Tag: Cybercrime
Hack the Planet? No. Just Hack the Tap: What exposed water systems tell us about the state of cybersecurity around the world
I was already feeling twitchy about the state of critical infrastructure, but it was Ryan Naraine’s article in SecurityWeek – “Misconfigured HMIs Expose U.S. Water Systems to Anyone with a Browser” – that pushed me over the edge. Drawing on new data from Censys, Ryan has laid out in clear, horrifying terms how thousands of Human-Machine Interfaces (HMIs) tied to U.S. water and wastewater systems are exposed to the open internet, many with no passwords at all.
These are the digital control panels for water facilities. They manage everything from pump speeds to chlorine dosing. Some allow manual overrides of safety protocols. In many cases, all you need is a browser and the right URL to access them.
This is not a plot line from Mr. Robot. This is real infrastructure, vulnerable in real time. But sure, let’s keep arguing about fluoride.
What exactly is going on here?
HMIs are meant to give authorised operators a real-time view into critical systems. They were originally built for internal networks – not for the internet. But over time, convenience crept in. Engineers started putting them online for remote monitoring. And somewhere along the way, basic security got left behind.
In many cases, these systems are online with default credentials. In others, they have no authentication at all. Some can be found using simple search engines like Shodan.
And unfortunately, this is not just a theoretical risk. It has already happened:
- In 2024, pro-Russian hacktivist groups targeted water systems in the U.S., manipulating HMIs and forcing equipment into unsafe conditions.
- In 2023, hackers caused an overflow in Muleshoe, Texas, which forced operators to switch to manual controls.
- In 2021, a threat actor gained remote access to the Oldsmar, Florida water plant and attempted to raise sodium hydroxide levels to dangerous concentrations. Luckily, a sharp-eyed employee noticed the changes and acted in time.
None of these required deep technical skills or nation-state funding. Just access and opportunity.
How did it get this bad?
In smaller towns and regional areas, most utilities are running on razor-thin budgets. Their focus is on delivering water, not defending against international cyber threats. Many are still relying on legacy systems that were never built with cybersecurity in mind. And while digitisation has made operations more efficient, it has also introduced new, unmanaged risks.
No one meant for things to be this insecure. But without clear standards, without dedicated security resources, and without the money to fix what’s broken, this is where we’ve landed.
Is this just an American problem? Not even close.
The Censys scan focused on U.S. systems, but the issue is global. Industrial control systems are exposed in countries around the world — Australia, the UK, Brazil, Indonesia, Germany. Wherever water infrastructure has been digitised without proper security, the risks are there.
In lower-income regions, systems are often rolled out quickly, with little cyber planning. In wealthier nations, decentralised governance means hundreds of small operators each manage their own infrastructure – and many are flying blind.
Shodan makes this visibility possible for anyone. And unfortunately, that includes people who are not just curious.
What should we be doing about this?
We know what needs to be done. The challenge is the will – and the funding – to do it.
Here’s where to start:
- Remove HMIs from the public internet unless there is an absolutely compelling reason not to
- Enforce strong authentication and disable default credentials
- Fund shared security services for smaller utilities
- Conduct national-level scans to map exposure and prioritise fixes
- Build minimum security requirements into regulation, not as a nice-to-have but as core infrastructure policy
Security is not something we can bolt on later. It has to be built in from the beginning, and it has to be maintained with the same urgency as any other critical safety function.
Final thought
We have spent decades debating what should go in the water. We have opinions on fluoride, chlorine, and microplastics. Meanwhile, no one stopped to ask whether the control panel was sitting online with no password.
This is not a hypothetical crisis. It is already happening, and it is fixable – but only if we stop treating cybersecurity like someone else’s problem.
At the very least, we should start by locking the door before the taps are turned off.
About the Author:
Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.
Board Member Spotlight: Adj. Prof. Dr. Greg Dzsinich, LLM, CIPP/E
One idea that continues to guide his leadership comes from his time at Microsoft. When he joined the company in 2008, he was struck by a powerful metaphor. If we sit in one boat, we must not only row well. We must also remain in …
“What happens to Heroes?” EPISODE #6: The Unsung Heroes of the digital world by Didier Annet
The Psychological Impacts of Cyberattacks What I will call the “Heroes” Let’s Rewrite the Story of a Cyberattack – Alternate History of a winning scenario Excerpt From the Interview Typical identification factor: “Right reflexes, right roles — from click to crisis” About the Author Didier …
CyAN Mentorship Wrap-Up – 2025-1
CyAN is nearing the end of its spring 2025 mentorship programme. We extend a sincere thank you to our members who have agreed to contribute to the development of new talent entering the information security sector: Saba Bahgeri (Australia), Mohammed Shakil Khan (UAE), Mathew Nicho (UAE), Shantanu Bhattacharya (Australia), Bharat Raigangar (UAE), and John Salomon (Spain), and to the mentees they have worked with for 3 months.
