EPA and CISA Urge Water Facilities to Disconnect from Internet

EPA and CISA Issue Urgent Advisory on Protecting Water Facilities from Cyber Threats

The Environmental Protection Agency (EPA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a critical advisory aimed at safeguarding water facilities from cyberattacks targeting human-machine interfaces (HMIs) exposed to the public internet. This advisory, issued on December 13, outlines essential steps water facility operators should take to enhance their cybersecurity posture and protect vital water infrastructure.

Understanding the Cybersecurity Risks for Water Facilities

The advisory highlights the growing threat posed by cybercriminals exploiting HMIs in water and wastewater systems. The EPA and CISA’s 11-point fact sheet urges operators to conduct a thorough inventory of all internet-exposed devices. If feasible, they should disconnect HMIs and any unprotected systems from public access. If disconnection is not an option, securing these devices with strong usernames, passwords, and multi-factor authentication (MFA) is imperative.

Key Recommendations for Water Facility Operators

To mitigate the risk of cyberattacks, the EPA and CISA recommend the following actions:

  • Conduct an Inventory: Identify all internet-exposed devices within the facility.
  • Disconnect Devices: If possible, remove HMIs and other vulnerable systems from public access.
  • Secure Credentials: Implement strong usernames and passwords, changing any factory defaults.
  • Enable MFA: Use multi-factor authentication for an additional layer of security.
  • Network Segmentation: Create a demilitarized zone (DMZ) or bastion host to isolate operational technology (OT) networks.

These measures are crucial because HMIs are the gateways to Supervisory Control and Data Acquisition (SCADA) systems, which manage critical operations in water treatment facilities.
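
The recommendations listed above, applied in Python to an asset inventory export so that each device is matched against the gaps it still has. This is an added example, not part of the advisory or the original article; the inventory field names and sample records are constructed, and 203.0.113.0/24 (a documentation range) stands in for a public address.

```python
import ipaddress

# Address space not routable from the public internet (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"name": "hmi-intake", "role": "hmi", "ip": "203.0.113.10",
     "default_creds": True, "mfa": False, "behind_dmz": False},
    {"name": "hmi-chlorine", "role": "hmi", "ip": "10.20.1.5",
     "default_creds": False, "mfa": True, "behind_dmz": True},
    {"name": "historian", "role": "server", "ip": "203.0.113.22",
     "default_creds": False, "mfa": True, "behind_dmz": True},
    {"name": "plc-pump-3", "role": "plc", "ip": "192.168.5.9",
     "default_creds": True, "mfa": False, "behind_dmz": True},
]

def is_public(ip):
    """True when the address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def findings(asset):
    """Map one inventory record to the recommendations it does not yet meet."""
    out = []
    public = is_public(asset["ip"])
    if public and asset["role"] == "hmi":
        out.append("disconnect: HMI on a public address")
    elif public:
        out.append("review: public address, confirm exposure is required")
    if asset["default_creds"]:
        out.append("credentials: factory default still set")
    if public and not asset["mfa"]:
        out.append("mfa: public-facing access without MFA")
    if not asset["behind_dmz"]:
        out.append("segmentation: not behind DMZ or bastion host")
    return out

def triage(inventory):
    """Return (name, findings) for assets with gaps, public HMIs first."""
    rows = [(a["name"], findings(a)) for a in inventory]
    rows = [r for r in rows if r[1]]
    rows.sort(key=lambda r: (not r[1][0].startswith("disconnect"), -len(r[1])))
    return rows

if __name__ == "__main__":
    for name, items in triage(INVENTORY):
        print(name, *items, sep="\n  - ")
```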

The Threat Landscape: Recent Cyberattacks

Recent incidents have demonstrated the vulnerabilities within water facilities. Pro-Russia hacktivists successfully manipulated HMIs, causing disruptions in water systems by altering operational parameters. These breaches allowed attackers to change settings, disable alarms, and lock out utility operators, leading to serious operational challenges.

Expert Insights on Securing Human-Machine Interfaces

Casey Ellis, founder of Bugcrowd, emphasizes that safety-critical control systems should never operate on the public internet. While security measures such as patching and password protection can enhance safety, a single lapse can leave essential services vulnerable to exploitation by sophisticated threat actors.

Venky Raju, Field CTO at ColorTokens, also warns that HMIs are easily discoverable using search engines like Shodan or Censys. These tools can reveal critical information about vulnerable systems that attackers could exploit, such as IP addresses and operating systems.

The Importance of Robust Cybersecurity in Water Facilities

The stakes are high for water facilities, which are responsible for providing clean drinking water 24/7. Itzik Alvas, co-founder and CEO of Entro Security, points out that compromised access to HMIs can lead to unsafe water standards, posing significant risks to public health.

Conclusion: Taking Action to Secure Water Infrastructure

As cyber threats continue to evolve, water facility operators must prioritize cybersecurity to protect their essential services. Implementing the recommendations from the EPA and CISA advisory is a critical step toward safeguarding water infrastructure from potential attacks.