The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Dec. 13 advisory to help water facilities protect their operations from attackers exploiting human-machine interfaces (HMIs) exposed to the public internet.
In an 11-point fact sheet, the EPA and CISA recommended that water facility operators conduct an inventory of all internet-exposed devices, and if possible, disconnect HMIs and all other accessible and unprotected systems from the public-facing internet.
The federal agencies added that if it’s not possible to disconnect a device, water operators should secure it by creating a username and strong password to prevent a threat actor from easily viewing and accessing the devices, as well as change factory default passwords. They should also implement multi-factor authentication (MFA) and segment the network by enabling a demilitarized zone (DMZ) or a bastion host at the operational technology (OT) network boundary.
According to the EPA and CISA, HMIs let OT operators read Supervisory Control and Data Acquisition (SCADA) systems connected to programmable logic controllers (PLCs). In the absence of cybersecurity controls, the agencies said attackers can exploit exposed HMIs in water and wastewater systems to view the contents of the HMI, including the graphical user interface, distribution system maps, event logs, and security settings. Attackers can also make unauthorized changes and potentially disrupt the facility.
The federal agencies said that they issued the advisory because threat actors have demonstrated the ability to easily find and exploit internet-exposed HMIs. They noted that earlier this year, pro-Russia hacktivists manipulated HMIs at water and wastewater systems, causing water pumps and blower equipment to exceed their normal operating parameters.
“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water utility operators,” said EPA and CISA officials. “These instances resulted in operational impacts at water systems and forced victims to revert to manual operations.”
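The pattern the agencies describe (set points pushed past their normal band, alarms switched off, administrative passwords changed to lock operators out) is something an HMI audit log can be checked for. The following is an added detection example, not code from the EPA/CISA fact sheet or from any HMI vendor; the pipe-delimited log format, the tag names, the normal operating limits and the sample log lines are all constructed for illustration.

```python
# Added example: flag the HMI actions the EPA/CISA advisory describes in a
# constructed HMI audit log. Log format, tags and limits are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed "normal operating" band per set-point tag (constructed values).
NORMAL_LIMITS = {"PUMP1_SPEED_SP": (0, 80), "BLOWER2_SPEED_SP": (0, 65)}
ADMIN_ACCOUNTS = {"admin", "operator"}

# Constructed audit lines: timestamp|user|event|target|old|new
SAMPLE_LOG = """\
2024-04-01T02:10:05|remote1|LOGIN|hmi-01||
2024-04-01T02:11:40|remote1|SETPOINT_CHANGE|PUMP1_SPEED_SP|55|100
2024-04-01T02:12:02|remote1|ALARM_DISABLE|HIGH_PRESSURE_ALARM|on|off
2024-04-01T02:13:30|remote1|PASSWORD_CHANGE|admin||
2024-04-01T08:00:00|op_day|SETPOINT_CHANGE|BLOWER2_SPEED_SP|50|55
"""

def parse(line):
    ts, user, event, target, old, new = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "target": target, "old": old, "new": new}

def check_record(rec):
    """Return a finding name for one record, or None if it looks benign."""
    if rec["event"] == "SETPOINT_CHANGE" and rec["target"] in NORMAL_LIMITS:
        lo, hi = NORMAL_LIMITS[rec["target"]]
        if not lo <= float(rec["new"]) <= hi:
            return "setpoint_outside_normal_range"
    if rec["event"] == "ALARM_DISABLE":
        return "alarm_disabled"
    if rec["event"] == "PASSWORD_CHANGE" and rec["target"] in ADMIN_ACCOUNTS:
        return "admin_password_changed"
    return None

def analyze(log_text, window=timedelta(minutes=15)):
    """Per-record findings, plus a high-severity 'lockout_pattern' when one
    user triggers two or more distinct finding types inside `window`."""
    findings, per_user = [], defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse(line)
        name = check_record(rec)
        if name:
            findings.append({"severity": "medium", "rule": name, "user": rec["user"],
                             "target": rec["target"], "ts": rec["ts"].isoformat()})
            per_user[rec["user"]].append((rec["ts"], name))
    for user, events in per_user.items():
        first_ts = min(ts for ts, _ in events)
        kinds = {n for ts, n in events if ts - first_ts <= window}
        if len(kinds) >= 2:
            findings.append({"severity": "high", "rule": "lockout_pattern",
                             "user": user, "tactics": sorted(kinds)})
    return findings
```

Running `analyze(SAMPLE_LOG)` yields three medium findings for `remote1` and one correlated high-severity `lockout_pattern` alert, while the daytime operator's in-band change produces nothing.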
Safety-critical control systems such as the water and wastewater HMIs mentioned in the EPA-CISA advisory should never run on the internet, said Casey Ellis, founder and advisor at Bugcrowd. Ellis said while it’s possible to patch, password-protect, and otherwise secure HMIs, a failure in any of these controls while connected to the public internet leaves essential services easily exploitable by anyone, including nation-state threat actors.
“The broader problem is that the pandemic forced industrial control systems users, including critical infrastructure, to cater to remote work,” said Ellis. “This prompted a bunch of bad security decisions. At a minimum, this stuff should always be firewalled off from public addressing. The secondary issue is that critical systems are uptime-sensitive, therefore, securing them properly often isn’t as simple as applying patches or enabling MFA.”
Venky Raju, Field CTO at ColorTokens, said that the primary risk is that HMIs are easy to find with search engines like Shodan or Censys. Raju said these tools offer detailed information such as the IP address, open ports, operating system, and sometimes screenshots of the login screen with a prefilled username.
Raju added that most HMI software runs on older Windows-based Panel PCs, making them vulnerable to remote attackers, and a lack of patching and use of default administrative credentials exacerbate the problem.
“Once the attacker gains access to the HMI, they can perform almost any operation on the underlying control systems, such as switching off equipment, or running systems outside normal parameters,” said Raju. “Real-world examples include causing an overhead water tank to overflow, and increasing the level of a chemical by 100 times the normal at a wastewater treatment facility.”
Itzik Alvas, co-founder and CEO at Entro Security, said HMIs are interfaces humans use to interact with machines. Alvas said examples of HMIs include buttons for an elevator as well as keyboards and computer mice. Modern HMIs are often digital/virtual, with various buttons and controls that can produce physical outcomes on the machine they interface with, explained Alvas.
“Water facilities are responsible for performing many tests and maintaining clean drinkable water 24/7 for the population that relies on them,” said Alvas. “This makes their HMIs particularly sensitive, as compromising access to an HMI can lead to unsafe water standards and in worst-case scenarios cause thousands or even millions of casualties. Furthermore, since modern HMIs are digital and virtual, even though they are designed for human access, attackers can leverage exposed non-human identities (NHIs) to remotely compromise these interfaces if they are networked and connected, wreaking havoc on the population nearby.”