Today, CISA and the Environmental Protection Agency (EPA) released Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems. This joint fact sheet provides Water and Wastewater Systems (WWS) facilities with recommendations for limiting the exposure of Human Machine Interfaces (HMIs) and securing them against malicious cyber activity.

HMIs enable operational technology owners and operators to read supervisory control and data acquisition systems connected to programmable logic controllers. Threat actors can exploit exposed HMIs at WWS Sector utilities without cybersecurity controls, resulting in operational impacts and forcing victims to revert to manual operations (see Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity).

EPA and CISA strongly encourage WWS Sector organizations review and implement the mitigations in this fact sheet to harden remote access to HMIs. Visit our Water and Wastewater Systems page for additional resources to help protect the WWS Sector.