The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a fact sheet highlighting the significant cybersecurity risks posed by internet-exposed Human Machine Interfaces (HMIs) in water and wastewater systems. These HMIs, which allow operators to monitor and control Supervisory Control and Data Acquisition (SCADA) systems, are often easily discoverable via public web-based search platforms.
When HMIs lack proper cybersecurity controls, unauthorised users can exploit them in a number of ways:
- View sensitive information: including graphical user interfaces, distribution system maps, event logs, and security settings.
- Make unauthorised changes: potentially disrupting water and/or wastewater treatment processes.
- Cause operational impacts: as seen in 2024, when pro-Russia hacktivists manipulated exposed HMIs, driving pumps and blowers beyond their normal operating parameters, turning off alarms and changing passwords.
Incidents of this kind force utilities to revert to manual operations. Threat actors have shown that these weaknesses are easy to find and easy to exploit.
To mitigate these risks, the EPA and CISA strongly recommend that water and wastewater systems implement the following measures:
- Inventory Devices: Conduct a thorough inventory of all internet-exposed devices.
- Disconnect from the Internet: If possible, disconnect HMIs and other unprotected systems from the public internet.
- Secure Access: If disconnection is not possible, change all default factory passwords and set a strong, unique username and password for every account on the device.
- Implement MFA: Require multifactor authentication, not just strong passwords, for all access to the HMI and the OT network.
- Network Segmentation: Implement a demilitarized zone (DMZ) or a bastion host at the OT network boundary so that HMIs are never reachable directly from outside. A DMZ separates the OT network from untrusted networks and makes it harder for unauthorised users to reach it, while a bastion host provides a single hardened, monitored entry point for remote access.
- Use Geo-Fencing: Restrict remote access to the geographic locations from which it is expected, and enforce network segmentation so that HMIs are reachable only from the network zones that need them.
- Keep Systems Updated: Ensure all systems and software have the latest patches and security updates.
- Create an Allowlist: Permit only authorised IP addresses to access the devices.
- Monitor Logins: Log remote logins to HMIs and review them for failed attempts, unfamiliar source addresses, and logins at unusual times.
- Follow Vendor Guidance: Implement vendor recommendations for securing products.
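The allowlist and login-monitoring items above amount to a review a utility can run over its HMI remote-access logs. The following is an added example written for this page, not from the EPA/CISA fact sheet or any vendor's product. It assumes a simple "timestamp user source_ip result" log format, a hypothetical allowlist made of a VPN address pool and an integrator's jump host, and a 06:00 to 20:00 operating window; the log lines are constructed. It flags sources outside the allowlist, logins outside the operating window, repeated failures from one source, and a success that follows such failures.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed allowlist: the utility's VPN address pool and the integrator's jump host.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "203.0.113.10/32")]

# Assumed window in which remote operator logins are expected (06:00 to 19:59).
OPERATING_HOURS = range(6, 20)

# Failed attempts from one source before they are reported as a possible brute force.
FAILED_THRESHOLD = 3

# Constructed sample log in the assumed "timestamp user source_ip result" format.
SAMPLE_LOG = """\
2024-12-13T08:02:11 operator1 10.20.4.15 SUCCESS
2024-12-13T08:05:43 operator2 10.20.4.16 SUCCESS
2024-12-13T02:14:09 admin 198.51.100.77 FAILED
2024-12-13T02:14:15 admin 198.51.100.77 FAILED
2024-12-13T02:14:22 admin 198.51.100.77 FAILED
2024-12-13T02:14:31 admin 198.51.100.77 SUCCESS
2024-12-13T22:40:00 operator1 10.20.4.15 SUCCESS
2024-12-13T09:15:00 integrator 203.0.113.10 SUCCESS
"""


def is_allowlisted(addr):
    """True if addr (string or ip_address object) falls inside an allowlisted range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in ALLOWLIST)


def parse_line(line):
    """Split one log line into its fields; the timestamp is ISO 8601."""
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}


def review_logins(log_text):
    """Return one finding per suspicious login event, in log order."""
    findings = []
    failures = Counter()  # failed attempts seen so far, per source address
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        reasons = []
        if not is_allowlisted(e["src"]):
            reasons.append("source not on allowlist")
        if e["ts"].hour not in OPERATING_HOURS:
            reasons.append("outside operating hours")
        if e["result"] == "FAILED":
            failures[e["src"]] += 1
            if failures[e["src"]] >= FAILED_THRESHOLD:
                reasons.append(f"{failures[e['src']]} failed attempts from this source")
        elif failures[e["src"]] >= FAILED_THRESHOLD:
            reasons.append(f"success after {failures[e['src']]} failed attempts")
        if not reasons:
            continue
        # A successful login from a non-allowlisted source, or one that follows a
        # run of failures, is the case that warrants an immediate response.
        critical = e["result"] == "SUCCESS" and (
            not is_allowlisted(e["src"]) or failures[e["src"]] >= FAILED_THRESHOLD)
        findings.append({"ts": e["ts"].isoformat(), "user": e["user"], "src": e["src"],
                         "severity": "high" if critical else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

On the sample log the review reports five events: the three night-time failures from 198.51.100.77, the success that follows them (rated high, since a non-allowlisted address has now logged in as admin), and an allowlisted operator login at 22:40 that is only unusual for its time. Geo-fencing is not shown here because it needs an IP-to-location dataset; in practice the allowlist check is where such a lookup would go.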
Splicecloud protects OT networks by providing deep security visibility through real-time data feeds processed by virtual or hardware probes. Splicecloud analyzes these feeds using machine learning models to identify anomalies and outliers in the OT network’s communication patterns. This is possible because OT networks typically have predictable communication patterns. Splicecloud can detect nodes and services, analyze behaviour, and identify outliers automatically. It also offers visualization of the OT network using its “Untangle” feature.
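The approach described above, learning what normal OT traffic looks like and flagging departures from it, can be shown in miniature. The following is an added example written for this page, not Splicecloud's code or a description of its models; the hosts, ports and per-interval packet counts are constructed, and in practice the flow summaries would come from a tap or span port. It learns a per-pair baseline from four polling intervals and then reports a pair never seen before, a pair whose volume jumps well above its baseline, and an expected pair that has gone quiet.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed flow summary: (src, dst, dst_port, packets) for one polling interval.
# Constructed learning windows: HMI -> two PLCs over Modbus/TCP (502) and a
# historian reaching the HMI over EtherNet/IP (44818), with small jitter.
LEARNING_WINDOWS = [
    [("10.50.1.10", "10.50.2.20", 502, 120), ("10.50.1.10", "10.50.2.21", 502, 118), ("10.50.3.5", "10.50.1.10", 44818, 30)],
    [("10.50.1.10", "10.50.2.20", 502, 121), ("10.50.1.10", "10.50.2.21", 502, 119), ("10.50.3.5", "10.50.1.10", 44818, 31)],
    [("10.50.1.10", "10.50.2.20", 502, 119), ("10.50.1.10", "10.50.2.21", 502, 120), ("10.50.3.5", "10.50.1.10", 44818, 29)],
    [("10.50.1.10", "10.50.2.20", 502, 120), ("10.50.1.10", "10.50.2.21", 502, 117), ("10.50.3.5", "10.50.1.10", 44818, 30)],
]

# Constructed observation window: polling of PLC 2 more than triples, the
# historian goes quiet, and an address outside the OT range opens RDP to the HMI.
OBSERVED_WINDOW = [
    ("10.50.1.10", "10.50.2.20", 502, 122),
    ("10.50.1.10", "10.50.2.21", 502, 400),
    ("192.0.2.44", "10.50.1.10", 3389, 12),
]

SIGMA = 3          # flag counts more than 3 standard deviations above the mean...
MIN_MARGIN = 0.25  # ...but never tighter than 25% above the mean (assumed floor,
                   # so near-constant traffic in a short learning window does not
                   # produce a threshold that trips on ordinary jitter)


def learn_baseline(windows):
    """Map each (src, dst, port) pair to the mean and std-dev of its packet counts."""
    counts = defaultdict(list)
    for window in windows:
        for src, dst, port, packets in window:
            counts[(src, dst, port)].append(packets)
    return {key: (mean(v), pstdev(v)) for key, v in counts.items()}


def detect(baseline, window):
    """Return (kind, pair, detail) findings for one observation window."""
    findings = []
    seen = set()
    for src, dst, port, packets in window:
        key = (src, dst, port)
        seen.add(key)
        if key not in baseline:
            findings.append(("new communication pair", key, f"{packets} packets"))
            continue
        avg, sd = baseline[key]
        limit = avg + max(SIGMA * sd, MIN_MARGIN * avg)
        if packets > limit:
            findings.append(("volume outlier", key, f"{packets} packets vs baseline {avg:.0f}"))
    # Predictable traffic that stops is as telling as traffic that appears.
    for key in baseline:
        if key not in seen:
            findings.append(("expected flow absent", key, "no packets this interval"))
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_WINDOWS)
    for kind, pair, detail in detect(baseline, OBSERVED_WINDOW):
        print(f"{kind}: {pair[0]} -> {pair[1]}:{pair[2]} ({detail})")
```

Run against its own learning windows the detector is silent, which is the property to check before trusting any threshold; on the observation window it reports the RDP connection from 192.0.2.44 as a new pair, the 400-packet Modbus burst as a volume outlier, and the missing historian traffic as an absent flow.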