Summary: Cybersecurity firm Censys recently released information regarding internet-exposed Human Machine Interfaces (HMIs) connected to water systems throughout the U.S. The blog post mentions that in October, Censys researchers identified nearly 400 web-based HMIs connected to U.S. water facilities that were exposed online. The systems were found to be in one of three states: Authenticated (credentials required), Read-only (viewable without control), and Unauthenticated (full access without credentials). 40 systems were found to be fully unauthenticated and controllable by anyone with a browser. After sharing these findings with the EPA to help facilitate remediation, fewer than 6% of systems remained in a read-only or unauthenticated state.
Importantly, Censys notes that “discovering critical infrastructure exposed on the internet is far less common than sensational blogs and press releases may have you believe. It’s super easy to uncover hosts running protocols like Ethernet/IP or BACNet, but much harder to assess whether those systems pose a real risk, or if they even qualify as critical infrastructure in the first place.”
Analyst Note: While the numbers of internet-exposed ICS systems tend to be overinflated for the reasons outlined by Censys, water utilities are still urged to proactively identify and secure web-based HMIs as many are accessible without proper authentication. Even a small number of unauthenticated interfaces can provide threat actors with a straightforward path to compromising critical systems. WaterISAC encourages members to ensure an inventory of assets is regularly kept up-to-date and to conduct regular vulnerability scans (which can be free!), to help your utility stay secure. Additionally, CISA shared recent guidance aimed at helping organizations reduce internet exposure of critical systems.
Original Source: https://censys.com/blog/turning-off-the-information-flow-working-with-the-epa-to-secure-hundreds-of-exposed-water-hmis
Additional Reading:
- About 400 exposed web-based US water facility interfaces, as coordinated remediation effort underway
- OT/ICS Cyber Resilience – Censys Data Reveals More Internet-Exposed ICS
Mitigation Recommendations:
Related WaterISAC PIRs: 6, 8
