Jessica Ohnona / EVP Data Science and Analytics
June 18, 2025
A deeper look at operational blind spots in critical infrastructure
What’s Actually Happening and Why It is Dangerous
A recent SecurityWeek report identified nearly 400 browser-accessible Human-Machine Interfaces (HMIs) connected to U.S. water and wastewater infrastructure. Shockingly, over 40 of these were completely unauthenticated, meaning that anyone with an internet connection and a browser could potentially issue commands to control pumps, valves, or chemical dosing in real time.
This is not a minor oversight. When HMIs are exposed like this, they can allow malicious actors or even unintentional users to manipulate critical water treatment processes. These are not theoretical vulnerabilities; similar exposures have led to real-world consequences, such as the Muleshoe, Texas incident in 2024, where attackers accessed water systems and caused tank overflows.
This is an Operational Risk, Not Just a Cybersecurity Concern
HMIs are not just interfaces; they are operational control points. Exposing them does not just pose a risk to cybersecurity; it directly impacts physical processes. If an attacker opens a backwash valve at the wrong time, the result can be pressure loss across the water system, which in turn risks contaminating drinking water. If turbidity or chemical feed values are spoofed to appear normal, serious faults could go undetected until a health violation occurs. And if high-service pumps are shut off remotely, operators may be forced into manual overrides, raising both safety and regulatory concerns.
These outcomes are not speculative; they represent a convergence of cybersecurity, safety, and public health issues. The mere fact that an HMI is discoverable through a basic browser query should be viewed as a process failure, whether or not an actual attack has occurred.
Traditional Cybersecurity Tools Are Not Built for This Problem
Most tools deployed in critical infrastructure environments are designed for enterprise IT, not for industrial operational technology (OT). They depend heavily on IP-based traffic analysis, perimeter firewalls, and log correlation, none of which are effective in capturing the behavior of non-IP devices. In many water systems, some of the most critical communications, such as serial signals from Modbus RTU or 4-20mA analog values, are completely invisible to these tools.
Even when legacy systems are technically connected to IP networks, they often lack the ability to support deep packet inspection or detailed protocol analysis. As a result, a malicious command could be issued to a controller without triggering any alerts in standard IT monitoring platforms. Industry assessments estimate that as much as 50% of OT network traffic in water utilities is not captured or analyzed due to these blind spots.

The Visibility Gap is a Physical Layer Problem
What makes this challenge more urgent is that it is rooted in the physical layers of ICS communications. True visibility means going beyond IP traffic and inspecting communications that take place over serial lines and analog signals. These include protocols like Modbus RTU, Profibus, and IEC-101/104, which are still commonly used in Level 0 and Level 1 devices within water treatment plants.
Generic intrusion detection systems may see some of this traffic if it passes through an IP bridge, but they cannot understand what a dangerous “Force Coil ON” command in Modbus means without protocol-specific context. And because many PLCs and RTUs are fragile or sensitive, any form of active polling introduces the risk of system failure. That is why industry standards, including guidance from AWWA and ISA, recommend passive, non-intrusive monitoring for safety-critical operations.
Simply put, you cannot rely on IP tools alone when your most important assets do not speak IP. You need visibility that begins at the physical connection—and that understands the protocols in use.
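As an added illustration (not Cynalytica's code and not part of the original article), the sketch below shows what protocol-specific context means for the "Force Coil ON" case: it checks the CRC of Modbus RTU request frames taken from a passive tap, decodes function code 0x05, and alerts on write-class commands that fall outside a baseline. It generalizes to the other standard write function codes; the `baseline` parameter, the helper names and the sample frames are assumptions constructed for the example.

```python
import struct

# Write-class Modbus function codes: these change controller state.
WRITE_FUNCS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def with_crc(pdu: bytes) -> bytes:
    """Append the CRC low byte first, as it appears on the wire."""
    return pdu + struct.pack("<H", crc16_modbus(pdu))

def classify(frame: bytes, baseline=frozenset()) -> str:
    """Classify one passively captured RTU request; baseline holds expected (unit, func) writes."""
    if len(frame) < 4:
        return "malformed: too short"
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    if crc16_modbus(body) != crc:
        return "malformed: bad CRC"
    unit, func = body[0], body[1]
    if func not in WRITE_FUNCS:
        return f"ok: unit {unit} read/other func 0x{func:02X}"
    detail = WRITE_FUNCS[func]
    if func == 0x05 and len(body) == 6:
        coil, value = struct.unpack(">HH", body[2:6])  # address and value are big-endian
        state = {0xFF00: "ON", 0x0000: "OFF"}.get(value, "INVALID")
        detail = f"Force coil {coil} {state}"
    verdict = "ok" if (unit, func) in baseline else "ALERT"
    return f"{verdict}: unit {unit} {detail}"

# Constructed sample frames (not captured from a real system).
_on = with_crc(bytes.fromhex("110500ACFF00"))      # unit 17, coil 172, ON
SAMPLES = [
    with_crc(bytes.fromhex("0103006B0003")),       # unit 1 reads 3 holding registers
    _on,
    _on[:-1] + bytes([_on[-1] ^ 0xFF]),            # same frame with a corrupted CRC
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(f.hex(" "), "->", classify(f))
```

A generic IDS sees all three sample frames as opaque bytes behind a serial-to-IP bridge; only the decoded function code and coil value distinguish a routine read from a state-changing command.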
Cynalytica Delivers the Visibility Modern ICS Demands
Cynalytica was built to solve precisely this problem. Our platform captures and analyzes serial, analog, and IP communications from the lowest levels of the Purdue Model, providing OT teams with the full picture—without interfering with live operations.
Using SerialGuard® sensors, we passively collect RS-232/485 and 4-20mA signals directly from controllers and instruments. OTNetGuard® mirrors Ethernet traffic, allowing us to correlate it with serial and analog data. Together, these components enable our AnalytICS engine to baseline normal behavior and detect unsafe patterns across Modbus, BACnet, Profibus, and IEC protocols.
Our technology can identify abnormal command sequences, unsafe timing anomalies, and suspicious HMI activity—even if the interface is technically isolated—because the control commands must still pass through the wire. That is where we operate: at the signal level, not just the software layer.
The system operates entirely passively, ensuring compliance with OEM requirements and regulatory guidance while giving teams actionable intelligence on what is happening right now.
Move from Reactive to Proactive OT Defense
Cynalytica’s approach helps industrial operators move beyond after-the-fact detection. Our platform enables continuous monitoring of system behavior, alerting teams to anomalous commands or timing issues before they result in equipment damage or process failure. By providing deep visibility into legacy infrastructure, we help utilities extend system life without costly upgrades.

In addition, by normalizing and curating ICS data from across all communications layers, we enable integration into existing SIEM and SOC workflows. That means your cyber analysts can finally see what your process engineers have been blind to, and vice versa.
As water and wastewater systems face increasing attention from both nation-state and criminal actors, early detection at the control-signal layer may be your last opportunity to stop an attack before it causes real harm.
See It for Yourself at the ISA OT Cybersecurity Summit
Cynalytica will be demonstrating its full platform live at the ISA OT Cybersecurity Summit in Brussels (June 18–20, 2025). We will show real-time visibility into both IP and serial-layer communications on a working water treatment simulation, complete with live HMI behavior, legacy controllers, and analog sensors.
If you are responsible for ICS/OT, physical systems, or operational safety, stop by the Cynalytica booth for a hands-on demonstration. Want a private session? Contact us now and we will show you exactly what is happening on your network today, and what you are missing without full-layer visibility.
Want to know what the industry missed and how Cynalytica built the fix? Read the full story here.