The U.S. government is sounding the alarm on a growing cybersecurity risk for critical infrastructure—internet-exposed Human-Machine Interfaces (HMIs). In a joint advisory released by the Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA), organizations in the Water and Wastewater Systems sector are urged to secure HMIs, which provide critical access to industrial machines and control systems.
Failure to do so could allow malicious actors to disrupt operations, alter critical processes, and endanger public health and safety.
What Are HMIs and Why Are They at Risk?
HMIs are systems that allow human operators to monitor and control Industrial Control Systems (ICS), such as those used in water treatment facilities. However, when improperly configured or left exposed to the internet, HMIs become prime targets for cyberattacks. Threat actors can:
- View sensitive system information, such as distribution maps and security settings
- Alter settings to run systems outside normal parameters
- Disable alarms or change passwords to lock out operators
The advisory notes real-world incidents where pro-Russia hacktivists manipulated HMIs in water systems, maxing out equipment settings, disabling alarms, and forcing utilities to revert to manual operations. This underscores the urgent need to secure these systems.
According to Casey Ellis, Founder and Advisor at Bugcrowd, safety-critical control systems like HMIs "should never be on the Internet." While it is possible to patch and password-protect these systems, Ellis warns that a failure in any of these controls could leave essential services exposed to exploitation by nation-state actors or other malicious groups. He points to the broader problem stemming from the pandemic, which forced ICS users to cater to remote work, often leading to "a bunch of bad security decisions."
At a minimum, these systems should be firewalled off from public addressing, Ellis stresses.
Why Are HMIs Being Exposed?
The shift to remote work during the pandemic exacerbated ICS vulnerabilities. Municipal utilities and water treatment plants, constrained by limited budgets and resource shortages, often took shortcuts to enable remote access. Instead of using secure solutions like VPNs or Zero Trust architectures, many HMIs were directly connected to the internet, exposing them to attackers.
Venky Raju, Field CTO at ColorTokens, highlights the severe public health and safety risks associated with these decisions.
"Exposing HMI systems to the Internet can have serious consequences," Raju explains. Many of these systems are easily discoverable using tools like Shodan or Censys, which reveal IP addresses, open ports, and even screenshots of login screens—sometimes with prefilled usernames. Making matters worse, Raju notes that many HMIs run on outdated operating systems and often still use default administrative credentials, which attackers can exploit with minimal effort.
Raju warns, "Once attackers gain access, they can do almost anything—force equipment to exceed safety limits, overflow water tanks, or dangerously alter chemical levels in treatment systems." These scenarios are not hypothetical; they have already happened in real-world incidents.
Security Beyond HMIs: APIs and Integration Risks
While the advisory focuses on HMIs, Eric Schwake, Director of Cybersecurity Strategy at Salt Security, emphasizes that this issue is part of a larger cybersecurity challenge for critical infrastructure.
"Exposing HMIs to the public internet creates a direct pathway for attackers to disrupt essential services," Schwake says, underscoring the risks to public health. However, he adds that organizations must also address the broader integration risks posed by modern industrial systems:
"APIs are increasingly used to manage and integrate systems within critical infrastructure. Without strong authentication, authorization, and encryption, APIs can become additional entry points for attackers."
This highlights the need for a holistic approach to securing all internet-facing components of ICS environments, not just HMIs.
Key Mitigations to Protect HMIs
The EPA and CISA advisory outlines essential steps organizations can take to secure their systems:
- Inventory and Disconnect: Identify all internet-exposed devices and disconnect them from public networks if possible.
- Secure Access: Use strong passwords, enable multifactor authentication (MFA), and disable default credentials.
- Network Segmentation: Implement a Demilitarized Zone (DMZ) or bastion host to isolate critical OT networks.
- Geo-Fencing: Limit access based on geographical location and implement IP allowlisting.
- Patch and Update: Regularly update systems and software to fix vulnerabilities.
- Monitor Access: Log all remote logins and watch for unusual activity or failed login attempts.
The advisory also encourages water utilities to use CISA's free vulnerability scanning services to identify and address system weaknesses.
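As an added illustration of the IP allowlisting and Monitor Access items (not code from the advisory or from SecureWorld), the following Python sketch reviews remote-login events for logins from outside an allowlist and for repeated failures. The log format, the allowlisted networks, the threshold, and the sample events are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Assumed allowlist (constructed values): bastion subnet and one VPN egress address.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
FAILED_THRESHOLD = 3  # assumed: failures from one source before alerting

# Assumed log format, one remote-login event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) hmi=(?P<hmi>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample events, not taken from any real system.
SAMPLE_LOG = """\
2025-01-06T08:01:12Z hmi=plant1-hmi user=operator1 src=10.20.0.15 result=OK
2025-01-06T08:14:40Z hmi=plant1-hmi user=admin src=203.0.113.77 result=FAIL
2025-01-06T08:14:43Z hmi=plant1-hmi user=admin src=203.0.113.77 result=FAIL
2025-01-06T08:14:47Z hmi=plant1-hmi user=admin src=203.0.113.77 result=FAIL
2025-01-06T08:15:02Z hmi=plant1-hmi user=admin src=203.0.113.77 result=OK
2025-01-06T09:30:00Z hmi=plant1-hmi user=operator2 src=192.0.2.10 result=OK
"""

def is_allowed(src):
    """True only if src parses as an IP inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source: fail closed
    return any(addr in net for net in ALLOWED_NETS)

def review_logins(log_text):
    """Return (kind, hmi, detail) alerts for the events in log_text."""
    alerts, failures = [], Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            alerts.append(("unparsed_line", "", line))  # never drop silently
            continue
        key = (m["hmi"], m["src"])
        if m["result"] == "FAIL":
            failures[key] += 1
            if failures[key] == FAILED_THRESHOLD:
                alerts.append(("repeated_failures", *key))
        elif not is_allowed(m["src"]):
            alerts.append(("login_outside_allowlist", *key))
    return alerts

if __name__ == "__main__":
    for alert in review_logins(SAMPLE_LOG):
        print(alert)
```

On the sample events, the successful admin login that follows three failures from the same non-allowlisted address raises both alerts, which is the sequence a default-credential guess would leave behind.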
Water and wastewater systems are essential to public health and safety. A successful cyberattack on exposed HMIs could lead to:
- Water supply disruptions
- Contamination of water resources
- Physical damage to equipment or infrastructure
- Long-term operational challenges for utilities forced to rely on manual processes
As Schwake points out, securing HMIs is a critical first step, but organizations must also address vulnerabilities in APIs, networks, and other interconnected systems to build long-term resilience.
The joint advisory from the EPA and CISA is a wake-up call for water utilities and other organizations operating critical infrastructure. Internet-exposed HMIs are a clear, avoidable risk that attackers are actively exploiting. As Casey Ellis aptly states, "Safety-critical systems should never be on the Internet."
Organizations can reduce their attack surface and protect public health by implementing the recommended mitigations—disconnecting HMIs, securing remote access, and hardening networks.