CISA and EPA have published guidance for operators of water and wastewater systems to protect against cyber-attacks
Analysis Summary
# Best Practices: Securing Internet-Exposed Human Machine Interfaces (HMIs) in Water Systems
## Overview
These practices address the cybersecurity risks associated with Human Machine Interfaces (HMIs) in Water and Wastewater Systems (WWS). HMIs are the operator consoles for Operational Technology (OT) and SCADA systems; when one is exposed to the internet it becomes a high-value target, because an attacker who reaches it can manipulate treatment processes, disable alarms, or shut a facility down, compromising an essential public service.
## Key Recommendations
### Immediate Actions
1. **Disconnect All Internet Exposure:** Immediately identify and disconnect any Human Machine Interface (HMI) that is directly accessible from the public internet. An HMI should be reachable only from inside a segregated operational network, or through a controlled remote-access path (such as a VPN) into that network.
2. **Enforce Strong Credential Hygiene:** Conduct an immediate audit of all HMI, SCADA, and related system accounts. Enforce strong, unique passwords on every interface and administrative account, which necessarily means replacing any default or vendor-supplied credentials.
3. **Verify Access Control:** Verify that administrative passwords have not been altered by unauthorized parties (an unexplained credential change on an exposed HMI is a sign of compromise, not just of drift) and that existing operator access levels reflect the principle of least privilege.
### Short-term Improvements (1-3 months)
1. **Implement Multi-Factor Authentication (MFA):** Deploy Multi-Factor Authentication (MFA) for all remote access points, VPNs, and any user logging into internet-facing controls or HMIs.
2. **Deploy Network Segmentation:** Implement network segmentation to isolate OT networks (where HMIs reside) from IT networks. Utilize a Demilitarized Zone (DMZ) architecture to create a buffer layer between enterprise networks and industrial control systems.
3. **Schedule Regular Patch Management:** Establish a prioritized schedule for updating all HMI software, firmware, and underlying operating systems. Prioritize patches for known vulnerabilities in remote-access components, since those are the ones reachable by an external attacker.
### Long-term Strategy (3+ months)
1. **Establish Comprehensive Monitoring:** Implement 24/7 monitoring for login attempts, configuration changes, and unusual activity on HMI and SCADA systems. Develop and practice defined incident response playbooks for detecting and investigating suspicious activity.
2. **Develop Manual Contingency Plans:** Formulate and regularly test detailed contingency plans for operations that must revert entirely to manual control in the event of a significant cyber incident or system lockout.
3. **Conduct Recurring Vulnerability Scanning:** Register for and use the free vulnerability scanning services offered by organizations such as CISA to proactively identify and remediate weaknesses in internet-facing assets that could provide a path to OT systems.
4. **Adopt Phased Hardening:** Continuously review and apply hardening guidelines (such as those from CISA/EPA) to all OT components, prioritizing remote access paths and authentication mechanisms.
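The monitoring item above (login attempts, configuration changes, unusual activity) is easier to reason about with concrete detection logic. The following is an added example, not part of the CISA/EPA material or of any vendor's product: a small Python detector that runs over a constructed HMI event log and raises alerts for a burst of failed logins, a successful login from outside the trusted source ranges, and setpoint or alarm changes made off-hours or from an untrusted session. The log format, the trusted ranges (an assumed MFA VPN pool and OT segment), the staffed-hours window and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log in a generic "timestamp host EVENT key=value ..." form (not any vendor's format).
SAMPLE_LOG = """\
2024-05-01T02:13:05Z hmi01 LOGIN_FAIL user=admin src=203.0.113.45
2024-05-01T02:13:09Z hmi01 LOGIN_FAIL user=admin src=203.0.113.45
2024-05-01T02:13:14Z hmi01 LOGIN_FAIL user=admin src=203.0.113.45
2024-05-01T02:13:20Z hmi01 LOGIN_FAIL user=operator src=203.0.113.45
2024-05-01T02:13:27Z hmi01 LOGIN_FAIL user=admin src=203.0.113.45
2024-05-01T02:13:41Z hmi01 LOGIN_OK user=admin src=203.0.113.45
2024-05-01T02:15:02Z hmi01 SETPOINT_CHANGE user=admin tag=CL2_DOSE_SP old=1.2 new=6.0
2024-05-01T02:15:30Z hmi01 ALARM_DISABLE user=admin tag=CL2_HIGH
2024-05-01T08:02:11Z hmi01 LOGIN_OK user=operator src=10.10.99.14
2024-05-01T08:30:00Z hmi01 SETPOINT_CHANGE user=operator tag=CL2_DOSE_SP old=6.0 new=1.2
"""

# Assumptions for the example: the MFA VPN pool and the OT segment are the only legitimate
# login sources, and configuration changes are expected during staffed hours only.
TRUSTED_SRC = [ip_network("10.10.99.0/24"), ip_network("10.10.20.0/24")]
STAFFED_HOURS = range(6, 18)        # 06:00-17:59
FAIL_THRESHOLD = 5                  # failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window = brute force
CHANGE_EVENTS = {"SETPOINT_CHANGE", "ALARM_DISABLE"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \S+=\S+)*)$")


def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "host": m["host"], "event": m["event"]}
    rec.update(kv.split("=", 1) for kv in m["kv"].split())
    return rec


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the trusted ranges."""
    return any(ip_address(src) in net for net in TRUSTED_SRC)


def detect(lines):
    """Run the detections over an ordered stream of log lines; return alerts in the order raised."""
    alerts = []
    fails = defaultdict(deque)   # src -> timestamps of recent failed logins (sliding window)
    brute_forced = set()         # sources that already crossed FAIL_THRESHOLD
    session_src = {}             # user -> source address of that user's latest successful login
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ev, ts = r["event"], r["ts"]
        if ev == "LOGIN_FAIL":
            window = fails[r["src"]]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and r["src"] not in brute_forced:
                brute_forced.add(r["src"])
                alerts.append({"kind": "BRUTE_FORCE", "ts": ts, "src": r["src"], "attempts": len(window)})
        elif ev == "LOGIN_OK":
            session_src[r["user"]] = r["src"]
            if not is_trusted(r["src"]):
                alerts.append({"kind": "UNTRUSTED_SOURCE_LOGIN", "ts": ts, "user": r["user"], "src": r["src"]})
            if r["src"] in brute_forced:   # success right after a burst of failures: likely guessed
                alerts.append({"kind": "LOGIN_AFTER_BRUTE_FORCE", "ts": ts, "user": r["user"], "src": r["src"]})
        elif ev in CHANGE_EVENTS:
            reasons = []
            if ts.hour not in STAFFED_HOURS:
                reasons.append("off_hours")
            src = session_src.get(r["user"])
            if src is None or not is_trusted(src):   # no known login, or login from outside trusted ranges
                reasons.append("untrusted_session")
            if ev == "ALARM_DISABLE":                # disabling an alarm always warrants review
                reasons.append("alarm_disabled")
            if reasons:
                alerts.append({"kind": "CONFIG_CHANGE", "ts": ts, "user": r["user"],
                               "tag": r["tag"], "reasons": tuple(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log the detector raises five alerts: the brute-force burst from 203.0.113.45, the untrusted login that follows it, the same login flagged as a success after the burst, and two off-hours changes (a chlorine dose setpoint and an alarm disable) made from that session; the operator's later login from the VPN pool and the setpoint change back during staffed hours raise nothing. Feeding the real HMI audit trail through the same shape of logic, with the thresholds and trusted ranges set from the actual architecture, is the substance of "24/7 monitoring" for an HMI.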
## Implementation Guidance
### For Small Organizations
- **Prioritize Quick Fixes:** Focus limited resources on the immediate actions first: disconnect public internet access to HMIs and enforce strong passwords before anything else.
- **Utilize Free Services:** Leverage free resources like CISA’s vulnerability scanning services to augment limited internal security staff capabilities.
- **Outsourced Segmentation:** If internal expertise is lacking, engage a trusted third-party vendor to assist in architecting and implementing foundational network segmentation around HMIs.
### For Medium Organizations
- **Pilot MFA Deployment:** Begin a targeted rollout of MFA on a pilot basis for administrative access to HMI systems before scaling across all operational staff.
- **Establish Formal Patch Cadence:** Develop a formal, documented change management process specifically for patching OT systems, understanding that patching cycles may need to be slower than IT due to operational uptime requirements.
- **Document DMZ Architecture:** Finalize and document the design specifications for the DMZ to logically separate IT and OT environments.
### For Large Enterprises
- **Full-Scale Segmentation:** Undertake a comprehensive project to fully implement defense-in-depth using network segmentation, enforcing strict firewall rules between IT, corporate services, and the OT network.
- **Integrate OT Security Monitoring:** Fully integrate HMI/SCADA anomaly detection feeds into the central Security Information and Event Management (SIEM) system, ensuring security analysts are trained on OT-specific alerts.
- **Formalized Vendor Management:** Establish security requirements within procurement and maintenance contracts for third-party vendors accessing OT systems, ensuring their remote access methods meet internal MFA/segmentation standards.
## Configuration Examples
*Specific technical configurations were not detailed in the source material (e.g., exact firewall rules or software versions). However, the following best practices imply specific configuration requirements:*
1. **Network Access Control:** Configure perimeter firewalls to explicitly **DENY ALL** traffic from the public internet (source 0.0.0.0/0) to PLC and HMI ports, which includes the standard SCADA protocol ports (for example Modbus/TCP on 502, DNP3 on 20000, EtherNet/IP on 44818) as well as RDP, SSH, and VNC to the HMI server. Permit administrative access only from the address pool that the MFA-protected remote-access path lands on.
2. **DMZ Configuration:** Configure ingress/egress rules so that HMIs can communicate only with the servers they need (e.g., historians, domain controllers for authentication) on specified, restricted ports within the DMZ boundary, with no direct path from the HMI to the wider corporate network and an explicit default-deny for everything else.
3. **Authentication Policy:** Configure HMI login policy to enforce a minimum password length of 14 characters or more, and require a second factor (e.g., hardware token, authenticator app, biometric) at minimum for every account with administrative privileges and for every remote login.
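The first two configuration items above can be verified mechanically rather than by reading rules. The following is an added example, not from the CISA/EPA material: a small first-match firewall policy simulator in Python that probes a constructed ruleset for (a) any internet source that can reach a standard ICS or remote-management port on an HMI and (b) any HMI that can open a connection straight into the corporate range, bypassing the DMZ. All addresses, the historian port and the two rulesets are invented for the example; the port-to-protocol table uses the standard TCP assignments.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Standard TCP ports for common ICS protocols and remote-management services.
ICS_MGMT_PORTS = {
    22: "SSH",
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    3389: "RDP",
    5900: "VNC",
    20000: "DNP3",
    44818: "EtherNet/IP",
}


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination TCP port, None = any port
    action: str           # "allow" or "deny"


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Evaluate one flow against an ordered ruleset; a flow no rule matches is denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"   # default deny: nothing reaches OT unless a rule explicitly allows it


def internet_exposed(rules: List[Rule], hmi_hosts: List[str],
                     probe_src: str = "203.0.113.9") -> List[Tuple[str, int, str]]:
    """Simulate an internet-sourced probe (TEST-NET-3 address) against every ICS port on every HMI."""
    return [(h, p, name) for h in hmi_hosts for p, name in ICS_MGMT_PORTS.items()
            if first_match(rules, probe_src, h, p) == "allow"]


def hmi_egress_violations(rules: List[Rule], hmi_hosts: List[str],
                          corporate_net: str, probe_port: int = 445) -> List[str]:
    """Return the HMIs that can open a connection into the corporate network (bypassing the DMZ)."""
    target = str(next(ip_network(corporate_net).hosts()))   # first usable corporate address
    return [h for h in hmi_hosts if first_match(rules, h, target, probe_port) == "allow"]


# --- constructed sample topology and policies (addresses and ports invented for the example) ---
HMI_HOSTS = ["10.10.20.5", "10.10.20.6"]
CORPORATE_NET = "10.1.0.0/16"
VPN_POOL = "10.10.99.0/24"      # where MFA-protected VPN sessions land
HISTORIAN = "10.10.30.10/32"    # historian in the DMZ
DC = "10.10.30.20/32"           # domain controller in the DMZ

WEAK_RULES = [
    Rule("0.0.0.0/0", "10.10.20.5/32", 3389, "allow"),   # "vendor remote access" straight from the internet
    Rule("0.0.0.0/0", "10.10.20.0/24", 502, "allow"),    # "remote monitoring" of Modbus
    Rule("10.10.20.0/24", "0.0.0.0/0", None, "allow"),   # HMIs may talk to anything
]

HARDENED_RULES = [
    Rule(VPN_POOL, "10.10.20.0/24", 3389, "allow"),      # RDP to HMIs only from the VPN pool
    Rule("10.10.20.0/24", HISTORIAN, 5000, "allow"),     # HMI -> historian (port is illustrative)
    Rule("10.10.20.0/24", DC, 88, "allow"),              # HMI -> DC, Kerberos
    Rule("10.10.20.0/24", DC, 389, "allow"),             # HMI -> DC, LDAP
    Rule("0.0.0.0/0", "10.10.20.0/24", None, "deny"),    # explicit deny-all inbound to the OT segment
    Rule("10.10.20.0/24", "0.0.0.0/0", None, "deny"),    # explicit deny-all egress from HMIs
]


def audit(rules: List[Rule], hmi_hosts: List[str] = HMI_HOSTS,
          corporate_net: str = CORPORATE_NET) -> dict:
    """Both checks in one report; an empty report means the policy meets both configuration items."""
    return {
        "internet_exposed": internet_exposed(rules, hmi_hosts),
        "egress_violations": hmi_egress_violations(rules, hmi_hosts, corporate_net),
    }


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(ruleset))
```

The weak policy reports RDP and Modbus/TCP reachable on the first HMI and Modbus/TCP on the second, plus unrestricted egress from both, which is exactly the "HMI directly accessible from the public internet" condition the guidance tells operators to find and remove. The hardened policy reports nothing, while still allowing RDP from the VPN pool and the HMI's own paths to the historian and domain controller. The property worth carrying over to a real firewall is the fallback in `first_match`: a flow that matches no allow rule is denied, so a forgotten service is closed rather than open.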
## Compliance Alignment
The principles outlined by CISA and EPA strongly align with foundational cybersecurity frameworks:
* **NIST Cybersecurity Framework (CSF):** The actions map to **Identify** (asset management, risk assessment), **Protect** (access control, MFA, patching under maintenance), **Detect** (anomaly detection, continuous monitoring), **Respond** (incident response playbooks) and **Recover** (tested manual contingency plans).
* **CISA/EPA Guidance:** Directly supports the protective measures outlined in CISA's **Top Cyber Actions for Securing Water Systems**.
* **IEC 62443 Series:** The segmentation and access control requirements map directly to securing Industrial Automation and Control Systems (IACS) environments.
## Common Pitfalls to Avoid
* **Treating OT Security Like IT Security:** Assuming generic IT security solutions or patch cycles are immediately applicable to sensitive OT/HMI systems without rigorous testing and operational review.
* **Over-Reliance on Obscurity:** Thinking that simply changing default IP addresses or port numbers sufficiently safeguards an exposed HMI; this grants a false sense of security.
* **Ignoring Legacy Hardware:** Failing to prioritize risks associated with older HMI hardware or software that cannot support modern controls like MFA or timely patching.
* **Incomplete Documentation:** Not fully documenting the communication pathways between the HMI, PLC, and historians, leading to gaps when implementing segmentation.
## Resources
* CISA's **Internet-Exposed HMIs Pose Cybersecurity Risks to Water and Wastewater Systems** Fact Sheet (Referenced document for detailed context).
* CISA's **Top Cyber Actions for Securing Water Systems** (For comprehensive implementation guidance).
* CISA’s Free **Cyber Vulnerability Scanning Services** for Water Utilities (For proactive testing).
* EPA's Guidance on improving cybersecurity practices at drinking water and wastewater utilities.