US government warns water firms to secure infrastructure at risk online

Image Credit: Shutterstock (Image credit: Shutterstock)

CISA and EPA released a new warning late last week
They are urging Water and Wastewater firms to better protect their endpoints
HMIs are particularly vulnerable, they said

The US Cybersecurity and Infrastructure Security Agency (CISA), and the Environmental Protection Agency (EPA), has issued a warning to all water facilities in the country to secure their Human Machine Interfaces (HMI) and Water and Wastewater Systems (WWS) from potential cyberattacks.

Human-Machine Interfaces (HMIs) are systems or devices that enable interaction between humans and machines, allowing users to control and monitor the performance of machinery, systems, or devices. They include a wide range of technologies, such as touchscreens, control panels, and voice commands.

The two agencies said failing to protect the endpoints properly could draw in unwanted attention from cybercriminals.

Active attacks

“In the absence of cybersecurity controls, unauthorized users can exploit exposed HMIs in Water and Wastewater Systems to: View the contents of the HMI (including the graphical user interface, distribution system maps, event logs, and security settings) and make unauthorized changes and potentially disrupt the facility’s water and/or wastewater treatment process,” the announcement warned.

To prove their point, the agencies reminded everyone that “pro-Russian hacktivists” already demonstrated their capability to find and exploit internet-exposed HMIs, causing water pumps and blower equipment to exceed their normal operating parameters.

”In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water utility operators. These instances resulted in operational impacts at water systems and forced victims to revert to manual operations.”

Although the announcement shares no names, we do know that American Water Works Company, the largest public water and wastewater utility company in the United States, suffered a cyberattack which forced it to shut down parts of its infrastructure in early October 2024.

Also, earlier in January 2024, a department in Veolia North America, a transnational company offering water, energy and waste recycling management services, suffered a ransomware attack which resulted in the theft of some personal data, and forced the company to take parts of its infrastructure offline, as well.

American Water hit by cyberattack, takes some systems offline
Here's a list of the best antivirus offerings to keep your business protected
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.