Turning Off the (Information) Flow: Working With the EPA to Secure Hundreds of Exposed Water HMIs

In October 2024 Censys discovered almost 400 web-accessible browser-based HMIs for U.S. water treatment facilities—identified via TLS certificate analysis and screenshot extraction—including 40 fully unauthenticated systems and 264 read-only instances; Censys reported the findings to the EPA and the vendor, prompting coordinated remediation that reduced exposed systems to under 6% by May 2025.