The Cybersecurity and Infrastructure Security Agency (CISA) and Environmental Protection Agency (EPA) have issued an urgent warning to water facilities regarding the security of their Human Machine Interfaces (HMIs). These critical systems, which enable operators to monitor and control water treatment processes, have become targets for cyberattacks.
Recent Security Incidents:
– Pro-Russian hacktivists successfully manipulated HMIs in 2024, causing operational disruptions
– Arkansas City’s water treatment facility and American Water faced attacks forcing manual operations
– Chinese-backed Volt Typhoon maintained unauthorized access to a drinking water system for five years
– Iranian threat actors compromised a Pennsylvania water facility through exposed Unitronics controllers
Key Vulnerabilities and Impacts:
– Unsecured HMIs allow unauthorized access to critical controls
– Attackers can manipulate equipment settings and disable alarms
– System compromises may result in operational disruptions
– Facilities may be forced to switch to manual operations
Federal Response:
– EPA issued comprehensive guidance for cybersecurity enhancement
– Treasury Department sanctioned Russian cybercriminals involved in water facility breaches
– Federal agencies are actively monitoring threats to water infrastructure
– New security recommendations and protocols have been established
The agencies strongly recommend water facilities implement robust security measures for HMI systems and remote access protocols to prevent unauthorized access and potential service disruptions.