Flushable wipes and Iran: Water treatment facility adds cyber attacks to worry list

Flushable wipes and Iran: Water treatment facility adds cyber attacks to worry list

In a small town in southern Vermont, not far from the lauded ski slopes of Okemo, there's water gushing out of the back of a treatment facility. For Chris Hughes, the assistant water and wastewater operator for the towns of Cavendish and Proctorsville, it's just another problem and another day on the job. This time, he's pretty sure a lightning strike disrupted the water treatment process.

Other times, it's a build-up of iron in the system, a missing manhole cover, or an influx of "flushable" wipes, which he says routinely gum up the system. "I haven't had a lot of jobs, but it is by far the most interesting job that I've ever had," he told NPR during a tour of the facilities. "And so you have to … you have to like it. You have to kind of care."

Hughes is a master at fixing whatever's broken. But now, he's facing a new threat: hackers burrowing into the system and wreaking havoc. It's not a fantasy or some far-off possibility; it's already happening all over the United States.

Iranian hackers infiltrated computer systems at a water treatment plant in Aliquippa, Pa., to display anti-Israel messages in November of 2023. In December 2023, the Municipal Water Authority of Aliquippa, Pa., was one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made.

Gene J Puskar/AP hide caption

A water system overflowed in rural Muleshoe, Texas, in January of 2024, an attack that's been linked to Russian hacktivists. And across the country in recent years, U.S. officials say, Chinese hackers have burrowed deep inside American critical infrastructure, including its water systems, in order to prepare for a potential future conflict with the United States.

Those are just a few examples of what the U.S. Environmental Protection Agency has labeled a growing problem, concluding that "cyberattacks against [community water systems]" are "increasing in frequency and severity across the country."

Now, as the threat grows, Hughes and the towns he represents are participating in a pilot program pairing the people who operate these critical infrastructure with experts who can help them think differently about potential threats. Two independent experts have recently assembled to help him with digital threats: Tim Pappa, a former FBI agent and volunteer for Project Franklin, and Forest Anderson, another Vermont water operator.

Tim Pappa is former FBI agent and volunteer for Project Franklin. He has been advising Hughes on the basics of digital hygiene and cybercrime. Claire Harbage/NPR hide caption

"Right now is hunting season. We are the six point buck in the field and right now our threat profile is all there," explained Anderson. "We're just hanging out in the field right now. We need to get in the woods. It's a lot harder to hit a target in the woods."

The experts are working with Hughes to implement basic solutions to protect his systems, from covering up the WiFi password on the router and setting up a password storage management system to installing tools that will help monitor the network and saving backups of vital data in the event of a disaster.

It's not just Vermont or even the United States that faces a serious threat from hackers targeting critical infrastructure. More and more, these kinds of attacks are taking place around the world, increasing the urgency required to secure these systems as adversaries continue to better learn how they work and how to better take advantage of them.

Rob Lee of Dragos cites the war in Ukraine as a big driver for choosing to donate the company's tools to infrastructure operators. Russian hackers have routinely targeted Ukraine's electric grid, while Norwegian police recently accused Russian hackers of sabotaging a dam and causing it to overflow.

"We've been up and running for years," explained Lee. "We just need more people to know about it."