Misconfigured HMIs Leave U.S. Water Systems Exposed

Hundreds of dashboard interfaces used to control U.S. water utility systems have been found accessible on the open internet, according to researchers at Censys. The exposed human-machine interfaces (HMIs), which are commonly used in industrial control systems, were misconfigured in a way that allowed anyone with a web browser to view sensitive control-room data.

Investigators followed digital clues to locate the publicly available HMIs, raising concerns over the cybersecurity posture of critical U.S. infrastructure. These interfaces often provide real-time visualizations of operational activity and system status, and their exposure could offer attackers valuable insight into utility operations.

The discovery underscores the persistent security risks tied to industrial systems being improperly connected to the internet. While no specific breaches were reported, the visibility of these control systems increases the potential for cyberattacks or inadvertent disruptions. The findings highlight the need for stronger access controls and network segmentation in public utility networks.