Protecting critical water systems: new guidance from CISA and EPA on Internet-exposed HMIs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have released a joint fact sheet titled Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems. The document highlights critical cybersecurity risks posed by Human Machine Interfaces (HMIs) and provides actionable recommendations to mitigate potential cyberattacks.

HMIs allow operators of water and wastewater systems to interact with supervisory control and data acquisition (SCADA) systems connected to programmable logic controllers (PLCs). However, without proper cybersecurity controls, these interfaces can be exploited by malicious actors. Hackers can manipulate HMIs to disrupt operations, view sensitive information, alter system settings, and lock operators out of critical systems. According to the fact sheet, in 2024 pro-Russia hacktivists targeted HMIs at water utilities, forcing systems into unsafe operating conditions. For example, threat actors manipulated set points, turned off alarms, and changed administrative credentials, leading to operational disruptions and a reliance on manual operations.

To mitigate these threats, CISA and EPA strongly recommend a series of mitigations that harden remote access to HMIs. They include conducting a thorough inventory of all internet-exposed devices and disconnecting HMIs from the public-facing internet whenever possible. Additionally, they advise implementing strong passwords, multifactor authentication (MFA), and network segmentation using a demilitarized zone (DMZ) or bastion host. Other key measures include applying geo-fencing, ensuring regular system updates and security patches, and logging and monitoring remote logins to detect any unusual activity.
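The last two recommendations, geo-fencing and monitoring remote logins, can be combined into a simple detection pass over HMI audit logs. The following is an added example, not code from CISA, EPA or any HMI vendor; the key=value log format, the sample events, the allowed geography and the trusted network range are all constructed assumptions, and the events mirror the activity the fact sheet describes (a remote login followed by set point changes, alarm disabling and a credential change).

```python
import ipaddress

# Constructed sample HMI audit log in an assumed key=value format (not any real product's).
SAMPLE_LOG = """\
ts=2024-04-12T02:11:05Z event=login user=operator src=203.0.113.45 geo=RU result=success
ts=2024-04-12T02:12:40Z event=setpoint_change user=operator src=203.0.113.45 tag=chlorine_dose old=1.2 new=9.5
ts=2024-04-12T02:13:02Z event=alarm_disable user=operator src=203.0.113.45 tag=high_chlorine
ts=2024-04-12T02:14:30Z event=password_change user=operator src=203.0.113.45 target=admin
ts=2024-04-12T08:05:11Z event=login user=operator src=10.20.30.7 geo=US result=success
ts=2024-04-12T08:06:00Z event=setpoint_change user=operator src=10.20.30.7 tag=chlorine_dose old=1.2 new=1.3
"""

# Site policy (assumed values): the geo-fence and the trusted OT/DMZ network.
ALLOWED_GEO = {"US"}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SENSITIVE_EVENTS = {"alarm_disable", "password_change", "setpoint_change"}
MAX_SETPOINT_RATIO = 0.5   # flag any set point moved by more than 50%

def parse_event(line):
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def outside_fence(event):
    """True when a login comes from outside both the trusted network and the allowed geography."""
    ip = ipaddress.ip_address(event["src"])
    on_trusted_net = any(ip in net for net in TRUSTED_NETS)
    return not on_trusted_net and event.get("geo") not in ALLOWED_GEO

def large_setpoint_change(event):
    """True when a set point moved by more than MAX_SETPOINT_RATIO relative to its old value."""
    old, new = float(event["old"]), float(event["new"])
    return old != 0 and abs(new - old) / abs(old) > MAX_SETPOINT_RATIO

def detect(log_text):
    """Return (timestamp, reason) findings for an analyst to review."""
    findings = []
    flagged_sessions = set()   # source IPs whose login fell outside the geo-fence
    for line in log_text.splitlines():
        e = parse_event(line)
        src = e["src"]
        if e["event"] == "login" and e.get("result") == "success":
            if outside_fence(e):
                flagged_sessions.add(src)
                findings.append((e["ts"], f"remote login outside geo-fence from {src} ({e.get('geo')})"))
        elif src in flagged_sessions and e["event"] in SENSITIVE_EVENTS:
            findings.append((e["ts"], f"{e['event']} by out-of-fence session {src}"))
        elif e["event"] == "setpoint_change" and large_setpoint_change(e):
            findings.append((e["ts"], f"large set point change on {e['tag']}: {e['old']} -> {e['new']}"))
    return findings
```

Running `detect(SAMPLE_LOG)` flags the four out-of-fence events and leaves the routine on-site login and its small adjustment alone; the same pass also catches a large set point change made from inside the fence, since a compromised on-site account would not trip the geo check.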

Additional resources, including free vulnerability scanning services, are available through CISA and EPA to help utilities identify and resolve cybersecurity weaknesses. In September, CISA released a cybersecurity alert emphasizing ongoing efforts to combat the active exploitation of internet-accessible operational technology (OT) and industrial control systems (ICS), with a particular focus on the water and wastewater systems (WWS) sector. Also published last September, the EPA Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems helps system owners and operators identify gaps in their cybersecurity practices and reduce risks from cyberattacks. It also offers resources for technical assistance, training, and funding to strengthen cybersecurity defenses.

The new fact sheet underscores the growing importance of cybersecurity for critical infrastructure, as threat actors increasingly target operational technology systems in the water and wastewater sector. Just last month, the EPA’s Office of Inspector General released a report highlighting cybersecurity concerns in drinking water systems serving populations of 50,000 or more. A passive assessment evaluated cybersecurity vulnerabilities in 1,062 drinking water systems, which collectively serve more than 193 million people nationwide. It identified 97 drinking water systems serving approximately 26.6 million users as having either critical or high-risk cybersecurity vulnerabilities, while an additional 211 drinking water systems, serving over 82.7 million people, were identified as medium or low risk. According to the report, if exploited by malicious actors, these vulnerabilities could disrupt service or cause irreparable physical damage to drinking water infrastructure.
