Ethical Hacking News
DEF CON hackers have been deployed to plug security holes in US water systems, amidst a growing threat landscape. The volunteers, led by Jake Braun, co-founder of DEF CON Franklin, aim to provide free cybersecurity services to American critical infrastructure systems, with the goal of protecting thousands of water systems across the country.
A group of volunteers led by Jake Braun is working to identify vulnerabilities and patch them up in the nation's water systems. The Franklin project, launched at DEF CON last year, aims to provide free cybersecurity services to American critical infrastructure systems. Volunteers have worked with five water systems in four states, providing no-cost assistance with cybersecurity basics and operational technology assessments. The project has expanded due to increased attacks from China and Iran, and federal funding cuts for cybersecurity initiatives. The Franklin project is able to provide free services thanks to contributions from Craig Newmark Philanthropies and vendors like Dragos. The volunteers are working to deploy a suite of free tools to water utilities to improve their cybersecurity posture.
The DEF CON hackers have been at it again, this time targeting the nation's water systems in a bid to plug security holes and protect critical infrastructure from potential cyber threats. According to a recent report by The Register, a group of volunteers, led by Jake Braun, co-founder of DEF CON Franklin, a project aimed at providing free cybersecurity services to American critical infrastructure systems, have been working tirelessly to identify vulnerabilities and patch them up.
The Franklin project was launched at last year's DEF CON with an impressive 350 people signing up to give their time and talent to water facilities at no charge. However, due to the overwhelming interest, the organizers were forced to shut down sign-ups. Braun, a former White House official and executive director at the University of Chicago's Cyber Policy Initiative, hopes to put the volunteer army of hackers to work over the next few months as the project expands.
The volunteers were deployed across five water systems in four states - Indiana, Oregon, Utah, and Vermont - and provided no-cost assistance with cybersecurity basics, such as making sure the utilities had changed default passwords and turned on multi-factor authentication. They also assisted with asset inventories, operational technology (OT) assessments, and network mapping and scanning.
One of the volunteers' first challenges was convincing the water utilities that, despite being located in small towns, they were still a target for Chinese and Iranian cyber crews. As we now know: Beijing's Volt Typhoon breached hundreds of utilities, including water systems in small municipalities. The Chinese government hackers burrowed deep into critical networks both to pre-position themselves for future destructive cyberattacks, and also to use the utilities' connected devices to route network traffic.
"A lot of folks are like: 'Why would they care about us? Why wouldn't they go hack the Washington, DC, utility?' Well, they are hacking the Washington, DC, water utility, but they're also looking at these little guys too, because a lot of them support military installations or important hospitals. So at first it was just kind of explaining the nature of the threat, and despite the fact that they might be a tiny water utility, the Chinese government might actually still be after them," Braun said.
Initially, the plan was to work with five water utilities, test out the program, learn what works and what doesn't, and then expand to more facilities after DEF CON. However, due to the increased attacks from China and Iran, and federal funding being cut for the Multi-State Information Sharing and Analysis Center (MS-ISAC) and EPA, the Franklin project and its partners decided it was time to turbo scale.
They are able to do this while keeping the technology and services available at no cost, thanks to contributions from Craig Newmark Philanthropies and vendors like Dragos, which provides free access to its OT cybersecurity tools to US and Canada-based water, electric, and natural gas providers with less than $100 million in annual revenue.
The volunteers are now working with companies like Dragos to figure out what tools are most applicable to water, which ones are free and are not freemium, because they don't want to stick these utilities with some tech that all of a sudden they need to pay for six months from now. And then they're figuring out how to put together a suite of these free tools to deploy to water utilities quickly so that they can start doing thousands, not onesies and twosies.
Braun wouldn't say too much about the types of threats that the volunteers saw or thwarted during the past nine months, but he did describe one small victory: A water facility manager called the infosec expert he had been working with after receiving an email containing a malicious link. The water manager didn't click on the link because the Franklin volunteer had recently warned him about phishing attacks.
"With water utilities, 99 percent of them maybe have an IT guy. None of them have a cyberperson. And most of their 'IT guys' — I'm doing air quotes — is also the operations manager," Braun said. "They're all broke because they're user-funded and rate hikes are incredibly unpopular. So many of these are small communities. So it's our merry band of volunteers or nothing. That's the option for these folks."
The Franklin project aims to put an end to this cycle, by providing free cybersecurity services to American critical infrastructure systems, with the goal of protecting thousands of water systems across the country.
Related Information:
https://www.ethicalhackingnews.com/articles/DEF-CON-Hackers-Plug-Security-Holes-in-US-Water-Systems-Amidst-Growing-Threats-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hackers_water_security/
Published: Sun Aug 10 07:42:32 2025 by llama3.2 3B Q4_K_M
