CISA and EPA Warn of Cyber Risks to Water System Interfaces

Security

Internet-exposed Human Machine Interfaces (HMIs) pose significant risks to the Water and Wastewater Systems (WWS) sector, according to a new fact sheet jointly released by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA).

Titled Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems and published last week, the document outlines vulnerabilities and provides actionable guidance for operators to protect critical infrastructure.

HMIs are essential tools that enable facility operators to manage operational technology (OT) systems, such as supervisory control and data acquisition (SCADA) systems. When these interfaces are exposed online without adequate safeguards, they can become targets for malicious actors.

Cyber-attacks on HMIs can allow unauthorized users to manipulate water treatment processes, disable alarms or lock operators out of systems altogether. Recent incidents, including those linked to pro-Russia hacktivists, havecaused disruptions such as forcing equipment to exceed safe limits and restricting access by altering administrative passwords.

Why Securing HMIs is Critical

CISA and EPA warn that the consequences of failing to secure HMIs go beyond temporary disruptions. Exploited vulnerabilities can force facilities to revert to manual operations, which can compromise the delivery of essential water and wastewater services. The recent surge in cyber incidentstargeting WWS facilities highlights the urgency of addressing these risks.

The fact sheet emphasizes best practices for mitigating these vulnerabilities. Key recommendations include:

  • Disconnecting HMIs from public internet access when possible

  • Using strong passwords and multi-factor authentication (MFA)

  • Updating software and firmware regularly to address vulnerabilities

  • Implementing network segmentation with tools like demilitarized zones (DMZs)

  • Monitoring login attempts and investigating suspicious activity

Read more on safeguarding water and other critical infrastructure from cyberattacks: ACSC and CISA Launch Critical OT Cybersecurity Guidelines

To support the WWS sector, CISA also offers freevulnerability scanning services that help facilities identify and address weaknesses. Additional resources include the Top Cyber Actions for Securing Water Systems guide and EPA’s guidance on improving cybersecurity practices at drinking water and wastewater utilities.

Facility operators are encouraged to act quickly to implement these measures and reduce risks to their systems.

Products You May Like

Articles You May Like

Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware
US Organizations Still Using Kaspersky Products Despite Ban
Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe

Leave a Reply

Your email address will not be published. Required fields are marked *