- CISA and EPA issued a new warning late last week
- Water and wastewater companies urged to better protect their endpoints
- HMIs are particularly vulnerable, they said
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have issued a warning to all water facilities in the country to secure their human-machine interfaces (HMIs) and water and wastewater systems (WWS) against possible cyberattacks.
Human-machine interfaces (HMI) are systems or devices that enable interaction between humans and machines, allowing users to control and monitor the performance of machinery, systems or devices. They include a wide range of technologies, such as touch screens, control panels and voice commands.
The two agencies said that failing to adequately secure endpoints could attract unwanted attention from cybercriminals.
Active attacks
“In the absence of cybersecurity controls, unauthorized users can exploit exposed HMIs in water and wastewater systems to: view HMI content (including graphical user interface, distribution system maps, event logs and security settings) and make unauthorized changes and potentially disrupt the facility's water and/or wastewater treatment process,” the announcement warned.
To prove their point, the agencies reminded everyone that “pro-Russian hacktivists” have already demonstrated their ability to find and exploit Internet-exposed HMIs, causing water pumps and blower equipment to exceed their normal operating parameters.
In each case, the hacktivists maximized set points, altered other settings, disabled alarm mechanisms, and changed administrative passwords to lock out water utility operators. “These cases caused operational impacts to water systems and forced victims to return to manual operations.”
Additionally, in early January 2024, a department at Veolia North America, a transnational company offering water, energy, and waste recycling management services, suffered a ransomware attack that resulted in the theft of some personal data and forced the company to take some of its infrastructure offline as well.