The U.S. government is pressing organizations in the water and wastewater systems sector to prioritize the security of human-machine interfaces (HMIs) that connect industrial equipment to the Internet. The latest warning, outlined in a joint fact sheet published by the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA), emphasizes the critical vulnerabilities of exposed HMIs and the potential consequences of neglecting proper cybersecurity practices.
What Are HMIs and Why Are They Vulnerable?
Human-machine interfaces (HMIs) are critical components of operational technology (OT) systems. They allow operators to monitor and control industrial processes, often via supervisory control and data acquisition (SCADA) systems. HMIs are commonly found in industrial environments, including water and wastewater facilities, where they help manage pumps, valves, and other essential equipment. These interfaces rely on touchscreens, keyboards, or software applications to enable remote control and oversight.
However, when HMIs are improperly secured and exposed to the internet, they become prime targets for cyberattacks. Malicious actors can exploit these weaknesses to manipulate or disrupt operations. For sectors as vital as water and wastewater management, the consequences of a cyberattack can range from operational disruptions to public safety risks.
The joint fact sheet states: “Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily. For example, in 2024, pro-Russia hacktivists manipulated HMIs at water and wastewater systems, causing water pumps and blower equipment to exceed their normal operating parameters.”
The warning is a stark reminder of growing cyber risks in critical infrastructure. In many cases, internet-exposed HMIs are insufficiently protected by firewalls, multi-factor authentication, or regular patching, making them vulnerable to opportunistic and targeted attacks.
Recent Incidents Highlight the Risks
The fact sheet references attacks in 2024 in which pro-Russian hacktivists targeted water systems, demonstrating how easy it is to exploit unsecured HMIs. By gaining access to these systems, attackers forced equipment such as water pumps and blowers to exceed safe operating limits, potentially damaging critical infrastructure and disrupting water supply processes. Similar attacks have been reported in other industrial sectors, underscoring the importance of robust cybersecurity measures. While these systems are integral to automation and operational efficiency, their exposure to the internet without adequate protection poses a significant risk.
The Call to Action
To mitigate these threats, the EPA and CISA urge organizations to take immediate steps to secure HMIs. Key recommendations include:
- Disconnecting non-essential HMIs from the Internet: Organizations should eliminate internet exposure wherever possible to reduce attack surfaces.
- Implementing multi-factor authentication (MFA): Adding layers of security makes it harder for attackers to gain unauthorized access.
- Conducting regular vulnerability assessments: Identifying and addressing cybersecurity weaknesses is crucial.
- Updating and patching systems: Regular updates for software and firmware are essential to defend against known vulnerabilities.
- Segmenting networks: Separating OT systems from IT networks limits an attacker’s ability to move laterally within a network.
These measures align with broader federal efforts to strengthen the cybersecurity posture of critical infrastructure sectors under increased threat from state-sponsored actors and cybercriminals.
Rising Importance of Cybersecurity in Critical Infrastructure
The water and wastewater sector has long been identified as a potential cyberattack target. Given these systems’ essential role in public health and safety, even minor disruptions can have significant downstream effects. In 2021, a high-profile attack on a water treatment plant in Florida highlighted the dangers of weak cybersecurity when an intruder attempted to manipulate chemical levels in the water supply. As geopolitical tensions intensify, cyber threat actors increasingly target critical infrastructure to create chaos, undermine confidence, and cause economic disruption. In its latest assessment, CISA reiterated that securing water systems is not just about safeguarding operations but also protecting public trust.
Moving Forward
The EPA and CISA’s joint effort reflects the urgency of the water sector’s cybersecurity challenges. By securing HMIs and adhering to best practices, organizations can significantly reduce cyberattack risks. The agencies continue to provide resources and guidance to assist facility operators in enhancing their defenses.
For detailed recommendations, access the full fact sheet here: CISA and EPA HMI Security Guidance (PDF)
As cyberattacks grow in frequency and sophistication, safeguarding critical infrastructure requires vigilance, collaboration, and proactive measures. The consequences of inaction are too severe to ignore.
Read the full report here: CISA and EPA Fact Sheet.
