Definition

HMI (Human Machine Interface)

The operator-facing interface for monitoring and controlling industrial equipment. HMIs are high-value attack targets because they provide direct access to physical process control.

What is HMI (Human Machine Interface)?

A Human Machine Interface (HMI) is the operator-facing display and control system that provides visibility into industrial processes and allows operators to monitor status, adjust setpoints, issue commands, and respond to alarms. HMIs range from dedicated panel-mounted touchscreens on a single machine to enterprise-wide SCADA visualization platforms that display process data across entire facilities. They are the point where human judgment interfaces with automated control systems.

HMIs are high-value attack targets for several reasons. They run general-purpose operating systems (Windows 10, Windows Server) that are susceptible to standard IT attack techniques — phishing, credential stuffing, RDP exploitation — giving attackers a foothold that provides direct access to industrial process controls. An attacker with HMI access can observe process state (intelligence for operational disruption planning) and issue commands to physical equipment.

Security for HMIs involves both standard IT hardening (patching, credential management, application allowlisting) and OT-specific controls (restricting network access to only required connections, monitoring for unauthorized command issuance, alerting on access outside normal operating hours). HMIs often have broader network connectivity than other OT devices because operators need to view data from multiple systems, making them both high-value and relatively reachable.
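The OT-specific checks described above can be expressed as rules over HMI session and connection events. The following is an added example, not ORDR's code or part of the original page; the event format, addresses, shift hours, account names and allowlists are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed site policy (hypothetical values, not from the page).
ALLOWED_SOURCES = [ip_network("10.20.1.0/28")]                # operator workstations
ALLOWED_PEERS = {("10.20.5.10", 502), ("10.20.5.11", 44818)}  # controllers the HMI may reach
WRITE_USERS = {"op_day", "op_night"}                          # accounts allowed to issue commands
SHIFT_START, SHIFT_END = time(6, 0), time(18, 0)              # normal operating hours

# Constructed sample events: timestamp, kind, src, dst, dport, user
SAMPLE_LOG = """\
2024-03-04T09:15:02,login,10.20.1.5,10.20.3.20,3389,op_day
2024-03-04T09:16:40,write,10.20.1.5,10.20.5.10,502,op_day
2024-03-04T13:02:11,write,10.20.1.7,10.20.5.10,502,viewer1
2024-03-05T02:41:37,login,10.20.9.44,10.20.3.20,3389,op_day
2024-03-05T02:43:05,conn,10.20.3.20,10.20.7.15,445,-
"""

def review(log_text):
    """Return (timestamp, rule) findings for an HMI event log."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines
        ts, kind, src, dst, dport, user = row
        when = datetime.fromisoformat(ts)
        if kind in ("login", "write"):
            # Operator sessions must come from known workstations...
            if not any(ip_address(src) in net for net in ALLOWED_SOURCES):
                findings.append((ts, "source-not-allowlisted"))
            # ...and fall inside normal operating hours.
            if not SHIFT_START <= when.time() < SHIFT_END:
                findings.append((ts, "outside-operating-hours"))
        if kind == "write" and user not in WRITE_USERS:
            # Command issued by an account without control rights.
            findings.append((ts, "unauthorized-command"))
        if kind == "conn" and (dst, int(dport)) not in ALLOWED_PEERS:
            # The HMI itself opened a connection it does not need.
            findings.append((ts, "unexpected-connection"))
    return findings

if __name__ == "__main__":
    for ts, rule in review(SAMPLE_LOG):
        print(ts, rule)
```

In a real deployment the allowlists and shift window would come from the site's asset inventory and shift schedule rather than constants.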

Key Facts

  • HMIs were targeted in the 2021 Oldsmar, Florida water treatment attack where an operator observed setpoint changes in real time
  • Most HMIs run general-purpose Windows operating systems with the same vulnerability surface as IT endpoints
  • Default credentials on HMI web interfaces remain common in operational environments
  • Internet-exposed HMIs are actively scanned by Shodan and other reconnaissance platforms

How ORDR Addresses HMI (Human Machine Interface)

ORDR discovers and classifies HMIs as a distinct device type, establishes behavioral baselines for their normal communication patterns, and monitors for deviations — unexpected connections, unusual protocol activity, access outside normal hours. ORDR integrates HMI risk scores with vulnerability data for the specific OS and HMI software running on each device.
