Web-based Human-Machine Interfaces (HMIs) have made accessing critical control systems simple and easy, with engineers able to quickly check and adjust the status and operation of all kinds of systems and services.
But exposing these interfaces to the public internet can increase organisational risk if sensitive services are not well secured.
Researchers at Censys, a U.S. platform provider focused on "mapping the world's networks, devices, and internet-facing attack surfaces", have published a report on how they discovered 400 web-based HMIs for U.S. water facilities exposed online and then took action to secure the systems.
For those not familiar with HMIs, the research provides background information on the risks of web-facing systems and describes how the company verified the criticality of the systems scanned and directed efforts to secure critical water operations.
Censys provides real-time internet visibility and intelligence, and the company has its roots in the ZMap open source scanner created by Zakir Durumeric at the University of Michigan.
CNI operators should be proactively monitoring their own internet-facing assets to stay ahead of attackers, and the U.S. cybersecurity agency CISA provides high-level guidance on how to use the platform as an attack surface reduction tool.
In October 2024, the company's researchers discovered almost 400 web-based HMIs for U.S. water facilities exposed online. Through TLS certificate analysis and a review of screenshots of the target systems, Censys worked with the software vendor and the Environmental Protection Agency (EPA) to contact operators and secure almost all of the systems discovered.
The systems scanned used the same browser-based HMI/SCADA software and were found in one of three states:
40 systems were fully unauthenticated and controllable by anyone with a browser, a potentially high-risk position for critical infrastructure operators. Censys states: "These interfaces act as literal viewports into live industrial processes."
Attackers use similar tooling to scan the internet and identify future targets where they can disrupt or destroy critical functions. The report highlights why such systems should be identified and actively managed by operators and secured behind authentication at a minimum. Vendor guidance should be actively addressed at the time of implementation, and continuous assurance should be used to verify security status.
In this case, Censys and the EPA collaborated to remediate the discovered systems, with fewer than 6% still online in a read-only or unauthenticated state by May this year.
Have a read of the research online and consider if you are proactively and effectively managing your ICS attack surface.