The Register

DEF CON hackers plug security holes in US water systems amid tsunami of threats

A DEF CON hacker walks into a small-town water facility… no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It’s a true story that happened at five utilities across four states.

And now, nine months into providing free cybersecurity services to a handful of American critical infrastructure systems, the project’s organizers plan to grow the initiative massively before the end of the year to protect thousands of water systems across the country.

The Franklin project, named for Benjamin Franklin, who founded America’s first volunteer fire department, launched at last year’s DEF CON with 350 people signing up to give their time and talent to water facilities at no charge.

“We had to shut down sign-ups because we had so much interest,” Jake Braun, co-founder of DEF CON Franklin, told The Register. “I literally didn’t have enough people to manage the incoming intake of volunteers.”

Braun, a former White House official and executive director at the University of Chicago’s Cyber Policy Initiative, hopes to put the volunteer army of hackers to work over the next few months as the project expands. 

The volunteers were deployed across five water systems in four states — Indiana, Oregon, Utah, and Vermont — and provided no-cost assistance with cybersecurity basics, such as making sure the utilities had changed default passwords and turned on multi-factor authentication. They also assisted with asset inventories, operational technology (OT) assessments, and network mapping and scanning.

One of the volunteers’ first challenges was convincing the water utilities that, despite being located in small towns, they were still a target for Chinese and Iranian cyber crews. 

As we now know: Beijing’s Volt Typhoon breached hundreds of utilities, including water systems in small municipalities. The Chinese government hackers burrowed deep into critical networks both to pre-position themselves for future destructive cyberattacks, and also to use the utilities’ connected devices to route network traffic.

“A lot of folks are like: ‘Why would they care about us? Why wouldn’t they go hack the Washington, DC, utility?’ Well, they are hacking the Washington, DC, water utility, but they’re also looking at these little guys too, because a lot of them support military installations or important hospitals. So at first it was just kind of explaining the nature of the threat, and despite the fact that they might be a tiny water utility, the Chinese government might actually still be after them,” Braun said.

Water (in)security

Initially, the plan was to work with five water utilities, test out the program, learn what works and what doesn’t, and then expand to more facilities after DEF CON. 

“We were hoping hundreds,” Braun said. “But then with the increased attacks from China and Iran, and federal funding being cut for the Multi-State Information Sharing and Analysis Center (MS-ISAC) and EPA, we don’t have time to just naturally evolve into something bigger because there’s 50,000 water utilities in the country.”

So the Franklin project and its partners (DEF CON, the National Rural Water Association, Cyber Resilience Corps, Aspen Digital, the American Water Works Association, Cyber Solarium 2.0, Red Queen Security, and UnDisruptable27) decided it was time to turbo scale.

They are able to do this while keeping the technology and services available at no cost, thanks to contributions from Craig Newmark Philanthropies and vendors like Dragos, which provides free access to its OT cybersecurity tools to US and Canada-based water, electric, and natural gas providers with less than $100 million in annual revenue.

“Our volunteers are now working with companies like Dragos to figure out what tools are most applicable to water, which ones are free and are not freemium, because we don’t want to stick these utilities with some tech that all of a sudden they need to pay for six months from now,” Braun said. “And then we’re figuring out how we can put together a suite of these free tools to deploy to water utilities quickly so that we can start doing thousands, not onesies and twosies.”

Braun wouldn’t say too much about the types of threats that the volunteers saw or thwarted during the past nine months, but he did describe one small victory: A water facility manager called the infosec expert he had been working with after receiving an email containing a malicious link. The water manager didn’t click on the link because the Franklin volunteer had recently warned him about phishing attacks.

“With water utilities, 99 percent of them maybe have an IT guy. None of them have a cyberperson. And most of their ‘IT guys’ — I’m doing air quotes — is also the operations manager,” Braun said. “They’re all broke because they’re user-funded and rate hikes are incredibly unpopular. So many of these are small communities. So it’s our merry band of volunteers or nothing. That’s the option for these folks.” ®
