I was already feeling twitchy about the state of critical infrastructure, but it was Ryan Naraine’s article in SecurityWeek – “Misconfigured HMIs Expose U.S. Water Systems to Anyone with a Browser” – that pushed me over the edge. Drawing on new data from Censys, Ryan has laid out in clear, horrifying terms how thousands of Human-Machine Interfaces (HMIs) tied to U.S. water and wastewater systems are exposed to the open internet, many with no passwords at all.

These are the digital control panels for water facilities. They manage everything from pump speeds to chlorine dosing. Some allow manual overrides of safety protocols. In many cases, all you need is a browser and the right URL to access them.

This is not a plot line from Mr. Robot. This is real infrastructure, vulnerable in real time. But sure, let’s keep arguing about fluoride.

What exactly is going on here?

HMIs are meant to give authorised operators a real-time view into critical systems. They were originally built for internal networks – not for the internet. But over time, convenience crept in. Engineers started putting them online for remote monitoring. And somewhere along the way, basic security got left behind.

In many cases, these systems are online with default credentials. In others, they have no authentication at all. Some can be found using simple search engines like Shodan.

And unfortunately, this is not just a theoretical risk. It has already happened:

• In 2024, pro-Russian hacktivist groups targeted water systems in the U.S., manipulating HMIs and forcing equipment into unsafe conditions.
• In 2023, hackers caused an overflow in Muleshoe, Texas, which forced operators to switch to manual controls.
• In 2021, a threat actor gained remote access to the Oldsmar, Florida water plant and attempted to raise sodium hydroxide levels to dangerous concentrations. Luckily, a sharp-eyed employee noticed the changes and acted in time.

None of these required deep technical skills or nation-state funding. Just access and opportunity.

How did it get this bad?

In smaller towns and regional areas, most utilities are running on razor-thin budgets. Their focus is on delivering water, not defending against international cyber threats. Many are still relying on legacy systems that were never built with cybersecurity in mind. And while digitisation has made operations more efficient, it has also introduced new, unmanaged risks.

No one meant for things to be this insecure. But without clear standards, without dedicated security resources, and without the money to fix what’s broken, this is where we’ve landed.

Is this just an American problem? Not even close.

The Censys scan focused on U.S. systems, but the issue is global. Industrial control systems are exposed in countries around the world — Australia, the UK, Brazil, Indonesia, Germany. Wherever water infrastructure has been digitised without proper security, the risks are there.

In lower-income regions, systems are often rolled out quickly, with little cyber planning. In wealthier nations, decentralised governance means hundreds of small operators each manage their own infrastructure – and many are flying blind.

Shodan makes this visibility possible for anyone. And unfortunately, that includes people who are not just curious.

What should we be doing about this?

We know what needs to be done. The challenge is the will – and the funding – to do it.

Here’s where to start:

• Remove HMIs from the public internet unless there is an absolutely compelling reason not to
• Enforce strong authentication and disable default credentials
• Fund shared security services for smaller utilities
• Conduct national-level scans to map exposure and prioritise fixes
• Build minimum security requirements into regulation, not as a nice-to-have but as core infrastructure policy

Security is not something we can bolt on later. It has to be built in from the beginning, and it has to be maintained with the same urgency as any other critical safety function.

Final thought

We have spent decades debating what should go in the water. We have opinions on fluoride, chlorine, and microplastics. Meanwhile, no one stopped to ask whether the control panel was sitting online with no password.

This is not a hypothetical crisis. It is already happening, and it is fixable – but only if we stop treating cybersecurity like someone else’s problem.

At the very least, we should start by locking the door before the taps are turned off.