CISA and the EPA recently released a joint fact sheet titled “Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems.” The fact sheet offers guidance to water and wastewater systems organizations on how to minimize the exposure of human-machine interfaces and protect them from cyber threats. As various threat groups and hacktivists have targeted the WWS sector, WaterISAC strongly urges members to review the fact sheet and its guidance.
To understand the extent of exposed ICS devices in the WWS sector, consider the Censys data WaterISAC recently shared: “the 2024 State of the Internet Report from Censys reveals data of over 145,000 internet-exposed ICS devices globally, with more than one-third located in the U.S. alone.” While this data is troubling, the real number of exposed ICS devices is known to be much higher, as shown by the PLCHound researchers.
To mitigate the risks of cyberattacks, water and wastewater facilities are advised to inventory all internet-exposed devices, disconnect HMIs and other unprotected systems from the internet or secure them with strong usernames and passwords, and use multi-factor authentication (MFA) for HMIs and for the entire OT network.
WaterISAC strongly encourages utilities to review the fact sheet and implement the actions listed in the mitigations section. They are included below for member convenience. Access the full fact sheet at CISA.
EPA and CISA strongly encourage Water and Wastewater Systems to implement the following mitigations to harden remote access to HMIs. Organizations may need to consult with their system integrators and request the implementation of these mitigations.
- Conduct an inventory of all internet-exposed devices.
- If possible, disconnect HMIs and all other accessible and unprotected systems from the public-facing internet.
- If it is not possible to disconnect the device, secure it by creating a username and strong password to prevent a threat actor from easily viewing and accessing the devices. Change factory default passwords.
- Implement a strong password and multifactor authentication (MFA) for all access to the HMI and OT network.
- Implement network segmentation by enabling a demilitarized zone (DMZ) or a bastion host at the OT network boundary.
- Implement geo-fencing across the entire network and enforce network segmentation based on specific locations.
- Keep all systems and software up to date with patches and necessary security updates.
- Establish an allowlist that permits only authorized IP addresses to access the devices.
- Log remote logins to HMIs; be aware of failed attempts and unusual times.
- Implement your vendor’s recommendations for best securing your product.
- Sign up for CISA’s free cybersecurity vulnerability scanning service to identify software vulnerabilities and confirm that patching is up to date and done correctly.
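The allowlist and login-logging mitigations above can be checked together against an HMI's remote-login records. The following is an added example, not part of the CISA/EPA fact sheet: the log format, allowlisted addresses, staffed hours and failure threshold are all assumptions made for illustration, and the sample log is constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed values for illustration: site allowlist, staffed hours, failure threshold.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.17/32")]
WORK_HOURS = range(6, 19)   # 06:00-18:59 local time
MAX_FAILURES = 3

# Constructed sample log: ISO timestamp, source IP, user, result.
SAMPLE_LOG = """\
2025-01-14T08:12:03,192.0.2.5,operator1,success
2025-01-14T09:40:11,203.0.113.44,admin,failure
2025-01-14T09:40:19,203.0.113.44,admin,failure
2025-01-14T09:40:27,203.0.113.44,admin,failure
2025-01-15T02:31:50,192.0.2.5,operator1,success
2025-01-15T10:05:00,198.51.100.17,integrator,failure
"""

def review_logins(log_text, allowlist=ALLOWLIST, hours=WORK_HOURS, max_failures=MAX_FAILURES):
    """Return (line_no, reason) findings for an HMI remote-login log."""
    findings, failures = [], Counter()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            findings.append((line_no, "unparseable line"))
            continue
        stamp, src, user, result = parts
        try:
            when = datetime.fromisoformat(stamp)
            addr = ipaddress.ip_address(src)
        except ValueError:
            findings.append((line_no, "unparseable line"))
            continue
        # Any login attempt from outside the allowlist means the filter is missing or bypassed.
        if not any(addr in net for net in allowlist):
            findings.append((line_no, f"source {addr} not on allowlist"))
        # A successful login outside staffed hours deserves a follow-up with the operator.
        if result == "success" and when.hour not in hours:
            findings.append((line_no, f"login by {user} at unusual time {when:%H:%M}"))
        # Report once when a source reaches the failure threshold.
        if result == "failure":
            failures[addr] += 1
            if failures[addr] == max_failures:
                findings.append((line_no, f"{max_failures} failed attempts from {addr}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in review_logins(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Real HMI and remote-access products log in their own formats, so the parsing step would need to be adapted to whatever the vendor or system integrator exposes.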
Additional Resources