First Water Utilities Take Volunteer Cyber Help

CHICAGO, IL (November 20, 2024) – The University of Chicago Harris School of Public Policy’s Cyber Policy Initiative (CPI) announces the first group of participating water utilities in its cyber volunteer project, alongside DEF CON (the world’s largest summit of technologists and hackers) and the National Rural Water Association (NRWA). After the project was announced at DEF CON 32 this August, NRWA identified an initial cohort of six water utilities from across four states (Utah, Vermont, Indiana and Oregon) to receive cyber assistance. This project, called DEF CON Franklin, will pair volunteer cyber security experts with water utilities, and will also distill lessons learned that can be applied broadly across the nation.

Jake Braun, CPI Executive Director and former White House acting Principal National Cyber Director said of the pilot programs, “At the White House, we spent an enormous amount of time trying to devise ways to better secure our water systems in light of China's Volt Typhoon attacks.  However, most of our time was spent on the water utilities supporting military installations.  There are another 49,000 water utilities that do not support military bases and still need to improve their cyber security because they either don’t have the staff, or the resources, to protect themselves.”

In recent years, cyber attacks on U.S. infrastructure have become more common, with water utilities being particularly vulnerable targets. Last month, American Water, which is the U.S.’s largest water utility company, reported a cyber attack that could affect up to fourteen million people.

“The water sector faces increasing cybersecurity-related risk,” said NRWA Chief Executive Officer Matt Holmes. “Over 91% of the approximately 50,000 community water systems in the United States are small, serving fewer than 10,000 people. NRWA and our members are at the forefront of this challenge. This partnership brings cybersecurity experts to rural America to provide the tools our sector needs to assess, prepare, and respond to cyberattacks.” 

DEF CON Franklin is currently matching volunteers with water utilities based on their respective levels of cybersecurity skill and availability. Before volunteers are deployed, technologists will guide volunteers through a tiered approach that will offer tailor-made solutions according to the unique cybersecurity needs of each utility. As one of the inaugural cyber-focused projects to serve nationwide water utilities, Franklin will explore the novel possibility of deploying volunteers as a free, scalable solution to help secure water systems nationwide.

“DEF CON’s superpower is that we’re a bunch of hackers that want to help, figure out how things work, or love pointing out how things are broken and might be fixed. It turns out, there are a lot of groups that want to hear that perspective - and would like advice and help,” said Jeff Moss, founder of DEF CON. “This is our first initiative to turn a single weekend of people together into doing good things year round.”

Earlier this year, the EPA warned nationwide water utilities of the increasing risk, and frequency, of cyberattacks on water systems. According to the agency, over 70% of water systems inspected by officials were not in compliance with common cybersecurity standards. U.S. officials have specifically targeted a Chinese-linked cyber threat known as Volt Typhoon, which continues to compromise information technology across the American critical infrastructure network. Experts believe that Volt Typhoon is an adversarial strategy to pre-position on U.S. and allied IT infrastructure, in anticipation of launching cyberattacks in the event of conflict over Taiwan or another critical geopolitical issue.

In November 2023, Iranian-backed hackers gained access to one of the booster stations of Aliquippa, PA. The hackers took control of the critical node - which controls a group of booster pumps - before municipal officials were alerted by alarm.

This April, three rural towns in Texas were attacked by a Russian hacktivist group. Over the course of four days, the town of Hale Center experienced 37,000 attacks on their firewall. In nearby Muleshoe, hackers caused the water system to overflow before officials managed to stem the flow manually.

###

The Cyber Policy Initiative (CPI) is a forum through which government officials, academics, and cybersecurity professionals can engage and strengthen cyber posture against malicious actors and attacks. Through partnerships with DEF CON and domestic and foreign governments, CPI targets several objectives, including publishing a yearly "Hackers' Almanack" to promote cutting-edge cybersecurity policy interventions; establishing a cyber volunteer task force to help secure critical infrastructure, starting with U.S. water utilities and school districts; and helping state and local governments develop cybersecurity strategies, implement recommendations, and craft workforce development plans.

The National Rural Water Association (NRWA) is a non-profit organization dedicated to training, supporting, and promoting the water and wastewater professionals that serve small and rural communities across the country. NRWA provides nationwide training and technical assistance through its affiliated State Rural Water Associations that currently have over 31,000 utility system members across all 50 states and Puerto Rico. Rural Water training and technical assistance covers every aspect of operating, managing, and financing water and wastewater utilities.

DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest.