In a recent advisory issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA), water and wastewater system facilities have been urged to secure internet-exposed human-machine interfaces (HMIs). According to the statement, exposed HMIs could enable malicious actors to access information or manipulate the industrial control systems (ICS). In observed attacks, threat actors were able to tamper with settings, disable alarms, and alter administrative passcodes. 

Here, security leaders discuss the risks of internet-exposed HMIs in water facilities. 

Security leaders weigh in 

Casey Ellis, Founder and Advisor at Bugcrowd:

Safety-critical control systems, like the water and wastewater HMIs mentioned in the advisory, should never be on the Internet. While it may be possible to patch, password-protect and otherwise secure HMIs, a failure in any of these controls, while connected to the public Internet, leaves essential services easily exploitable by anyone, including nation-state threat actors. 

The broader problem is that the pandemic forced ICS users, including critical infrastructure, to cater to remote work. This prompted a bunch of bad security decisions. At a minimum, this stuff should always be firewalled off from public addressing. The secondary issue is that critical systems are uptime-sensitive, therefore, securing them properly often isn’t as simple as “applying patches” or “enabling MFA”. 

Mr. Venky Raju, Field CTO at ColorTokens:

Exposing HMI systems to the Internet can have serious public health and safety consequences. 

HMI systems provide operators and technicians with direct access to industrial control systems at the facility. As the equipment is often spread across many buildings and plants, HMI systems are frequently connected to networks permitting access from centralized locations. In many cases, remote access to these HMIs is also necessary. Ideally, remote access to these HMIs will be protected with a VPN or a zero trust network access solution, with policy-based access controls that govern who can access the system and when. However, due to limited budgets and resource constraints, many municipal organizations such as water supply, wastewater, and other utilities, resort to making these HMIs directly accessible over the Internet. 

Eric Schwake, Director of Cybersecurity Strategy at Salt Security:

Exposing HMIs to the public internet, particularly at critical infrastructure facilities like water treatment plants, poses significant risks. This exposure creates a direct pathway for attackers to disrupt essential services and potentially cause considerable harm. HMIs, designed for remote monitoring and control, can become entry points for malicious actors to manipulate industrial control systems (ICS). Such manipulation may lead to disruptions in the water supply, contamination of water resources, or even physical damage to equipment.

While this advisory specifically focuses on HMIs, it highlights the broader need to secure all internet-facing components of critical infrastructure, including APIs. APIs are increasingly utilized to integrate and manage various systems within these facilities, and their vulnerability can also pose serious risks. Organizations must prioritize strong API security measures, including robust authentication, authorization, and encryption, to prevent unauthorized access and protect against potential attacks.