
Summary: CISA and the EPA have issued a warning to water facilities about the need to secure Internet-exposed Human Machine Interfaces (HMIs) from potential cyberattacks. Recent incidents highlight the vulnerabilities of these systems, which can lead to significant operational disruptions.
Threat Actor: Pro-Russia hacktivists
Victim: Arkansas City’s water treatment facility
Key Points:
- HMIs allow operators to monitor and control industrial machines, making them critical for water treatment processes.
- Recent attacks have demonstrated how threat actors can manipulate HMIs, leading to unauthorized changes and operational disruptions.
- Federal agencies are urging water utilities to enhance cybersecurity measures to protect against these vulnerabilities.
- Past incidents include breaches by both Russian and Iranian threat actors targeting U.S. water facilities.
- Guidance has been issued to help water facility operators reduce their exposure to cyber threats.

CISA and the Environmental Protection Agency (EPA) warned water facilities today to secure Internet-exposed Human Machine Interfaces (HMIs) from cyberattacks.
HMIs are dashboards or user interfaces that help human operators connect to, monitor, and control industrial machines and devices via tablets, portable computers, or built-in displays.
“In the absence of cybersecurity controls, threat actors can exploit exposed HMIs at WWS Sector utilities to view the contents of the HMI, make unauthorized changes, and potentially disrupt the facility’s water and/or wastewater treatment process,” the two federal agencies said on Friday.
“For example, in 2024, pro-Russia hacktivists manipulated HMIs at Water and Wastewater Systems, causing water pumps and blower equipment to exceed their normal operating parameters. In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water utility operators,” a joint advisory warns.
EPA and CISA “strongly” encourage Water and Wastewater Systems defenders to harden remote access to HMIs on their networks by implementing the mitigations in today’s advisory.
Attacks that successfully compromise such systems can have a major operational impact and force breached organizations to revert to manual operations. For instance, cyberattacks targeting the systems of Arkansas City’s water treatment facility and American Water, the largest publicly traded U.S. water and wastewater utility company, forced them to switch to manual mode in September and shut down some systems in October, respectively.
Critical water infrastructure under attack
Arkansas City’s water plant was hit only two days after the Water Information Sharing and Analysis Center (WaterISAC), a nonprofit that helps protect water utilities from physical and cyber threats, published a TLP:AMBER advisory warning of Russian-linked threat actors targeting the U.S. water sector.
However, these are just the latest critical infrastructure organizations in the U.S. water sector that were breached in recent years.
Chinese-backed Volt Typhoon hackers hid in the network of a drinking water system for at least five years, while IRGC-affiliated Iranian threat actors breached a Pennsylvania water facility in November 2023 by hacking into Unitronics programmable logic controllers (PLCs) exposed online.
In September, the EPA issued guidance to help water plant owners and operators reduce their vulnerability to cyberattacks, right after the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two Russian cybercriminals in July for breaching U.S. water facilities.
In March, the agency, in collaboration with the White House, also alerted U.S. governors that hackers target critical infrastructure across the country’s water sector. This warning came one month after the EPA shared tips for defending against cyberattacks on water facilities.