A cybersecurity firm uncovered hundreds of exposed national water facilities

Software company Censys found 400 web-based HMIs for US water facilities exposed online.

Francis Scialabba

When Mark Ellzey, a senior security researcher at Censys, stumbled upon exposed water facilities online, he thought it might have been a joke, or even a honeypot. The more the team dug, the worse it got—Censys found almost 400 web-based Human-Machine Interfaces (HMIs) for water facilities in the US unprotected online.

In order to start remediation efforts, Ellzey, Censys Principal Security Researcher Emily Austin, and the team contacted the host of the critical infrastructure, or industrial control systems (ICS), which had a “tepid response.” So, the team contacted the Environmental Protection Agency.

“A lot of people, when they think of critical infrastructure and ICS, it’s some complex protocol and stuff like that,” Ellzey said. “When all I had to do was look [on the internet]…That’s bad these things have been sitting out there for who knows how long. It feels bad in that way because it’s an exposure that should not exist.”

Within nine days of the systems being found in October, 24% of them had been secured. As of May, less than 6% of the systems are still online in read-only or unauthenticated states.

EPA spokesperson Carolyn Holran told IT Brew the agency, under a contract with Censys, conducts cybersecurity vulnerability scanning nationwide to identify internet-connected and water system-owned devices that are vulnerable.

Austin told IT Brew that prior to last year’s discovery, Censys had worked with the EPA and had produced a “large report on water and wastewater exposures on the internet earlier in the year.”

“When we were taking that out, we found all of these things,” Austin said. “Again, we need to do something about this, and EPA was the organization that really raised their hand.”

So random. Ellzey said Censys is always trying to find “things” on the internet, but it’s not always clear what those things are.

“Especially in the world of critical infrastructure, ICS, there’s a whole bunch of stuff out there, but it might not actually be critical infrastructure,” Ellzey said. “You gotta figure out what’s the difference between the two. We’re always, constantly looking for new things that come up.”

Ellzey described stumbling into the exposed water facilities as “random poking at random places on random posts.”

The team was looking at Transport Layer Security (TLS) certificates and the organization string on the certificate clued them in; it was the same across hundreds of hosts. Ellzey said they thought it might’ve been a honeypot, which is when someone on the internet tries to make a host look like something it’s not in order to see if anybody is trying to “hit that host,” according to Ellzey.

This was easy to eliminate from the equation since the hosts existed on mobile and residential networks, Ellzey said. “If somebody were to stage a mass honeypot network, they would need to buy like Comcast accounts and things like that, so it’s just out of the question.”

Austin said what Censys found was something you could look at in your web browser.

“If you know the IP address and the port where this lives, you can look at it, we could send you links to them and you could look at them,” Austin said. “That level of access and the ease of access was something that was just very jarring to us…[It] didn’t require specialized expertise or any kind of specialized knowledge to really find them.”

Let’s get remediated. While Censys was not hands-on with the mitigation itself, Austin said the team was “essentially a data supplier” and measured the progress over time. Censys worked to find the data, share it with EPA, and continue to validate that the remediation was working.

“We sent the initial list, we exchanged messages with our EPA contract, and they worked with the manufacturer and these utilities on our side,” Austin said. “We also measure the number of these online that were still unauthenticated or just fully exposed.”

Ellzey came up with the determinations for the different states of being for the HMIs (authenticated, read-only, and unauthenticated). He also wrote the tooling to go interact with remote services and pull screenshots, contact information, and then determine the state of the system.

Austin said the tooling script that Ellzey wrote was fed IP address data from Censys based on the specific criteria available. Since the team knew the TLS certificate value, they wanted to find the IP addresses and determine which category each one fell into.

EPA and the agency’s vendor are still working to remediate the exposed HMIs, and Austin said the Censys team still reaches out to EPA should any other vulnerabilities be found.

“On us, it’s continuing to do the discovery, continuing to kick over rocks and find these things,” Austin said. “Finding these and then making sure they get shared with the right people who can actually do something about it.”

Ellzey added: “I’ve been chasing that dragon ever since we found it initially, this is a once-in-a-lifetime cool find.”

Correction 06/12/25: An earlier version of this story misattributed the number of contracts between the EPA and Censys Technologies to Censys.