Skip to main content
Cybersecurity

An ‘alarming’ find from Censys: exposed HMIs in water facilities

A study shows hackable water-facility displays and controls.
article cover

Herraez/Getty Images

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A giant scan o’ the internet from Censys revealed 18,000 exposed, connected devices “likely to control industrial systems,” according to an August 7 report from the cybersecurity company.

In a deeper discussion with IT Brew, Censys Principal Researcher Emily Austin said the company found 430 internet-connected human-machine interfaces, the displays and interactive components that represent factory functions—94 of which were associated with wastewater and water-system facilities. Half of the water-specific HMIs “could be manipulated without any authentication”—a shocking finding, according to Austin, given the critical nature of the operations.

“It’s just a matter of what controls are available,” Austin said. “What has the operator made available in that control system, to be able to click around or change a value or start something or stop something, or acknowledge an alarm, which you could do remotely from anywhere that you can access the internet?”

Remote control.

  • In November 2023, Iranian-backed hackers known as the “Cyber Av3engers” targeted the Municipal Water Authority of Aliquippa, a Pennsylvania city. The not-Marvel-approved group took over a device screen to read: “Every equipment ‘made in Israel’ is Cyber Av3ngers legal target."
    “These compromised devices were publicly exposed to the internet with default passwords and by default are on TCP port 20256,” CISA said in a December 2023 advisory.
  • A January 2024 compromise occurred in the Texas town of Muleshoe, when hackers broke into a remote login system, leading to a tank overflow and a switch to manual operations, City Manager Ramon Sanchez told CNN in April.

One screenshot from the Censys study revealed an unauthenticated HMI that appeared to be connected to a water tank, with start/stop controls for pumps.

Manufactured threat. According to a ransomware study from cybersecurity firm Kroll between May 2023 and May 2024, the manufacturing sector was the second-most targeted industry, surpassing healthcare, retail, education, and financial services. (The top target: professional services).

“Industrial control systems are used by manufacturing companies just as much as they are by a water authority,” Laurie Iacono, associate managing director at Kroll, told us, and who coincidentally lives a short ride from Aliquippa. Water facilities face the challenge, Iacono added, of prioritizing both physical and cyber resources with limited funds.

When facilities require a remote, internet-connected system, Iacono recommended VPNs, protected by multifactor authentication. (Austin does too, along with strong passwords and firewall configurations that limit access to authorized users.)

“It doesn’t necessarily mean you have to have $100 million tools running on your system,” Iacono said.

The Censys report said “nearly half of the HMIs associated with Water and Wastewater (WWS) identified could be manipulated without any authentication required.” In the US, there are “153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems,” according to CISA.

“These exposed HMIs: There’s a lower bar to interacting with them. While we didn’t find thousands of those, thank goodness, the ones that we did find, I think, are alarming,” Austin said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.