US Water Facilities Urged to Secure Internet-Exposed HMIs
Water Systems Urged to Secure Internet-Exposed Interfaces Against Cyberattacks
U.S. water and wastewater facilities are being warned to bolster cybersecurity measures for internet-connected human-machine interfaces (HMIs) following a rise in attacks targeting critical infrastructure.
HMIs, teh touchscreens and keyboards used to control industrial systems, are increasingly vulnerable to cyberattacks if left unsecured. A new joint fact sheet from the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) highlights the growing threat.”Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily,” the agencies warn.
The agencies cite a 2024 incident where pro-Russia hacktivists targeted water and wastewater systems, manipulating HMIs to cause water pumps and blower equipment to malfunction. The attackers altered settings, disabled alarms, and changed administrative passwords, forcing operators to switch to manual controls.
Securing Critical Systems
To mitigate these risks, the EPA and CISA urge water facilities to take immediate action:
Inventory all internet-connected devices: Identify all HMIs and other systems exposed to the internet.
Disconnect or secure vulnerable systems: Isolate HMIs from the internet or implement strong usernames and passwords, along with multi-factor authentication (MFA).
Implement network segmentation and geo-fencing: Restrict access to critical systems by onyl allowing authorized IP addresses.
Keep systems updated: Regularly update all software and applications to patch vulnerabilities.
Log remote logins: Monitor and track all remote access attempts to HMIs.
Follow vendor recommendations: Adhere to security best practices provided by HMI manufacturers.
Free Resources Available
The EPA and CISA offer free resources to help water facilities enhance their cybersecurity posture:
Vulnerability scanner: A free tool to identify weaknesses in systems.
Fact sheet on securing water systems: Guidance on best practices for protecting critical infrastructure.
* EPA guidance on improving cybersecurity: Recommendations for strengthening the security of water facilities.
This warning comes as the EPA recently revealed that over 300 drinking water systems serving millions of Americans are vulnerable to cyberattacks. The agency has emphasized the need for increased vigilance and proactive security measures to protect these vital resources.
Securing Our Water: Experts Weigh in on Critical Infrastructure Threats
NewsDirectory3.com:
Facing an escalating number of cyberattacks targeting critical infrastructure, U.S. water and wastewater facilities are being urged to fortify their cybersecurity, especially for internet-connected human-machine interfaces (HMIs). Thes touchscreens and keyboards, vital for controlling industrial systems, have become prime targets for malicious actors.
We spoke with Dr. Emily Carter,a leading cybersecurity expert specializing in critical infrastructure protection,to gain insights into this evolving threat.
NewsDirectory3.com: Dr. Carter, can you elaborate on the specific risks posed by unsecured HMIs in water systems?
Dr. Carter: Certainly.HMIs provide a direct pathway into the heart of a water facility’s operational systems. If compromised, attackers can possibly manipulate system functions, leading to disruptions in water treatment, distribution, or even contamination. The recent incident involving pro-Russia hacktivists serves as a stark reminder of the real-world consequences.
NewsDirectory3.com: What steps can water utilities take to mitigate these risks?
Dr. Carter: The EPA and CISA have issued critical guidance. A extensive approach is crucial. This includes identifying all internet-connected devices, implementing strong access controls, segmenting networks to isolate critical systems, keeping software updated, and diligently monitoring remote login attempts.
NewsDirectory3.com: Are there any resources available to assist water utilities in bolstering their cybersecurity?
Dr. Carter: Absolutely. The EPA and CISA offer valuable free tools and resources, including vulnerability scanners and detailed guidance on best practices. Leveraging these resources is essential for water utilities to enhance their cybersecurity posture.
NewsDirectory3.com: What message do you have for water system operators regarding cybersecurity preparedness?
Dr.Carter: Cybersecurity is no longer an option; it’s an imperative. The threat landscape is constantly evolving, and water systems must be proactive in their defense. By implementing robust security measures and staying informed about emerging threats,they can protect this vital resource for the communities they serve.