Tag: Trust

Cyber (In)Securities – Issue 154 – Snapshot Edition

Cyber (In)Securities – Issue 154 – Snapshot Edition

You can download this edition by clicking the three dots icon on the bottom right and selecting Download PDF File. To enlarge the view, click the fullscreen icon on the bottom right. All article titles inside the flipbook are clickable links.

Cyber (In)Securities – Issue 153 

Cyber (In)Securities – Issue 153 

You can download this edition by clicking the three dots icon on the bottom right and selecting Download PDF File. To enlarge the view, click the fullscreen icon on the bottom right. All article titles inside the flipbook are clickable links.

Hack the Planet? No. Just Hack the Tap: What exposed water systems tell us about the state of cybersecurity around the world

Hack the Planet? No. Just Hack the Tap: What exposed water systems tell us about the state of cybersecurity around the world

I was already feeling twitchy about the state of critical infrastructure, but it was Ryan Naraine’s article in SecurityWeek – “Misconfigured HMIs Expose U.S. Water Systems to Anyone with a Browser” – that pushed me over the edge. Drawing on new data from Censys, Ryan has laid out in clear, horrifying terms how thousands of Human-Machine Interfaces (HMIs) tied to U.S. water and wastewater systems are exposed to the open internet, many with no passwords at all.

These are the digital control panels for water facilities. They manage everything from pump speeds to chlorine dosing. Some allow manual overrides of safety protocols. In many cases, all you need is a browser and the right URL to access them.

This is not a plot line from Mr. Robot. This is real infrastructure, vulnerable in real time. But sure, let’s keep arguing about fluoride.

What exactly is going on here?

HMIs are meant to give authorised operators a real-time view into critical systems. They were originally built for internal networks – not for the internet. But over time, convenience crept in. Engineers started putting them online for remote monitoring. And somewhere along the way, basic security got left behind.

In many cases, these systems are online with default credentials. In others, they have no authentication at all. Some can be found using simple search engines like Shodan.

And unfortunately, this is not just a theoretical risk. It has already happened:

  • In 2024, pro-Russian hacktivist groups targeted water systems in the U.S., manipulating HMIs and forcing equipment into unsafe conditions.
  • In 2023, hackers caused an overflow in Muleshoe, Texas, which forced operators to switch to manual controls.
  • In 2021, a threat actor gained remote access to the Oldsmar, Florida water plant and attempted to raise sodium hydroxide levels to dangerous concentrations. Luckily, a sharp-eyed employee noticed the changes and acted in time.

None of these required deep technical skills or nation-state funding. Just access and opportunity.

How did it get this bad?

In smaller towns and regional areas, most utilities are running on razor-thin budgets. Their focus is on delivering water, not defending against international cyber threats. Many are still relying on legacy systems that were never built with cybersecurity in mind. And while digitisation has made operations more efficient, it has also introduced new, unmanaged risks.

No one meant for things to be this insecure. But without clear standards, without dedicated security resources, and without the money to fix what’s broken, this is where we’ve landed.

Is this just an American problem? Not even close.

The Censys scan focused on U.S. systems, but the issue is global. Industrial control systems are exposed in countries around the world — Australia, the UK, Brazil, Indonesia, Germany. Wherever water infrastructure has been digitised without proper security, the risks are there.

In lower-income regions, systems are often rolled out quickly, with little cyber planning. In wealthier nations, decentralised governance means hundreds of small operators each manage their own infrastructure – and many are flying blind.

Shodan makes this visibility possible for anyone. And unfortunately, that includes people who are not just curious.

What should we be doing about this?

We know what needs to be done. The challenge is the will – and the funding – to do it.

Here’s where to start:

  • Remove HMIs from the public internet unless there is an absolutely compelling reason not to
  • Enforce strong authentication and disable default credentials
  • Fund shared security services for smaller utilities
  • Conduct national-level scans to map exposure and prioritise fixes
  • Build minimum security requirements into regulation, not as a nice-to-have but as core infrastructure policy

Security is not something we can bolt on later. It has to be built in from the beginning, and it has to be maintained with the same urgency as any other critical safety function.

