Misconfigured HMIs Expose US Water Systems to Anyone with a Browser
A stray artifact in a TLS certificate led security researchers to an unnerving discovery: hundreds of control-room dashboards for US water utilities were sitting a click away from the public internet, and dozens of them offered full, no-password control over pumps, valves and chemical feeds.
The trail started last October, when the research team at Censys ran a routine scan of industrial-control hosts and noticed certificates with the word “SCADA” embedded. That label, short for Supervisory Control and Data Acquisition, is typically associated with monitoring systems in industrial control environments. Censys found the same certificate distinguished name (DN) across several instances of an uncommon browser-based HMI platform.
Curious, the team fetched screenshots from each IP address and found themselves staring at live process graphics from water-treatment plants: tank levels drifting up and down, chlorine pumps cycling on and off, and alarms flashing in real time.
Digging deeper, the researchers realized that every affected utility was using the identical web server layout generated by the HMI software. The researchers parsed the title tags into a spreadsheet that displayed the product, the owner and the location and found strings confirming the hosts were indeed municipal water facilities.
Censys researchers say the systems fell into three states: Authenticated (credentials required), Read-only (viewable without control), and the unnerving Unauthenticated (full access without credentials).
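The triage described above, reduced to a script a utility could run over its own external scan results: cluster hosts by TLS certificate subject DN, keep the cluster carrying the “SCADA” marker, pull each page’s title tag, and sort hosts into the three states. This is an added illustration, not Censys’s tooling; the scan records, the vendor name and the heuristics that decide each state (HTTP 401 or a WWW-Authenticate header means Authenticated, a “View Only” title means Read-only, any other 200 means Unauthenticated) are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed scan records for a utility's own external ranges (not real hosts).
# Each record is what a perimeter scan would capture: cert subject, HTTP status, headers, body.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "cert_subject": "CN=SCADA-HMI,O=Example Vendor", "status": 401,
     "headers": {"WWW-Authenticate": 'Basic realm="HMI"'}, "body": "<html><title>Login</title></html>"},
    {"ip": "192.0.2.11", "port": 8443, "cert_subject": "CN=SCADA-HMI,O=Example Vendor", "status": 200,
     "headers": {}, "body": "<html><title>Example HMI - Town Water Plant - View Only</title></html>"},
    {"ip": "192.0.2.12", "port": 443, "cert_subject": "CN=SCADA-HMI,O=Example Vendor", "status": 200,
     "headers": {}, "body": "<html><title>Example HMI - Village WTP</title><form action='/setpoint'></form></html>"},
    {"ip": "192.0.2.13", "port": 443, "cert_subject": "CN=www.example.org", "status": 200,
     "headers": {}, "body": "<html><title>Billing Portal</title></html>"},
]

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)

def page_title(body):
    """Extract the <title> text that the article says was parsed into the spreadsheet."""
    m = TITLE_RE.search(body)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""

def exposure_state(rec):
    """Map one host to Authenticated / Read-only / Unauthenticated (heuristics are assumptions)."""
    if rec["status"] in (401, 403) or any(k.lower() == "www-authenticate" for k in rec["headers"]):
        return "Authenticated"
    if rec["status"] == 200:
        if re.search(r"view[- ]only|read[- ]only", page_title(rec["body"]), re.I):
            return "Read-only"
        return "Unauthenticated"
    return "Unknown"

def triage(records, marker="SCADA"):
    """Cluster by certificate DN, keep clusters with the marker, emit one row per host."""
    by_dn = defaultdict(list)
    for r in records:
        by_dn[r["cert_subject"]].append(r)
    rows = []
    for dn, hosts in by_dn.items():
        if marker.upper() not in dn.upper():
            continue  # unrelated certificate cluster, e.g. the billing portal
        for r in hosts:
            rows.append({"ip": r["ip"], "port": r["port"], "cert_dn": dn,
                         "title": page_title(r["body"]), "state": exposure_state(r)})
    order = {"Unauthenticated": 0, "Read-only": 1, "Authenticated": 2, "Unknown": 3}
    return sorted(rows, key=lambda row: order[row["state"]])  # worst exposure first

if __name__ == "__main__":
    print(*triage(SCAN_RECORDS), sep="\n")
```

The rows carry the same fields the article says the report to the EPA listed (IP, port, security state), with the unauthenticated hosts first so they are firewalled first.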
“40 systems were fully unauthenticated and controllable by anyone with a browser,” the company said.
Because the targets were public utilities, Censys skipped the usual slow, one-by-one disclosure and sent a bulk report to the US Environmental Protection Agency and the unnamed HMI vendor.
The spreadsheet listed every IP, port and likely location, along with each site’s security state. Within nine days, Censys said the EPA reported that 24 percent of the exposed systems had been firewalled or hardened. A month later, that figure jumped to 58 percent after the vendor pushed guidance on multifactor authentication and stronger access rules.
“What began as over 300 read-only or unauthenticated systems in October 2024 has dropped to fewer than 20 as of our most recent scan in May 2025. While not quite at zero read-only or unauthenticated instances, this is the type of remediation that defenders and practitioners dream of,” the Censys research team said.
Late last year, the US government issued an urgent call for organizations in the water and wastewater systems sector to ensure that internet-exposed human-machine interfaces (HMIs) providing access to industrial machines are properly secured against cyberattacks.
HMIs are components of device or software applications, such as keyboards and touchscreens, that enable operational technology (OT) owners and operators to monitor and control SCADA systems, often remotely.
According to a fact sheet (PDF) from the Environmental Protection Agency (EPA) and the US cybersecurity agency CISA, exposed HMIs in water and wastewater systems could allow threat actors to access information about or tamper with industrial control systems (ICS).
“Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily. For example, in 2024, pro-Russia hacktivists manipulated HMIs at water and wastewater systems, causing water pumps and blower equipment to exceed their normal operating parameters,” the two agencies warned.