ICS Vulnerabilities Found in Hundreds of Water Utilities


Image courtesy of Bryan Jones under Attribution-NonCommercial-NoDerivs 2.0 Generic Deed, resized to 700 x 391 pixels.

Research from late 2024 found that hundreds of water treatment facilities had vulnerabilities in their industrial control systems (ICS) that placed them at risk of a cyberattack.  Essentially, many of these critical pieces of equipment were discovered to be accessible – by anybody – via the internet.

The good news is that the industry took note and many of the issues have been mitigated.  That said, the fact that it got to that point in the first place portends a larger issue.

Details of the Water Utility Sector’s ICS Vulnerability

The water utility industry is one of the most cyber-vulnerable sectors in the U.S. due to its highly fragmented nature, aged systems, and general lack of cybersecurity resources and expertise.  In fact, utility cyberattacks against ICS and other critical infrastructure, equipment and facilities have increased by an eye-popping 700% over the last few years.  Simply put, water and energy sector cyber threats are everywhere, which is why the analysis is so alarming.

The research firm that conducted the analysis, Censys, found in late 2024 that a whopping 400 human-machine interfaces (HMIs) had been exposed.  Of these 400, 66% were configured to allow read-only access by anybody, and 10% were fully unauthenticated and controllable by anyone with a browser.  Only 25% had enabled any authentication at all!

The impacted platforms all utilized the same browser-based HMI/SCADA software.  The researchers contacted the HMI manufacturers, which I would assume will solve some of the problems.

The good news is that the industry reacted rapidly to the report.  About 25% of the impacted water utilities fixed their ICS vulnerability in less than 10 days, and 60% within 3 weeks.  As of the time of this writing, fewer than 6% of the systems remain vulnerable, a remarkable achievement in such a short period of time.

Hopefully, the Censys report was and will continue to be a wake-up call, especially since an ICS vulnerability is only one of many ways a hacker could launch an attack.
