Water companies addressing equipment defects following discovery of extensive vulnerabilities by researchers in the field
A recent report by the EPA's Office of the Inspector General revealed that approximately 26 million people were at risk due to cyber vulnerabilities in 96 utilities with critical or high-risk exposures. These vulnerabilities were found in the utilities' Human-Machine Interfaces (HMIs), which are crucial components of their critical infrastructure.
The report comes as no surprise, as cyberattacks against public water systems and wastewater facilities have significantly increased over the past few years. As of May, fewer than 6% of systems remained online in a read-only or unauthenticated state, with the remaining 40 having no authentication at all, potentially allowing control of the devices connected to the HMI. Another 264 systems were configured to allow read-only access.
However, it's not all grim news. Nearly 60% of the utilities managed to secure their systems within a few weeks following the report. The affected systems all used the same browser-based HMI/SCADA software, and after coordinating with the Environmental Protection Agency and the HMI device's vendor, utilities began implementing necessary changes.
The manufacturer of the affected HMIs, Opto 22, took steps to improve the security of these systems in early 2021. The company eventually took action and helped implement changes, including multifactor authentication, to protect the affected utilities.
The water sector, which consists of tens of thousands of utilities, has faced years of cyberattacks from state-linked threat groups and ransomware gangs. Federal officials have previously warned about hacktivists and other groups targeting vulnerable water utilities due to poor system configurations.
Cyber experts consider the water sector one of the most vulnerable sectors due to its members' limited funding and expertise to address cyber threats. The Censys report is the latest indication of the serious infrastructure vulnerabilities plaguing the water sector. Another 83 million people relied on water from utilities with medium-risk, read-only exposures.
In late 2024, Censys discovered that nearly 400 HMIs used in water facilities and other critical infrastructure were accessible on the internet. Nearly a quarter of utilities had fixed the problem within nine days, but only 95 of the 400 affected utilities had enabled authentication. Forty of these HMIs were "fully unauthenticated and controllable by anyone with a browser."
Despite the challenges, it's encouraging to see that many utilities are taking steps to secure their systems. These attacks can disrupt or contaminate the delivery of safe drinking water and the treatment of wastewater, as an EPA spokesperson stated. It's crucial for all utilities to prioritise cybersecurity to protect public health and safety.