CISA and EPA Warn of Cyber Risks to Water System Interfaces


Internet-exposed Human Machine Interfaces (HMIs) pose significant risks to the Water and Wastewater Systems (WWS) sector, according to a new fact sheet jointly released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA).

Titled "Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems" and published last week, the document outlines vulnerabilities and provides actionable guidance for operators to protect critical infrastructure.

HMIs are essential tools that enable facility operators to manage operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) systems. When these interfaces are exposed online without adequate safeguards, they can become targets for malicious actors.

Cyber-attacks on HMIs can allow unauthorized users to manipulate water treatment processes, disable alarms or lock operators out of systems altogether. Recent incidents, including those linked to pro-Russia hacktivists, have caused disruptions such as forcing equipment to exceed safe limits and restricting access by altering administrative passwords.

Why Securing HMIs is Critical

CISA and EPA warn that the consequences of failing to secure HMIs go beyond temporary disruptions. Exploited vulnerabilities can force facilities to revert to manual operations, which can compromise the delivery of essential water and wastewater services. The recent surge in cyber incidents targeting WWS facilities highlights the urgency of addressing these risks.

The fact sheet emphasizes best practices for mitigating these vulnerabilities. Key recommendations include:

  • Disconnecting HMIs from public internet access when possible

  • Using strong passwords and multi-factor authentication (MFA)

  • Updating software and firmware regularly to address vulnerabilities

  • Implementing network segmentation with tools like demilitarized zones (DMZs)

  • Monitoring login attempts and investigating suspicious activity


To support the WWS sector, CISA also offers free vulnerability scanning services that help facilities identify and address weaknesses. Additional resources include the Top Cyber Actions for Securing Water Systems guide and EPA’s guidance on improving cybersecurity practices at drinking water and wastewater utilities.

Facility operators are encouraged to act quickly to implement these measures and reduce risks to their systems.


