In recent years, the cybersecurity landscape has revealed alarming vulnerabilities within the United States’ water and wastewater systems. Central to these concerns are Human-Machine Interfaces (HMIs), which serve as critical conduits between human operators and industrial control systems (ICS). When improperly configured or exposed to the internet without adequate safeguards, these interfaces become prime targets for cyber adversaries, posing significant risks to public health and safety.
Understanding HMIs and Their Role in Water Systems
HMIs are integral components in the operation of water and wastewater facilities. They provide operators with real-time data visualization, control capabilities, and system diagnostics, enabling efficient management of processes such as water treatment, distribution, and waste processing. Typically, HMIs are connected to Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control industrial processes. Through HMIs, operators can adjust parameters, respond to system alerts, and ensure the seamless delivery of essential services.
The Growing Threat Landscape
The exposure of HMIs to the public internet without robust security measures has led to a series of cyber incidents targeting water facilities. In 2024, pro-Russian hacktivists exploited vulnerabilities in internet-exposed HMIs at multiple water and wastewater systems. These attackers manipulated system settings so that equipment operated beyond safe parameters, disabled critical alarms, and changed administrative credentials to lock out legitimate operators. Such actions forced facilities to revert to manual operations, disrupting services and highlighting the pressing need for enhanced cybersecurity practices.
Governmental Response and Recommendations
In response to these escalating threats, the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint fact sheet titled “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems.” This document underscores the vulnerabilities associated with exposed HMIs and provides actionable recommendations to mitigate potential cyberattacks.
Key Recommendations Include:
1. Inventory and Assessment: Conduct a comprehensive inventory of all internet-exposed devices within the facility. Understanding the scope of exposure is the first step toward securing these systems.
2. Disconnecting Unnecessary Connections: Where feasible, disconnect HMIs and other unprotected systems from the public internet. Limiting external access reduces the attack surface available to potential adversaries.
3. Implementing Strong Authentication Measures: For systems that must remain connected, establish strong usernames and passwords, replacing any default credentials. Additionally, implement multi-factor authentication (MFA) to add an extra layer of security.
4. Network Segmentation: Utilize network segmentation strategies, such as establishing a demilitarized zone (DMZ) or deploying a bastion host at the operational technology (OT) network boundary. This approach isolates critical systems from potential threats originating from less secure networks.
5. Geo-Fencing and Access Controls: Implement geo-fencing techniques and maintain an allow-list of authorized IP addresses to restrict access to critical systems based on geographic location and predefined permissions.
6. Regular System Updates and Patching: Ensure that all systems and applications are regularly updated with the latest security patches to address known vulnerabilities.
7. Monitoring and Logging: Establish comprehensive logging of remote logins to HMIs and other critical systems. Regularly review these logs to detect and respond to unauthorized access attempts promptly.
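Recommendations 5 and 7 above (an IP allow-list and regular review of remote-login logs) can be combined into a simple review script. The following is an added example written for this article; it is not part of the EPA/CISA fact sheet and does not reflect any particular HMI vendor's log format. The allow-listed networks, the allowed country set, and the log lines are all constructed for illustration, and the one-line-per-login format (timestamp, user, source IP, country code, result) is an assumption.

```python
"""
Review HMI remote-login records against an IP allow-list and a geographic
allow-list, and flag successful logins that follow repeated failures.

Added example for this article; the log format, networks, countries and
sample records below are all constructed, not taken from any real facility.
"""
import ipaddress
from collections import Counter
from typing import Dict

# Hypothetical operator networks permitted to reach the HMI (recommendation 5).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
# Hypothetical geo-fence: only logins geolocated to these countries are expected.
ALLOWED_COUNTRIES = {"US"}

# Constructed sample log: one remote-login event per line.
# Fields: timestamp  user  source_ip  country  result
SAMPLE_LOG = """\
2024-01-18T02:14:07Z operator1 10.20.5.12 US SUCCESS
2024-01-18T02:15:33Z admin 198.51.100.7 RU FAILURE
2024-01-18T02:15:41Z admin 198.51.100.7 RU FAILURE
2024-01-18T02:15:52Z admin 198.51.100.7 RU SUCCESS
2024-01-18T03:02:10Z operator2 192.0.2.44 US SUCCESS
2024-01-18T03:40:00Z operator1 203.0.113.9 US SUCCESS
"""


def parse_line(line: str) -> dict:
    """Split one log line into its named fields."""
    ts, user, src_ip, country, result = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip, "country": country, "result": result}


def is_allowed_ip(ip: str) -> bool:
    """True when the source address falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit(log_text: str, failure_threshold: int = 2) -> Dict[str, dict]:
    """
    Return one finding per suspicious source IP (empty dict when the log is clean).
    A source is suspicious if it is outside the allow-list, outside the geo-fence,
    or logs in successfully after at least `failure_threshold` failed attempts.
    """
    findings: Dict[str, dict] = {}
    failures: Counter = Counter()  # failed attempts seen so far, per source IP
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        ip = ev["src_ip"]
        reasons = set()
        if not is_allowed_ip(ip):
            reasons.add("ip not on allow-list")
        if ev["country"] not in ALLOWED_COUNTRIES:
            reasons.add("country not allowed")
        if ev["result"] == "FAILURE":
            failures[ip] += 1
        elif failures[ip] >= failure_threshold:
            reasons.add("success after repeated failures")
        if reasons:
            f = findings.setdefault(ip, {"users": set(), "reasons": set(), "events": 0})
            f["users"].add(ev["user"])
            f["reasons"] |= reasons
            f["events"] += 1
    return findings


if __name__ == "__main__":
    for ip, f in audit(SAMPLE_LOG).items():
        print(f"{ip}: {f['events']} event(s), users={sorted(f['users'])}, "
              f"reasons={sorted(f['reasons'])}")
```

Run against the constructed sample, the script flags 198.51.100.7 (outside the allow-list and the geo-fence, and a success after two failures) and 203.0.113.9 (geolocated to an allowed country but not on the allow-list), while the two operator logins from allow-listed networks produce no finding. In practice the allow-list and country set would come from the facility's own access policy, and the log lines from the HMI or the remote-access gateway in front of it.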
Real-World Implications and Case Studies
The consequences of failing to secure HMIs are not merely theoretical. In November 2023, Iranian-backed hackers known as the Cyber Av3ngers targeted the Municipal Water Authority of Aliquippa in Pennsylvania. The attackers took control of an HMI screen, displaying a message that read: “Every equipment ‘made in Israel’ is Cyber Av3ngers legal target.” This incident underscored the ease with which adversaries can exploit exposed systems to deliver political messages and potentially disrupt essential services.
Similarly, in January 2024, the town of Muleshoe, Texas, experienced a cyber intrusion where attackers accessed a remote login system, leading to a water tank overflow and necessitating a switch to manual operations. These incidents highlight the tangible risks associated with internet-exposed HMIs and the critical need for proactive security measures.
The Broader Context: Critical Infrastructure Vulnerabilities
The vulnerabilities in water and wastewater systems are part of a larger pattern of cyber threats targeting critical infrastructure. The shift toward remote work during the COVID-19 pandemic led many facilities to enable remote access to operational systems. In some cases, this was achieved by directly connecting HMIs to the internet without implementing secure solutions like Virtual Private Networks (VPNs) or Zero Trust architectures. Such shortcuts have left essential services exposed to exploitation by nation-state actors and other malicious groups.
Moving Forward: Strengthening Cyber Resilience
To bolster the cybersecurity posture of water and wastewater systems, facility operators and administrators must prioritize the following actions:
– Comprehensive Risk Assessments: Regularly evaluate the security of all operational technology assets to identify and mitigate potential vulnerabilities.
– Employee Training and Awareness: Provide ongoing cybersecurity training for staff to recognize and respond to potential threats effectively.
– Incident Response Planning: Develop and regularly update incident response plans to ensure swift and coordinated actions in the event of a cyberattack.
– Collaboration with Authorities: Engage with federal and state agencies, such as CISA and the EPA, to stay informed about emerging threats and best practices.
– Utilization of Free Resources: Take advantage of free government resources, including vulnerability scanning services and cybersecurity guidance documents, to enhance security measures.
Conclusion
The exposure of HMIs in water and wastewater systems to the public internet without adequate security measures presents a significant and ongoing threat to critical infrastructure. By implementing the recommendations provided by the EPA and CISA, facility operators can significantly reduce the risk of cyberattacks, ensuring the continued delivery of safe and reliable water services to the public. Proactive cybersecurity practices are not merely a technical necessity but a fundamental component of safeguarding public health and maintaining trust in essential services.