CISA warns water facilities to secure HMI systems exposed online

CISA and the Environmental Protection Agency (EPA) warned water facilities today to secure Internet-exposed Human Machine Interfaces (HMIs) from cyberattacks.

HMIs are dashboards or user interfaces that help human operators connect to, monitor, and control industrial machines and devices via tablets, portable computers, or built-in displays.

“In the absence of cybersecurity controls, threat actors can exploit exposed HMIs at WWS Sector utilities to view the contents of the HMI, make unauthorized changes, and potentially disrupt the facility’s water and/or wastewater treatment process,” the two federal agencies said on Friday.

“For example, in 2024, pro-Russia hacktivists manipulated HMIs at Water and Wastewater Systems, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water utility operators,” a joint advisory warns.

EPA and CISA “strongly” encourage Water and Wastewater Systems defenders to harden remote access to HMIs on their networks by implementing the mitigations in today’s advisory.

Attacks that successfully compromise such systems can have a major operational impact and force breached organizations to revert to manual operations. For instance, cyberattacks targeting the systems of Arkansas City’s water treatment facility and American Water, the largest publicly traded U.S. water and wastewater utility company, forced them to switch to manual mode in September and shut down some systems in October, respectively.

Critical water infrastructure under attack

Arkansas City’s water plant was hit only two days after the Water Information Sharing and Analysis Center (WaterISAC), a nonprofit that helps protect water utilities from physical and cyber threats, published a TLP:AMBER advisory warning of Russian-linked threat actors targeting the U.S. water sector.

However, these are just the latest critical infrastructure organizations in the U.S. water sector that were breached in recent years.

Chinese-backed Volt Typhoon hackers hid in the network of a drinking water system for at least five years, while IRGC-affiliated Iranian threat actors breached a Pennsylvania water facility in November 2023 by hacking into Unitronics programmable logic controllers (PLCs) exposed online.

In September, the EPA issued guidance to help water plant owners and operators reduce their vulnerability to cyberattacks, right after the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two Russian cybercriminals in July for breaching U.S. water facilities.

In March, the agency also alerted U.S. governors in collaboration with the White House that hackers target critical infrastructure across the country’s water sector. This warning came one month after the EPA shared tips for defending against cyberattacks on water facilities.