EPA, CISA Warn Water Facilities to Disconnect HMIs From Internet

EPA, CISA Warn Water Facilities to Disconnect HMIs From Internet

December 17, 2024 Catherine Williams - Chief Editor Tech

Millions of ⁣Americans at ⁢Risk: Hackers Target ‌Water Systems Through Vulnerable Interfaces

Millions of​ Americans‍ could face contaminated water⁣ or service ​disruptions as⁢ hackers increasingly ‌target vulnerable systems controlling ⁣water treatment and ‍distribution. ​ A joint advisory from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency⁤ (CISA) issued ‍on December 13th warns of ⁤the growing ⁢threat posed by unsecured Human-Machine Interfaces ⁣(HMIs) ‍in water facilities.

HMIs are the digital dashboards that allow operators to​ monitor and control critical equipment like pumps, valves, and chemical treatment systems. ⁣The advisory​ highlights the alarming ease with ‌which attackers can find and⁢ exploit these interfaces, which are often directly connected to ⁤the public internet.

“In each​ case, the hacktivists⁢ maxed out set⁢ points, ⁢altered‌ other settings, turned off alarm mechanisms,⁢ and‌ changed administrative passwords ⁤to lock out the water utility operators,” the ⁤EPA and CISA stated, referencing ⁢recent attacks ‌by pro-Russia hacktivists who manipulated HMIs at water‌ and wastewater systems, causing operational‍ disruptions.

A Ticking ​Time Bomb

Experts warn that ⁣the ⁢consequences of a triumphant attack on ​a⁣ water system could be⁤ catastrophic.

“Safety-critical control systems ⁣such as the ⁣water and ‌wastewater HMIs mentioned in the EPA-CISA advisory should never run on the internet,” ⁤says Casey‌ Ellis,founder and ​advisor at Bugcrowd.”A failure in‍ any⁤ of ⁤these controls while connected ‍to the public internet leaves essential services easily exploitable by anyone, including nation-state threat‌ actors.”

Venky Raju,​ Field CTO⁣ at ColorTokens, adds⁤ that HMIs are frequently enough‌ easy targets as they run on outdated software‌ and use default credentials, making them vulnerable ​to even basic hacking‌ techniques.“Once​ the ​attacker gains access to the HMI, they can perform almost any operation on the underlying control⁢ systems, such as switching off equipment,⁣ or running systems outside normal ‍parameters,” Raju warns.

Protecting Our Water supply

The EPA and CISA urge water facility operators ⁣to take immediate action to secure thier⁢ HMIs. This ⁣includes:

Conducting a thorough inventory of all‌ internet-exposed devices.
 Disconnecting HMIs from the ⁣public​ internet⁣ whenever possible.
Implementing⁤ strong passwords and multi-factor authentication.
 Segmenting networks to isolate HMIs from‍ other systems.

The agencies also‌ recommend using firewalls⁤ and intrusion detection systems to monitor network traffic for suspicious activity.

The stakes are⁢ high. Protecting‌ our nation’s water‍ infrastructure ‍from ⁤cyberattacks​ is not just a technological ⁣challenge,it’s a matter ‌of public⁣ health and safety.

Hackers Targeting Water Systems: A conversation with the Experts

NewsDirectory3.com: With recent advisories warning of cyberattacks on water treatment facilities,⁢ concerns about the safety of our drinking water are on the rise. To shed light on this growing threat, we spoke with cybersecurity experts Casey Ellis, founder adn advisor at Bugcrowd, and Venky ‍Raju, Field CTO at ColorTokens.

NewsDirectory3.com: ​What​ makes water ​treatment facilities ⁢particularly vulnerable⁤ to hackers?

Casey Ellis: ​Safety-critical control systems like water‍ and wastewater ‍HMIs⁣ should never run on ​the internet. ​ A failure in any of these controls while‍ connected to the public internet leaves essential services easily exploitable by anyone, including nation-state threat actors.

Venky Raju: HMIs are frequently enough easy targets. They ​frequently run on⁣ outdated software and use default ‌credentials, making them vulnerable to ⁤even basic hacking techniques. Once the attacker gains⁣ access to the HMI, they can perform almost‍ any operation on the underlying control systems, such as switching off equipment, or running‍ systems outside normal parameters.

NewsDirectory3.com: What are some of the potential consequences of a accomplished​ attack​ on a water ​system?

Casey Ellis: The consequences could be ⁤catastrophic. Imagine a scenario⁤ where ‍drinking⁢ water⁤ is contaminated, or water supply‍ is entirely ‍disrupted. The impact‌ on public health and safety would be ‍immense.

NewsDirectory3.com: What steps can ⁣be taken to protect water treatment facilities from these attacks?

Venky Raju: the EPA and ​CISA have issued crucial ‌recommendations, including⁤ conducting a⁣ thorough inventory ​of all internet-exposed devices, ⁣disconnecting HMIs from⁢ the public internet whenever‌ possible, implementing strong passwords and ‍multi-factor authentication, ⁤and segmenting networks to isolate ⁢HMIs from other systems. Additionally, using firewalls and intrusion detection systems can help monitor⁤ network ​traffic for suspicious activity.

NewsDirectory3.com: ‍What message do you have⁣ for the ⁤public about this issue?

Casey Ellis: This is a serious‍ threat that demands​ our attention. ​Protecting ‍our ⁢nation’s water infrastructure is ‌not just a ‌technological challenge; its⁤ a matter of public health and safety.We all have ‍a role to play in raising awareness and urging our leaders to prioritize cybersecurity investments.