hackers Use IOCONTROL Malware to Target OT, IoT Devices in US, Israel

Related: Gas Chromatograph Hacking Could Have Serious Impact: Security Firm

Related: Thousands of VNC Instances Exposed to Internet as Attacks Increase

Related: Cybercriminals Have Shifted Their Attack Strategies. Are You Prepared?

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.