US government warns water firms to secure infrastructure at risk online


  • CISA and EPA released a new warning late last week
  • They are urging Water and Wastewater firms to better protect their endpoints
  • HMIs are particularly vulnerable, they said

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have issued a warning to all water facilities in the country to secure their Human Machine Interfaces (HMIs) and Water and Wastewater Systems (WWS) against potential cyberattacks.

Human-Machine Interfaces (HMIs) are systems or devices that enable interaction between humans and machines, allowing users to control and monitor the performance of machinery, systems, or devices. They include a wide range of technologies, such as touchscreens, control panels, and voice commands.

The two agencies said failing to protect the endpoints properly could draw in unwanted attention from cybercriminals.

Active attacks

“In the absence of cybersecurity controls, unauthorized users can exploit exposed HMIs in Water and Wastewater Systems to: View the contents of the HMI (including the graphical user interface, distribution system maps, event logs, and security settings) and make unauthorized changes and potentially disrupt the facility’s water and/or wastewater treatment process,” the announcement warned.

To prove their point, the agencies reminded everyone that “pro-Russian hacktivists” already demonstrated their capability to find and exploit internet-exposed HMIs, causing water pumps and blower equipment to exceed their normal operating parameters.

“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the water utility operators. These instances resulted in operational impacts at water systems and forced victims to revert to manual operations.”

Although the announcement shares no names, we do know that American Water Works Company, the largest public water and wastewater utility company in the United States, suffered a cyberattack which forced it to shut down parts of its infrastructure in early October 2024.

Earlier, in January 2024, a department in Veolia North America, a transnational company offering water, energy and waste recycling management services, suffered a ransomware attack that resulted in the theft of some personal data and forced the company to take parts of its infrastructure offline.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
