Full Report
New research from Censys identified that nearly 400 web-based Human Machine Interfaces (HMIs) connected to U.S. water facilities... The post About 400 exposed web-based US water facility interfaces, as coordinated remediation effort underway appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Widespread Exposure of U.S. Water Facility HMIs
## Executive Summary
Censys researchers found nearly 400 web-based Human Machine Interfaces (HMIs) belonging to U.S. water facilities exposed directly to the internet as of October; 40 of them were fully unauthenticated, with control screens reachable by anyone who found the host. Following disclosure to the EPA and the software vendor, a coordinated remediation effort reduced the exposed population to under six percent of the original set within a few months. The incident highlights the risk posed by unsecured, internet-facing industrial control system (ICS) interfaces: an HMI exposes the live process, not just a protocol port.
## Incident Details
- **Discovery Date:** Late October, when Censys completed the identification and count of exposed interfaces.
- **Exposure Window:** Not established; the interfaces were already internet-facing before the October research began.
- **Affected Organization:** Nearly 400 U.S. water facilities.
- **Sector:** Utilities (Water Treatment).
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown; the interfaces were already reachable before the October research.
- **Vector:** Direct internet exposure of the web servers hosting the HMI/SCADA software, on standard HTTP/S ports.
- **Details:** Researchers combined TLS certificate analysis with automated screenshot capture to confirm which candidate hosts actually served an HMI, and then checked whether the interface demanded credentials.
### Lateral Movement
*Not directly applicable; this was an exposure discovery, not a post-breach investigation.* The primary weakness was direct internet reachability of the HMI application layer, with no authentication or network filtering in front of it.
### Data Exfiltration/Impact
- **Impact:** The most severe finding was 40 HMIs that accepted control actions with no authentication at all, allowing unauthorized manipulation of water treatment processes. Hundreds of others exposed read-only views of plant status and configuration, which is reconnaissance material for a later attack.
### Detection & Response
- **Detection:** Found by Censys researchers during routine analysis of ICS hosts with the Censeye tool, pivoting on unusual TLS certificates whose fields contained "SCADA" keywords.
- **Response Actions:** Censys notified the U.S. Environmental Protection Agency (EPA) and the software vendor. The EPA led outreach to the affected utilities and coordinated remediation.
## Attack Methodology
- **Initial Access:** Exposed HTTP/S ports reachable from any standard web browser; no ICS protocol knowledge was required, only the IP address and port.
- **Persistence:** Not applicable; the exposure was a standing misconfiguration, not something an attacker had to maintain.
- **Privilege Escalation:** Not exercised by the researchers. For an attacker, read-only access would be the reconnaissance step; on the 40 unauthenticated interfaces no escalation was needed at all, since control screens were reachable directly.
- **Defense Evasion:** None required. The interfaces were exposed by misconfiguration (no firewalling, no authentication), so there was no control to bypass.
- **Credential Access:** Not required for the 40 fully unauthenticated interfaces; the remaining hosts presented a login and would require credential theft or guessing.
- **Discovery:** An attacker could map the plant from the HMI itself, using the "Graphic Screens", "Controls" and status pages that the interface presents.
- **Lateral Movement:** Access to the HMI implies the ability to interact with the PLCs and other devices on the underlying control network that the HMI is configured to drive.
- **Collection:** System status, configuration details and operational context (vendor, owner, site) were readable from basic web endpoints such as `System.php`.
- **Exfiltration:** Not the primary threat; the concern was manipulation rather than theft of data.
- **Impact:** Potential manipulation of treatment processes, including changing setpoints and silencing alarms.
## Impact Assessment
- **Financial:** Not specified in the report.
- **Data Breach:** Operational visibility and configuration details of water treatment plants were exposed.
- **Operational:** High risk of operational disruption, manipulation of treatment levels, or safety compromise if malicious actors exploited the 40 completely open systems.
- **Reputational:** Potential high reputational damage to affected utilities and the software vendor if the scope of exposure became public before remediation.
## Indicators of Compromise
*Note: Since this was an exposure finding rather than an active intrusion, the indicators below are signatures of the exposed configuration, useful for finding your own instances, not evidence of compromise:*
- **Network Indicators:** Hosts presenting TLS certificates whose subject or issuer fields reference **SCADA**, serving a **PHP** web application on standard HTTP/S ports.
- **File Indicators:** A web interface built around endpoints such as `index.php` and `System.php`.
- **Content Indicators:** Response bodies (for example from `System.php`) laid out as PRODUCT, OWNER and LOCATION separated by dashes, which names the utility and the site in clear text.
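The discovery method described above (certificate keyword pivot, then checking what an unauthenticated client can reach) and the indicators listed in this section can be turned into a small triage routine. The following is an added example, not Censys code and not the Censeye tool: it runs over constructed scan records whose field names, the control-screen path `/Controls.php`, the `hmi` certificate keyword and all hosts and banners are assumptions for the example. Only the `SCADA` keyword, the `index.php` / `System.php` endpoints and the dash-separated banner layout come from the report. It separates "authenticated", "read-only" and "unauthenticated" exposure the way the report's counts do, and shows why a certificate-only search under-counts (the last record has an ordinary certificate but an exposed HMI).

```python
"""Triage of scan records for internet-exposed web HMIs (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Certificate keywords. "scada" is the pivot the report describes; "hmi" is an
# added assumption to widen the net.
CERT_KEYWORDS = ("scada", "hmi")

# Endpoints the report names on the exposed HMI front ends.
HMI_PATHS = ("/index.php", "/System.php")

# Hypothetical path for the write side ("Controls" screens). The report names
# the screen, not its URL; this path is an assumption for the example.
CONTROL_PATH = "/Controls.php"

# PRODUCT - OWNER - LOCATION, separated by a hyphen, en dash or em dash.
# Lazy matches split on the first two dashes, so a dash inside a product
# name would mis-split; good enough for triage, not for exact parsing.
_DASH = r"[-\u2013\u2014]"
BANNER_RE = re.compile(
    rf"^\s*(?P<product>.+?)\s*{_DASH}\s*(?P<owner>.+?)\s*{_DASH}\s*(?P<location>.+?)\s*$"
)


@dataclass(frozen=True)
class HostRecord:
    ip: str
    cert_subject: str
    # path -> (HTTP status, body) as seen by a client that sends no credentials
    responses: dict


def cert_looks_like_hmi(subject: str) -> bool:
    s = subject.lower()
    return any(k in s for k in CERT_KEYWORDS)


def parse_banner(body: str):
    """Return {'product', 'owner', 'location'} or None if the layout is absent."""
    m = BANNER_RE.match(body)
    return m.groupdict() if m else None


def classify(rec: HostRecord) -> str:
    """Exposure class from the unauthenticated client's point of view.

    not-hmi          no HMI signal in certificate or in the probed paths
    authenticated    HMI present, but the front page demands a login (or redirects to one)
    read-only        front page and status readable; control screens gated or not observed
    unauthenticated  control screens reachable with no credentials at all
    """
    probed = any(p in rec.responses and rec.responses[p][0] != 404 for p in HMI_PATHS)
    if not cert_looks_like_hmi(rec.cert_subject) and not probed:
        return "not-hmi"
    index = rec.responses.get("/index.php")
    if index is None or index[0] != 200:
        return "authenticated"
    control = rec.responses.get(CONTROL_PATH)
    if control is not None and control[0] == 200:
        return "unauthenticated"
    return "read-only"


def triage(records):
    """Per-class counts plus the owner/location leaked by readable System.php pages."""
    counts = Counter()
    leaked = []
    for rec in records:
        cls = classify(rec)
        counts[cls] += 1
        sysp = rec.responses.get("/System.php")
        if cls in ("read-only", "unauthenticated") and sysp and sysp[0] == 200:
            banner = parse_banner(sysp[1])
            if banner:
                leaked.append((rec.ip, banner["owner"], banner["location"]))
    return counts, leaked


# Constructed records on TEST-NET addresses; none of these hosts or names are real.
SAMPLE_RECORDS = [
    HostRecord("192.0.2.10", "CN=scada-web.example", {
        "/index.php": (200, "<title>Plant Overview</title>"),
        "/System.php": (200, "AcmeHMI 4.2 - Example Water District - Springfield, IL"),
        CONTROL_PATH: (200, "<form>Set pump speed</form>"),
    }),
    HostRecord("192.0.2.11", "CN=SCADA Server", {
        "/index.php": (200, "<title>Plant Overview</title>"),
        "/System.php": (200, "AcmeHMI 4.2 \u2014 Example Township \u2014 Riverside"),
        CONTROL_PATH: (401, "Authorization Required"),
    }),
    HostRecord("192.0.2.12", "CN=scada.example.net", {
        "/index.php": (302, "Redirecting to /login.php"),
    }),
    HostRecord("192.0.2.13", "CN=www.example.org", {
        "/index.php": (404, "Not Found"),
    }),
    HostRecord("192.0.2.14", "CN=localhost", {  # no keyword in the certificate
        "/index.php": (200, "<title>Plant Overview</title>"),
        "/System.php": (200, "AcmeHMI 3.9 - Example Borough - Lakeside"),
    }),
]

if __name__ == "__main__":
    counts, leaked = triage(SAMPLE_RECORDS)
    print(dict(counts))
    for ip, owner, location in leaked:
        print(f"{ip}: {owner} ({location})")
```

Against real scan data the two thresholds that matter are the status codes: an HMI that answers `200` on its front page but `401` on its control screens is the "read-only" population, and one that answers `200` on both is the controllable set the report counts as 40. A redirect to a login page counts as gated, but only at the web layer; it says nothing about the strength of the credentials behind it.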
## Response Actions
- **Containment Measures:** Through outreach coordinated by the EPA, 24% of the exposed interfaces were secured within nine days and 58% in the following weeks.
- **Eradication Steps:** Utilities were guided to put proper authentication in front of the HMI, reduce it to a read-only configuration where remote viewing was genuinely needed, or remove it from direct internet access altogether.
- **Recovery Actions:** The large majority of exposure paths were closed, leaving under 6% of the original set still exposed.
## Lessons Learned
- **Key Takeaways:** An internet-exposed HMI is a more attractive target than an exposed ICS protocol port because it comes with context: a live view of the process, labelled screens, and often the owner and site name, so an attacker needs no protocol expertise to understand what they are looking at.
- **Gaps:** Software manufacturers often respond slowly to vulnerability disclosures, which is why regulatory intervention or high-level government coordination (here, the EPA) was needed to drive remediation. Unauthenticated internet exposure of control systems remains a basic hygiene failure in critical infrastructure.
- **Success Factor:** Coordinated outreach by the EPA proved exceptionally effective in achieving rapid remediation.
## Recommendations
- **Prevention Measures for Similar Incidents:**
  1. Require strong authentication, with MFA where the product supports it, for all remote access to HMI/SCADA systems; a read-only view still needs a login, since it leaks process and site context.
  2. Segment ICS/OT assets, HMIs in particular, from the public internet behind firewalls and a DMZ, and reach them only through a VPN or jump host rather than by publishing the web interface.
  3. Software vendors should ship secure defaults: no unauthenticated or overly permissive read/write access on first deployment, and a setup flow that forces credentials before the interface is reachable.
  4. Continuously monitor the organization's own public address space, with in-house scans or services like Censys, so unintended exposure is found before an attacker finds it.