In June 2025, the EPA’s Water Infrastructure and Cyber Resilience Division (WICRD) notified the Water Quality Control Division (WQCD) that they had identified potential cybersecurity vulnerabilities at four Colorado public water systems (PWSs). While scanning for vulnerable devices, EPA identified the specific TCP/IP addresses of four BIF3800 SCADA Control Systems that were internet-exposed and could potentially allow a remote user to access the device and disrupt the utility’s operations. WQCD Field Services immediately reached out to the four water systems to notify them of the potential vulnerability so they could take action to protect their systems.
Many utilities installed SCADA BIF3800 units as early as the 1990s, and these units were controlling ancillary processes in the distribution systems of the water systems. A common belief was that hackers would not be interested in equipment that is so old, or that the older control systems would be less vulnerable to cyber attacks. Unfortunately, hackers can exploit any internet-exposed interfaces like these. The EPA and the Cybersecurity and Infrastructure Security Agency (CISA) recently published a joint fact sheet that highlights the risks posed by internet-exposed Human Machine Interfaces (HMIs), including how easily hackers can find and exploit HMIs with cybersecurity weaknesses. The EPA and CISA fact sheet recommends mitigations to secure HMIs, including:
- Conduct an inventory of all internet-exposed devices.
- If possible, disconnect HMIs and all other accessible and unprotected systems from the public-facing internet.
- If it is not possible to disconnect the device, secure it by creating a username and a strong password to prevent a threat actor from easily viewing and accessing the device. Change factory default passwords.
Thankfully, the four water systems quickly responded to remove the exposure and did not experience any cyber events due to this issue. The CISA team in Colorado also reached out to the water systems to provide technical support to mitigate the vulnerabilities.
WQCD encourages water systems to continue to evaluate and protect their systems against cyber threats. Utilities that need support can contact the Colorado CISA Team, including Edward (Charlie) Marmon at edward.marmon@cisa.dhs.gov or Kindra Brewer at kindra.brewer@cisa.dhs.gov. The EPA’s Cybersecurity Technical Assistance Help Desk is also available for assistance. The WQCD Drinking Water Security Response Toolbox is a one-stop shop for security resources.
➽ Heather Young, PE, CWP, Field Services Section Manager
➽ Naheem Noah, Field Services Section