Water utilities are some of the most vulnerable U.S. critical infrastructure organizations, but some of them could get a cybersecurity boost from an army of volunteer white-hat hackers.
Several cyber experts have already been assisting small water treatment facilities with security improvements as part of a public-service project called DEF CON Franklin, which launched at the DEF CON cybersecurity conference in Las Vegas in 2024. But at this year’s DEF CON conference, the project’s organizers announced plans to scale up that initiative in partnership with the National Rural Water Association (NRWA) and help secure thousands of water systems across the U.S.
“We’ve seen both the urgency of the threat and the potential of a community-driven solution,” Jake Braun, the co-founder of DEF CON Franklin, said in a statement.
There are more than 55,000 community water systems nationwide, supplying big cities, small towns and rural communities. Water is considered a lifeline sector, and some utilities are considered national security resources because they supply U.S. military bases. But many small water systems operate with meager budgets, outdated technology and no dedicated cybersecurity personnel, making them tempting targets for hackers intent on causing chaos.
In late 2023, Iranian hackers breached several water utilities while targeting organizations using Israeli-made programmable logic controllers. In the fall of 2024, American Water, the country’s largest water utility, experienced a cyberattack that forced it to shut down some systems. Fears about hackers manipulating industrial control systems to poisoning water supplies have been so acute that a report of one such attempt in a Florida city in 2021 sparked a frenzied news cycle, even though the incident appears to have been overblown.
NRWA is hoping to counter escalating threats to the water sector through its expanded partnership with DEF CON Franklin. Volunteer hackers have spent the past nine months helping secure utilities in Indiana, Oregon, Utah and Vermont, and now NRWA is designing a pilot program that will test a more sophisticated and far-reaching system for delivering cyber aid.
The program will function like a managed security service provider (MSSP), but instead of delivering one company’s defensive services to participating utilities, it will provide a platform for multiple tech and security companies to offer their help.
“This was the next step of, What else can we do to help shore up our small systems?” John DeGour, a regulatory affairs specialist at NRWA, told Cybersecurity Dive during a recent interview at DEF CON. “Franklin has these great volunteer cybersecurity professionals, and we have this great relationship with water utilities.”
Freebie services
NRWA and Franklin are currently designing the program and talking with companies about what services they could offer for free or at a reduced cost. Franklin’s volunteer cybersecurity experts have shared advice about “what a [tech] stack might look like,” DeGour said, and NRWA has been combining those ideas with its insights about small utilities’ security needs.
One interested company, the industrial cybersecurity firm Dragos, is talking to organizers about which of its free tools “would have the most impact” for water systems, Braun told Cybersecurity Dive. “We’re looking for other partners who can bring similarly high-value, free, NOT freemium, resources into the program.”
NRWA would administer the MSSP program, relying on its existing relationships with utilities, but Franklin experts would deploy across the country to help utilities adopt participating companies’ services. Braun said the goal is for each utility to have a dedicated cyber adviser from Franklin, which has approximately 350 registered volunteers.
Depending on which companies participate, the available services could include vulnerability scanning, penetration testing, identity management, asset inventorying, patch management, intrusion detection, threat intelligence and incident response. Participating security vendors may also provide tools such as firewalls or virtual private networks. Even basic support like setting up strong authentication could make a big difference: The water utilities that Iran hacked, for example, were using passwords set to “1111.”
If a water utility experiences a cyber intrusion, Franklin hackers could help operators contain the damage and restore operations, DeGour said.
Recruiting members
NRWA has begun reaching out to its members to gauge their interest in participating in a pilot test of the MSSP program. DeGour said the outreach has “been received positively” and NRWA is “beginning to identify some utilities that we could pilot with.”
The organization hopes to enlist between five and 10 utilities for the pilot program, which will help it understand how to design a permanent program that can serve tens of thousands of utilities nationwide. If the pilot is successful, DeGour said, NRWA hopes to “secure some funding,” potentially from the federal government, to “expand it to a larger model.”
Water-cyber connection
As the Franklin initiative scales up, its organizers will need to build trust between critical infrastructure operators, who are often wary of letting outsiders tinker with their mission-critical systems, and volunteer security enthusiasts, who may not understand the environment they are entering. “These communities don’t know these cybersecurity experts, [and] cybersecurity experts, a lot of times, don’t speak rural water,” DeGour said. Because utilities trust NRWA and its state affiliates, he said, “we’re able to make that connection.”
Franklin volunteers’ participation in NRWA’s Cybersecurity Circuit Rider Program laid the groundwork for those trust relationships. Hackers have partnered with five utilities so far, and DeGour said NRWA has received “really good feedback.”
At DEF CON, DeGour and Charles Stephens, NRWA’s senior executive policy director, met with representatives from several of the conference’s specialist communities, including the groups focused on industrial control systems and government policy. Their input “is really helping shape our concept,” DeGour said.
NRWA hopes to vet enough hackers, recruit enough utilities and enlist enough companies to launch the MSSP pilot by the end of the year.
“Things have been moving rapidly in the right direction,” DeGour said.
