The Cybersecurity and Infrastructure Security Agency (CISA) and Environmental Protection Agency (EPA) have issued a joint advisory urging water and wastewater systems to strengthen cybersecurity protections for Human-Machine Interfaces (HMIs). This warning comes amid increasing attacks on operational technology (OT) systems that control critical infrastructure.

Why Water Systems Are Vulnerable Targets

Water treatment plants and distribution systems rely heavily on HMIs, the graphical interfaces that allow operators to monitor and control industrial processes. These systems have become prime targets because:

  • Many still run on outdated Windows operating systems
  • Often have direct internet connectivity without proper segmentation
  • Use default credentials that haven't been changed
  • Lack basic security monitoring capabilities

Recent Attack Patterns

Several concerning trends have emerged in water system attacks:

  1. Credential Harvesting: Attackers use phishing to gain access to HMI credentials
  2. Ransomware Infections: Encrypting SCADA systems to disrupt operations
  3. Unauthorized Access: Hackers manipulating chemical levels or valve controls
  4. Supply Chain Compromises: Targeting third-party vendors with system access

The agencies recommend these critical steps:

Immediate Actions

  • Change all default passwords on HMIs and SCADA systems
  • Implement multi-factor authentication (MFA) for all remote access
  • Segment OT networks from IT systems and the internet
  • Disable unnecessary remote access protocols like RDP

Long-Term Strategies

  • Conduct regular vulnerability assessments of OT systems
  • Develop and test incident response plans specific to water systems
  • Train staff on cybersecurity best practices and phishing awareness
  • Implement continuous monitoring of industrial control systems

Case Study: The Oldsmar Water Treatment Hack

The 2021 attack on Oldsmar, Florida's water system demonstrated the real-world consequences of HMI vulnerabilities. An attacker:

  • Accessed the system via TeamViewer
  • Attempted to increase sodium hydroxide levels to dangerous concentrations
  • Was only detected because an operator noticed cursor movements

This incident highlighted how basic security measures could have prevented access.
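The segmentation, remote access and monitoring recommendations above can be checked against firewall or flow logs. The following is an added example, not code from the advisory or the agencies: it flags allowed RDP, VNC or TeamViewer sessions into an OT segment that did not come through an approved jump host. The subnets, the jump host address, the log format and the sample records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical, not from the advisory).
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # HMIs and controllers
IT_NETWORK = ipaddress.ip_network("192.168.10.0/24")  # business LAN
JUMP_HOSTS = {ipaddress.ip_address("10.20.0.5")}      # only approved remote path
# Default listening ports of common remote access services.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5938: "TeamViewer"}

# Constructed sample records: timestamp, source, destination, port, action.
SAMPLE_FLOWS = """\
2024-01-10T08:00:01Z 10.20.0.5 10.20.0.31 3389 ALLOW
2024-01-10T08:02:17Z 192.168.10.44 10.20.0.31 3389 ALLOW
2024-01-10T08:05:42Z 203.0.113.77 10.20.0.32 5938 ALLOW
2024-01-10T08:06:03Z 203.0.113.77 10.20.0.32 3389 DENY
2024-01-10T08:07:30Z 10.20.0.40 10.20.0.31 502 ALLOW
malformed line
"""

def classify_source(src):
    """Name the zone a source address belongs to under the assumed plan."""
    if src in JUMP_HOSTS:
        return "jump-host"
    if src in OT_SEGMENT:
        return "ot-internal"
    if src in IT_NETWORK:
        return "it-network"
    return "external"

def find_violations(flow_text):
    """Return allowed remote access flows into the OT segment that bypass the jump host."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src_s, dst_s, port_s, action = parts
        try:
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if action != "ALLOW" or dst not in OT_SEGMENT or port not in REMOTE_ACCESS_PORTS:
            continue
        origin = classify_source(src)
        if origin == "jump-host":
            continue  # the one sanctioned remote access path
        findings.append({"time": ts, "src": src_s, "dst": dst_s, "origin": origin,
                         "service": REMOTE_ACCESS_PORTS[port],
                         "severity": "critical" if origin == "external" else "high"})
    return findings
```

Any finding means the segmentation boundary is passing remote access traffic it should block; an "external" origin means an HMI is reachable from outside both the OT and IT networks.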

Regulatory Landscape

Water utilities should be aware of:

  • America's Water Infrastructure Act (AWIA): Requires risk assessments and emergency response plans
  • CISA's Cross-Sector Cybersecurity Performance Goals: Provides baseline security recommendations
  • EPA's Cybersecurity Checklist: Specific guidance for water sector resilience

Future Outlook

As threats evolve, water systems must:

  • Transition from reactive to proactive security postures
  • Consider adopting zero trust architectures for OT environments
  • Participate in information sharing programs like WaterISAC
  • Budget for cybersecurity alongside physical infrastructure upgrades

Resources for Water Utilities