
Misconfigured HMIs Expose U.S. Water Systems to Public Internet

April 11, 2026


Nearly 400 web-based Human-Machine Interfaces (HMIs) tied to U.S. water and wastewater systems were found exposed to the public internet, according to research published in May 2025. These interfaces, which are designed to manage critical operational functions like pump control, tank monitoring, and chemical dosing, were never intended for external access. Yet many remained online, with 95 requiring credentials, 264 offering read-only access, and a troubling 40 completely unauthenticated—meaning anyone with a browser could interact with them.

These misconfigurations significantly raise the risk of cyberattacks, particularly as threat actors continue to exploit critical infrastructure weaknesses. Past incidents—such as the 2021 Oldsmar, Florida water plant attack and 2024 campaigns by pro-Russian hacktivists—demonstrate how exposed HMIs can be weaponized to manipulate chemical levels or disrupt services.


To help mitigate these risks, InfoSight Inc. provides a suite of specialized OT cybersecurity services tailored for water and wastewater systems. Our SCADA and ICS risk assessments identify misconfigured HMIs, insecure remote access points, and segmentation failures. InfoSight’s 24x7x365 OT network monitoring delivers real-time anomaly detection, powered by live cybersecurity analysts who detect and contain unauthorized access before it escalates. Through our proprietary Mitigator™ platform, utilities can streamline vulnerability remediation with context-aware risk scoring and integrated ticketing. We also support utilities with secure network architecture design, endpoint hardening, and compliance alignment with EPA, NIST CSF, and ISA/IEC 62443 frameworks.

Backed by over two decades of experience supporting U.S. utilities, InfoSight stands apart through our Perform Guarantee and flexible “easy-out” contract model. We deliver on strict SLAs, ensuring accountability and measurable outcomes every step of the way.

The exposure of these HMIs is a wake-up call. Without visibility, segmentation, and continuous monitoring, critical water infrastructure remains dangerously vulnerable. InfoSight helps utilities take decisive action—before adversaries do.