Final thought

We have spent decades debating what should go in the water. We have opinions on fluoride, chlorine, and microplastics. Meanwhile, no one stopped to ask whether the control panel was sitting online with no password.

This is not a hypothetical crisis. It is already happening, and it is fixable – but only if we stop treating cybersecurity like someone else’s problem.

At the very least, we should start by locking the door before the taps are turned off.


About the Author:

Kim Chandler McDonald is the Co-Founder and CEO of 3 Steps Data, driving data/digital governance solutions.
She is the Global VP of CyAN, an award-winning author, storyteller, and advocate for cybersecurity, digital sovereignty, compliance, governance, and end-user empowerment.

Board Member Spotlight: Adj. Prof. Dr. Greg Dzsinich, LLM, CIPP/E

Board Member Spotlight: Adj. Prof. Dr. Greg Dzsinich, LLM, CIPP/E

One idea that continues to guide his leadership comes from his time at Microsoft. When he joined the company in 2008, he was struck by a powerful metaphor. If we sit in one boat, we must not only row well. We must also remain in 

“What happens to Heroes?” EPISODE #6: The Unsung Heroes of the digital world by Didier Annet

“What happens to Heroes?” EPISODE #6: The Unsung Heroes of the digital world by Didier Annet

The Psychological Impacts of Cyberattacks What I will call the “Heroes” Let’s Rewrite the Story of a Cyberattack – Alternate History of a winning scenario Excerpt From the Interview Typical identification factor: “Right reflexes, right roles — from click to crisis” About the Author Didier 

Cyber (In)Securities – Issue 152 – Snapshot Edition

Cyber (In)Securities – Issue 152 – Snapshot Edition

You can download this edition by clicking the three dots icon on the bottom right and selecting Download PDF File. To enlarge the view, click the fullscreen icon on the bottom right. All article titles inside the flipbook are clickable links.

Cyber (In)Securities – Issue 151 – Snapshot Edition

Cyber (In)Securities – Issue 151 – Snapshot Edition

You can download this edition using the download icon at the bottom. To enlarge the view, click the fullscreen icon on the bottom right. All article titles inside the flipbook are clickable links.

Cyber (In)Securities – Issue 150 – Snapshot Edition

Cyber (In)Securities – Issue 150 – Snapshot Edition

You can download this edition using the download icon at the bottom. To enlarge the view, click the fullscreen icon on the bottom right. All article titles inside the flipbook are clickable links.

Welcome New Member – Sapann Talwar from Australia

Welcome New Member – Sapann Talwar from Australia

Please welcome our newest member from Australia, Sapann Talwar


Sapann is a seasoned Cybersecurity and Risk management practitioner with 26+ years of industry experience. He specializes in safeguarding ‘Data’ against evolving cyber threats and has a strong track record in developing and executing security strategies for global MNCs across diverse sectors, including BFSI, Manufacturing, IT, and Software Development.

Throughout his career, Sapann has led the design and implementation of resilient cybersecurity programs, aligning robust security architectures with business growth and innovation objectives. His expertise spans IT and OT environments, focusing on risk mitigation, threat monitoring, and disaster recovery.

Renowned for driving measurable outcomes and cultivating strategic alliances as a CXO advisor, Sapann is adept at leading high-performing, cross-functional teams. His leadership ensures smooth security operations, proactive risk management, adherence to industry standards, and regulatory compliance. Committed to fostering a secure and resilient digital environment, Sapann continues to champion forward-looking cybersecurity strategies that enable enterprise-wide value creation.

It’s good to have you, Sapann! We look forward to the expertise you bring and enabling you here at CyAN. Don’t hesitate to reach out or explore Sapann’s profile to grow your networks mutually.

“What Happens to Heroes?” – Episode #5: The Unsung Heroes of the Digital World

“What Happens to Heroes?” – Episode #5: The Unsung Heroes of the Digital World

The Psychological Impacts of Cyberattacks This is the fifth episode in our ongoing series about the individuals who, in a matter of moments, transition from employees to rescuers in the aftermath of a destructive cyberattack. These are what I call the “Heroes.” Let’s Rewrite the