DEF CON Hackers Plug Security Holes in US Water Systems Amid Tsunami of Threats
The DEF CON hacker community has launched a massive initiative to secure critical water infrastructure across the United States, following a series of high-profile attacks on small-town water facilities. The project, dubbed "Franklin," aims to provide free cybersecurity services to thousands of water systems nationwide, a far cry from its humble beginnings with just five pilot deployments.
Last year's DEF CON saw 350 volunteers sign up to give their time and talent to help water facilities improve their security, but organizers had to shut down sign-ups due to overwhelming interest. Jake Braun, co-founder of the Franklin project, told The Register that he was surprised by the level of enthusiasm from potential volunteers.
"We had to shut down sign-ups because we had so much interest," Braun said. "I literally didn't have enough people to manage the incoming intake of volunteers." With a team of dedicated hackers, Braun hopes to put his volunteer army to work over the next few months as the project expands.
The initial pilot deployments took place across five water systems in four states – Indiana, Oregon, Utah, and Vermont. The volunteers provided no-cost assistance with cybersecurity basics, such as making sure utilities had changed default passwords and turned on multi-factor authentication. They also assisted with asset inventories, operational technology (OT) assessments, and network mapping and scanning.
One of the volunteers' first challenges was convincing small-town water utility managers that even their facilities were a target for Chinese and Iranian cyber crews. As it turns out, Beijing's Volt Typhoon breached hundreds of utilities, including water systems in small municipalities. The Chinese government hackers burrowed deep into critical networks to pre-position themselves for future destructive cyberattacks, and to route their network traffic through the utilities' connected devices.
"A lot of folks are like: 'Why would they care about us? Why wouldn't they go hack the Washington, DC, utility?' Well, they are hacking the Washington, DC, water utility, but they're also looking at these little guys too, because a lot of them support military installations or important hospitals," Braun explained. "So at first it was just kind of explaining the nature of the threat, and despite the fact that they might be a tiny water utility, the Chinese government might actually still be after them."
Initially, the plan was to work with five water utilities, test out the program, learn what works and what doesn't, and then expand to more facilities after DEF CON. However, with increased attacks from China and Iran, and federal funding being cut for the Multi-State Information Sharing and Analysis Center (MS-ISAC) and EPA, the Franklin project decided it was time to turbo scale.
"We were hoping hundreds," Braun said. "But then with the increased attacks from China and Iran, and federal funding being cut for the MS-ISAC and EPA, we don't have time to just naturally evolve into something bigger because there's 50,000 water utilities in the country." By scaling up the project, the Franklin team aims to protect thousands of water systems across the country.
Thanks to contributions from Craig Newmark Philanthropies and vendors like Dragos, which provides free access to its OT cybersecurity tools to US and Canada-based water, electric, and natural gas providers with less than $100 million in annual revenue, the Franklin project can continue to provide its services at no cost.
"Our volunteers are now working with companies like Dragos to figure out what tools are most applicable to water, which ones are free and are not freemium, because we don't want to stick these utilities with some tech that all of a sudden they need to pay for six months from now," Braun said. "And then we're figuring out how we can put together a suite of these free tools to deploy to water utilities quickly so that we can start doing thousands, not onesies and twosies."
Braun also emphasized the importance of having dedicated cybersecurity experts at each water facility, rather than relying on IT staff who may not have the necessary expertise. "With water utilities, 99 percent of them maybe have an IT guy," he said. "None of them have a cyberperson. And most of their 'IT guys' – I'm doing air quotes – is also the operations manager." These small communities often lack the resources to invest in cybersecurity, making the Franklin project's services invaluable.
"So many of these are small communities," Braun said. "So it's our merry band of volunteers or nothing. That's the option for these folks."