DEF CON Hackers Find & Fix US Water System Security Flaws

by Sophie Lin - Technology Editor

The Volunteer Hackers Securing America’s Water Supply – And Why It’s Not Enough

Over 300,000 Americans rely on a water system that has been breached by Chinese hackers. This isn’t a hypothetical threat; it’s the reality exposed by Beijing’s Volt Typhoon operation, and it’s why a band of volunteer hackers, initially convened at the DEF CON security conference, are now racing against time to shore up the defenses of thousands of vulnerable water utilities across the country.

From DEF CON to Critical Infrastructure Defense

The Franklin Project, named in homage to Benjamin Franklin’s founding of America’s first volunteer fire department, began as a grassroots effort last year. What started with 350 volunteers offering pro bono cybersecurity services quickly overwhelmed organizers. “We had to shut down sign-ups because we had so much interest,” explains Jake Braun, co-founder of DEF CON Franklin and former White House official. “I literally didn’t have enough people to manage the incoming intake of volunteers.” The initial focus was on providing basic cybersecurity hygiene – changing default passwords, enabling multi-factor authentication, and conducting initial network assessments – to five water systems in Indiana, Oregon, Utah, and Vermont.

The Growing Threat to “Little Guys”

The urgency has escalated dramatically. Braun emphasizes that the threat isn’t limited to large metropolitan water systems. “A lot of folks are like: ‘Why would they care about us? Why wouldn’t they go hack the Washington, DC, utility?’ Well, they are hacking the Washington, DC, water utility, but they’re also looking at these little guys too, because a lot of them support military installations or important hospitals.” This targeting of smaller, often overlooked utilities is a key tactic, allowing attackers to establish footholds for larger operations or disrupt critical services indirectly. The recent attacks by Volt Typhoon, detailed in numerous reports, underscore this point – small town water systems are not immune.

Scaling the Response: A Collaborative Effort

Recognizing the scale of the problem – there are over 50,000 water utilities in the US – and the dwindling federal resources (funding cuts to the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the EPA have exacerbated the situation), the Franklin Project is undergoing a “turbo scale.” A broad coalition of organizations, including the National Rural Water Association, Cyber Resilience Corps, and Dragos, are contributing to the effort. Dragos, a leading OT cybersecurity firm, is providing free access to its tools for smaller providers, ensuring that cost isn’t a barrier to entry. The focus is on deploying a suite of free, readily available tools to rapidly improve the security posture of these vulnerable systems.

The Challenge of OT Security

Securing operational technology (OT) presents unique challenges. Unlike traditional IT systems, OT controls physical processes, and disruptions can have immediate and severe consequences. Many water utilities lack dedicated cybersecurity personnel, with IT responsibilities often falling to operations managers already stretched thin. As Braun points out, “With water utilities, 99 percent of them maybe have an IT guy. None of them have a cyberperson.” This skills gap is a critical vulnerability that the Franklin Project aims to address.

Beyond Basics: Proactive Threat Hunting and Incident Response

While initial efforts focused on foundational security measures, the project is evolving to include more proactive threat hunting and incident response capabilities. A recent success story involved a water facility manager recognizing a phishing attempt – a direct result of training provided by a Franklin Project volunteer. This highlights the power of even basic cybersecurity awareness training in mitigating risk. However, the volunteers are also working to identify and address more sophisticated threats, though details remain confidential to avoid compromising ongoing investigations.

The Future of Water Cybersecurity: Automation and AI

The current volunteer-driven model, while impactful, isn’t sustainable in the long term. The future of water cybersecurity will likely involve increased automation and the integration of artificial intelligence (AI). AI-powered threat detection systems can analyze network traffic and identify anomalies that might indicate a cyberattack. Automated vulnerability scanning and patching can help utilities proactively address security weaknesses. However, these technologies require significant investment and expertise, creating a potential divide between well-resourced and under-resourced utilities. The challenge will be to democratize access to these advanced tools and ensure that all water systems, regardless of size or budget, can benefit from them. Dragos is already leading the way in OT threat intelligence, providing valuable insights into the evolving threat landscape.

The story of the DEF CON hackers stepping up to protect America’s water supply is a testament to the power of collaboration and the dedication of cybersecurity professionals. But it’s also a stark warning: the threat is real, it’s growing, and a sustainable, long-term solution is urgently needed. What steps will policymakers and industry leaders take to ensure the security of this vital resource?
