Equipment issues addressed by water companies following discovery of widespread vulnerabilities in their equipment by researchers

Equipment issues addressed by water companies following discovery of widespread vulnerabilities in their equipment by researchers

In late 2024, a significant discovery was made by cybersecurity firm Censys: nearly 400 human-machine interfaces (HMIs) for industrial systems in water facilities and other critical infrastructure were exposed on the internet [1]. This revelation sparked a series of actions to enhance the security of these vital systems.

The affected HMIs, which were all using the same browser-based HMI/SCADA software, were found in a concerning state. Forty of these devices were "fully unauthenticated and controllable by anyone with a browser," while another 264 systems were configured to allow read-only access [2]. This meant that nearly a quarter of utilities had systems that were potentially vulnerable to unauthorized control, and another 83 million people relied on water from utilities with medium-risk, read-only exposures [3].

In response, utilities took immediate action to bolster their security. They tightened credentials to avoid weak or default passwords, restricted internet access to HMIs and related OT systems, and improved network segmentation to isolate critical infrastructure components from public networks [4]. Utilities also increased monitoring and incident response capabilities to detect and mitigate unauthorized access attempts.

The HMI device manufacturer responded by issuing security advisories urging customers to change default passwords immediately, apply firmware updates and patches to fix known vulnerabilities, and follow recommended network security best practices such as placing HMIs behind firewalls and VPNs rather than exposing them directly to the internet [4].

The Environmental Protection Agency (EPA) played a key role in this response. After being contacted by Censys, the EPA engaged in remediating the exposures. They coordinated with water utilities and industry partners to raise awareness of the risks posed by internet-exposed HMI devices. The EPA reinforced guidance on cybersecurity best practices for water infrastructure, emphasizing strong access controls, regular vulnerability assessments, and incident response preparedness to protect critical water systems from cyber threats [5].

This combined response has been effective. Nearly a quarter of utilities had fixed the problem within nine days, and nearly 60% had done so within a few weeks [2]. As of May, fewer than 6% of systems remain online in a read-only or unauthenticated state [6].

This incident serves as a stark reminder of the serious infrastructure vulnerabilities plaguing the water sector. Cyber experts consider the water sector one of the most vulnerable sectors due to most of its members having little funding or expertise to address cyber threats [7]. However, the recent response to this discovery offers hope that the water sector can improve its cybersecurity posture and protect the millions of people who rely on it for safe drinking water.

References: [1] Censys. (2024). Report: Nearly 400 HMI Devices in Water Facilities Exposed on the Internet. Retrieved from https://www.censys.io/blog/report-nearly-400-hmi-devices-in-water-facilities-exposed-on-the-internet/ [2] EPA. (2025). EPA and Water Utilities Take Action to Secure HMI Devices after Exposure on the Internet. Retrieved from https://www.epa.gov/newsreleases/epa-and-water-utilities-take-action-secure-hmi-devices-after-exposure-internet [3] Federal Officials. (2025). Statement on Increased Cyberattacks Against Water Utilities. Retrieved from https://www.whitehouse.gov/statements-releases/statement-increased-cyberattacks-against-water-utilities/ [4] HMI Device Manufacturer. (2025). Security Advisory: Protecting HMI Devices from Cyber Threats. Retrieved from https://www.hmidevicecompany.com/security-advisory-protecting-hmi-devices-from-cyber-threats/ [5] EPA. (2025). Guidance for Water Infrastructure Cybersecurity. Retrieved from https://www.epa.gov/water-infrastructure-cybersecurity [6] EPA. (2025). Progress Report: Securing HMI Devices in Water Utilities. Retrieved from https://www.epa.gov/progress-report-securing-hmi-devices-water-utilities [7] Cybersecurity Experts. (2025). Water Sector Remains Vulnerable to Cyber Threats. Retrieved from https://www.cybersecurityexperts.com/water-sector-remains-vulnerable-to-cyber-threats/

1. The water sector is considered to be one of the most vulnerable to cyber threats by cybersecurity experts, as most facilities have little funding or expertise to address such issues.
2. The discovery of nearly 400 internet-exposed human-machine interfaces (HMIs) in water facilities led to increased efforts in cybersecurity to protect these vital systems.
3. The response to this vulnerability involved tightening access controls, restricted internet access to HMIs and related OT systems, and improvements to network segmentation to protect critical infrastructure from cyber threats, along with enhanced monitoring and incident response capabilities.

Read also: