Hi All,
The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) often identify internet-exposed Human Machine Interfaces (HMIs) through scanning via publicly available web-based search platforms. HMIs enable operational technology (OT) owners and operators to read Supervisory Control and Data Acquisition (SCADA) systems connected to programmable logic controllers (PLCs). In the absence of cybersecurity controls, unauthorized users can exploit exposed HMIs in Water and Wastewater Systems to:
View the contents of the HMI (including the graphical user interface, distribution system maps, event logs, and security settings) and
Make unauthorized changes and potentially disrupt the facility's water and/or wastewater treatment process.
Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily. For example, in 2024, pro-Russia hacktivists manipulated HMIs at Water and Wastewater Systems, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water utility operators. These instances resulted in operational impacts at water systems and forced victims to revert to manual operations. (For more information, see the joint fact sheet Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity. https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf) EPA and CISA are releasing this fact sheet to provide Water and Wastewater Systems with recommendations for limiting the exposure of HMIs on the internet and securing them against malicious cyber activity.
------------------------------
Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
------------------------------