In 2023, our then-Secretary General James Briscoe and I decided that it would make sense for CyAN to try and create a mentorship programme. CyAN’s mission includes contributing to the security, trust, safety, and resilience around the global information space. This involves helping to strengthen the talent pipeline for an industry perpetually struggling with identifying and supporting new professionals.
More importantly, mentorship is a way for CyAN members to share their knowledge and experience with the next generation. Many of us were fortunate enough in the early stages of our careers to benefit from established experts who took the time to help us getting started, whether by answering questions or making introductions to their own networks; it seemed only fair to give the CyAN community a way to do the same. As importantly, mentorship is a great way for those of us with long careers behind us to learn from fresh faces about new technologies, norms, attitudes, and methods of working. Every generation brings new experiences and approaches that can help us as mentors continue to develop our skills and ways of thinking, as we help our successors to leverage and develop their own qualities.
The 2023 pilot was an experiment in learning-by-doing. CyAN had a lot of opportunity to expand our membership and activities after its first few years of existence, and the launch of our mentorship project was just one of many ways to get members engaged and to raise CyAN’s profile across the industry. With 6 mentors and 7 candidates, everything about the pilot was improvised, sometimes from scratch, sometimes from borrowing from our experience with other such initiatives. Nonetheless, the pilot was a rewarding experience all around, with several of the candidates going on to join CyAN as active and contributing members. We look forward to the contributions the mentees will make to CyAN, whether through blog posts, podcasts, presentations, or other ways of teaching us about their own projects and knowledge, and in turn encourage all CyAN members to continue to support them as new members, with the same level of networking help and other professional support that is a hallmark of our professional community.
After a break in 2024 to focus on membership growth and consolidation, we’re now nearing the end of our second mentorship run. The cohort of candidates is refreshingly diverse, including both female and male students and recent graduates from the APAC and South Asia region, while 2023 was more focused on EMEA and North America. Likewise, our mentors represent the demographics of our growing membership, whether in terms of professional profile, location, or who they are as individuals.
As our first intake for 2025 starts wrapping up, we are already planning for a second group of mentors and candidates in the second half of the year. We’re in discussion with numerous other friendly associations and schools to identify promising candidates for the next intake, and look forward to bringing yet another group of fresh, motivated, smart faces into the organisation.
Welcome New Member – Sapann Talwar from Australia
Please welcome our newest member from Australia, Sapann Talwar
Sapann is a seasoned Cybersecurity and Risk management practitioner with 26+ years of industry experience. He specializes in safeguarding ‘Data’ against evolving cyber threats and has a strong track record in developing and executing security strategies for global MNCs across diverse sectors, including BFSI, Manufacturing, IT, and Software Development.
Throughout his career, Sapann has led the design and implementation of resilient cybersecurity programs, aligning robust security architectures with business growth and innovation objectives. His expertise spans IT and OT environments, focusing on risk mitigation, threat monitoring, and disaster recovery.
Renowned for driving measurable outcomes and cultivating strategic alliances as a CXO advisor, Sapann is adept at leading high-performing, cross-functional teams. His leadership ensures smooth security operations, proactive risk management, adherence to industry standards, and regulatory compliance. Committed to fostering a secure and resilient digital environment, Sapann continues to champion forward-looking cybersecurity strategies that enable enterprise-wide value creation.
It’s good to have you, Sapann! We look forward to the expertise you bring and enabling you here at CyAN. Don’t hesitate to reach out or explore Sapann’s profile to grow your networks mutually.
“What Happens to Heroes?” – Episode #5: The Unsung Heroes of the Digital World
The Psychological Impacts of Cyberattacks This is the fifth episode in our ongoing series about the individuals who, in a matter of moments, transition from employees to rescuers in the aftermath of a destructive cyberattack. These are what I call the “Heroes.” Let’s Rewrite the …