Water utilities mitigate equipment flaws after researchers find widespread exposures

Hundreds of U.S. water utilities have bolstered the security of their industrial control systems after working with researchers who discovered that their highly sensitive equipment was accessible from the internet.

The security firm Censys discovered in late 2024 that nearly 400 human-machine interfaces — which allow workers to control industrial systems in water facilities and other critical infrastructure — were exposed on the internet. Forty of those HMI devices were “fully unauthenticated and controllable by anyone with a browser,” researchers said. 

After Censys coordinated with the Environmental Protection Agency and the HMI device’s vendor, utilities began securing their systems, and as of May, Censys said, “fewer than 6% of systems remain online in a read-only or unauthenticated state.”

Nearly a quarter of utilities had fixed the problem within nine days, the company said, and nearly 60% had done so within a few weeks.

The water sector, which is composed of tens of thousands of utilities, has faced years of cyberattacks from state-linked threat groups and ransomware gangs. Cyber experts consider it one of the most vulnerable sectors, because most of its members have little funding or expertise to address cyber threats. The Censys report is the latest indication of the serious infrastructure vulnerabilities plaguing the sector.

After Censys researchers contacted the HMI device’s manufacturer, they received what they said was “a polite but tepid response.” They later contacted the EPA, which they said “was interested and engaged in remediating the exposures.”

“The major issue we raised with the manufacturer and the EPA was that the majority of these systems were in one of two states: unauthenticated or read-only,” principal security researcher Emily Austin and senior security researcher Mark Ellzey said via email. “Both states allow anyone who finds these systems to view their configurations and examine HMIs; however, the unauthenticated state also allows anyone to view HMIs and make changes to system settings.”

The affected systems all used the same browser-based HMI/SCADA software, and only 95 of the 400 affected utilities had enabled authentication. Another 264 systems were configured to allow read-only access, while the remaining 40 had “no authentication at all (meaning that hypothetically, we could control the devices connected to the HMI).”

Federal officials previously warned about hacktivists and other groups targeting vulnerable water utilities due to poor system configurations. 

The EPA’s Office of the Inspector General issued a report in November showing that approximately 26 million people were vulnerable to the effects of cyber intrusions at 96 utilities with critical or high-risk vulnerabilities, while another 83 million people relied on water from utilities with medium-risk, read-only exposures. 

“Cyberattacks against critical infrastructure facilities, including public water systems and wastewater systems, have increased several-fold over the last few years and can disrupt or contaminate the delivery of safe drinking water and the treatment of wastewater,” an EPA spokesperson told Cybersecurity Dive via email. 

In the case of the vulnerable HMI devices, the manufacturer eventually took action and helped implement several changes, including multifactor authentication, to protect the affected utilities.
