The US government is imploring water and wastewater organizations to secure internet-exposed human-machine interfaces (HMIs) that provide access to industrial machines against cyberattacks. Unauthorized access to these HMIs can allow malicious actors to view sensitive information and disrupt operations.
HMIs are systems or devices that enable interaction between humans and machines, allowing users to control and monitor the performance of machinery, systems, or devices.
The call for these critical industries to act follows observations of threat actors demonstrating the capability to find and exploit internet-exposed HMIs with cybersecurity deficiencies. A statement recently released jointly by the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) details the carnage unauthorized users can cause.
The statement cites how, in 2024, pro-Russia hacktivists manipulated HMIs at Water and Wastewater Systems, causing water pumps and blower equipment to exceed their normal operating parameters. The hacktivists altered system settings and locked out operators, forcing facilities to revert to manual operations.
Recommendations for Mitigation
To combat these threats, the EPA and CISA detail in their statement 11 mitigations that organizations should implement to enhance their security. One recommendation is, if possible, to ‘disconnect HMIs and all other accessible and unprotected systems from the public-facing internet’, a drastic request that underlines the severity of the potential threat. They acknowledge that this may not always be feasible, and their other recommendations largely focus on updating software, resetting passwords, and reviewing precisely who has access to what.
Expert Reactions and Insights
Cybersecurity professionals have been reacting to the statement and giving their thoughts. Eric Schwake, Director of Cybersecurity Strategy at Salt Security, believes the statement reinforces the requirement for organizations to review their own security measures. He states: ‘While this advisory specifically focuses on HMIs, it highlights the broader need to secure all internet-facing components of critical infrastructure, including APIs.’
Venky Raju, Field CTO at ColorTokens, provided a useful summary of the problems that some organizations face when implementing these measures, detailing how, while remote access is often necessary, it needs to be secured via a VPN or a Zero Trust solution with strict access controls. Fair enough. However, many municipal organizations, such as water and wastewater utilities, make these HMIs publicly accessible due to budget constraints, leaving these HMIs unsecured and vulnerable.
Emerging Malware Threats to ICS and IoT
Internet-facing HMIs represent one of the clearest and most present targets for attackers. They act as a centralized hub for managing critical infrastructure. If an attacker succeeds in compromising and controlling the HMI, they can do nearly anything to the infrastructure itself. An attacker could also harvest critical architecture information for other purposes.
In an equally concerning story this week, Help Net Security reported how Claroty’s Team82 researchers have identified a type of malware made specifically to target industrial control systems (ICS), Internet of Things (IoT), and operational technology (OT) control devices. The malware can apparently run on HMIs, routers, programmable logic controllers (PLCs), firewalls, and other Linux-based IoT/OT platforms.
Conclusion: The Path Forward
Cybersecurity in industrial environments presents challenges far different from those in IT networks. Continued pressure from powerful external bodies such as regulators, insurance companies, and government agencies acting on researched findings is helping push organizations to ensure that not only their HMI points but also their broader networks are as secure as possible against emerging threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.