#### [Security](/security/)Volunteer DEF CON hackers dive into America’s leaky water infrastructure========================================================================Six sites targeted for security clean-up, just 49,994 to go———————————————————–[Iain Thomson](/Author/Iain-Thomson ‘Read more by this author’) Sun 24 Nov 2024 // 15:27 UTC [](https://www.reddit.com/submit?url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure) [](https://twitter.com/intent/tweet?text=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure&url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure&summary=Six%20sites%20targeted%20for%20security%20clean-up%2c%20just%2049%2c994%20to%20go) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) A plan for hackers to help secure America’s critical infrastructure has kicked off with six US water companies signing up to let coders kick the tires of their computer systems and fix any vulnerabilities.[Launched](https://www.theregister.com/2024/08/12/def_con_franklin_project_hopes_hackers/) at this year’s DEF CON, the Franklin project is a scheme to shore up key systems by using the skills of top hackers. As the conference’s founder, Jeff Moss, explained to *The Register* at the time, it’s an attempt not only to strengthen US resilience to online attacks, but also to chronicle what is being done in a yearly ‘Hacker’s Almanack’ so that others can learn essential skills.Now the scheme is kicking off in earnest with a partnership between the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative (CPI) and the National Rural Water Association (NRWA). The organizations are deploying top coders to investigate the security of six water companies based in Utah, Vermont, Indiana, and Oregon, fix any issues, and then pass the knowledge on. ’DEF CON’s superpower is that we’re a bunch of hackers that want to help, figure out how things work, or love pointing out how things are broken and might be fixed. It turns out there are a lot of groups that want to hear that perspective, and would like advice and help,’ said Moss. ‘This is our first initiative to turn a single weekend of people together into doing good things year round.’  Program director Paul Chang told *The Register* that the situation was similar to when DEF CON started a move to sort out problems in voting machines, but a lot more complicated. With voting machines, two manufacturers have 70 percent of the market, but with water companies, there are around 50,000 individual suppliers in the US, and they all have different IT systems.Volunteers will work with techies, be matched to a water company, and spend time helping suppliers harden their systems against outside attacks. It’s needed — we’ve already seen China, Russia, and Iran having [a nose around](https://www.theregister.com/2024/05/09/china_russia_iran_infrastructure/) US critical infrastructure and water systems would make an excellent target in the event of a conflict.* [DEF CON Franklin project enlists hackers to harden critical infrastructure](https://www.theregister.com/2024/08/12/def_con_franklin_project_hopes_hackers/)* [Lights, camera, AI! Real-time deepfakes coming to DEF CON](https://www.theregister.com/2024/08/04/realtime_deepfakes_defcon/)* [Ransomware can mean life or death at hospitals. DEF CON hackers to the rescue?](https://www.theregister.com/2024/03/26/aixcc_healthcare/)* [DEF CON to set thousands of hackers loose on LLMs](https://www.theregister.com/2023/05/06/ai_hacking_defcon/)’We’re hopeful that we’ll have raised enough public perception around this and awareness of the issue, and most importantly, have the policymakers — at least some of them — on our side,’ Chang explained. ‘As much as many things are now completely disagreeable for both parties, I think one thing we might be able to get on the same page on is I would love for my drinking water to not be poisoned.’The volunteers have a broad range of skills, he said, ranging from students to experienced veterans with 30-plus years of experience. The one thing they share is enthusiasm, he said, but there’s a lot of work ahead. ’The water sector faces increasing cybersecurity-related risk,’ said NRWA CEO Matt Holmes.’Over 91 percent of the approximately 50,000 community water systems in the United States are small, serving fewer than 10,000 people. NRWA and our members are at the forefront of this challenge. This partnership brings cybersecurity experts to rural America to provide the tools our sector needs to assess, prepare, and respond to cyberattacks.’ ® [Sponsored: When AI assistants leak secrets, prevention beats cure](https://go.theregister.com/tl/3106/shttps://www.theregister.com/2024/11/15/when_ai_assistants_leak_secrets/) Share [](https://www.reddit.com/submit?url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure) [](https://twitter.com/intent/tweet?text=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure&url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure&summary=Six%20sites%20targeted%20for%20security%20clean-up%2c%20just%2049%2c994%20to%20go) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) #### More about* [DEF CON](/Tag/DEF%20CON/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Security](/Tag/Security/) More like these × ### More about* [DEF CON](/Tag/DEF%20CON/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybercrime](/Tag/Cybercrime/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) #### More aboutShare [](https://www.reddit.com/submit?url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure) [](https://twitter.com/intent/tweet?text=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure&url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Volunteer%20DEF%20CON%20hackers%20dive%20into%20America%27s%20leaky%20water%20infrastructure&summary=Six%20sites%20targeted%20for%20security%20clean-up%2c%20just%2049%2c994%20to%20go) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2024/11/24/water_defcon_hacker/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) POST A COMMENT #### More about* [DEF CON](/Tag/DEF%20CON/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Security](/Tag/Security/) More like these × ### More about* [DEF CON](/Tag/DEF%20CON/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybercrime](/Tag/Cybercrime/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) #### TIP US OFF[Send us news](https://www.theregister.com/Profile/contact/)[#### Will passkeys ever replace passwords? Can they?Systems Approach Here’s why they really shouldSecurity7 days -| 116](/2024/11/17/passkeys_passwords/?td=keepreading) [#### Microsoft Power Pages misconfigurations exposing sensitive dataNHS supplier that leaked employee info fell victim to fiddly access controls that can leave databases dangling onlineSecurity10 days -| 6](/2024/11/15/microsoft_power_pages_misconfigurations/?td=keepreading) [#### Trump taps border hawk to head DHS. Will Noem’s ‘enthusiasm’ extend to digital domain?Analysis Meanwhile, CISA chief Jen Easterly will step down prior to inaugurationPublic Sector1 day -| 20](/2024/11/23/trump_noem_homeland_security/?td=keepreading) [#### An easy route to AI-enhanced productivityHow the integration of Google Gemini across Google Workspace turbo charges existing apps with AI powerSponsored Feature](/2024/10/07/an_easy_route_to_aienhanced/?td=keepreading) [#### America’s drinking water systems have a hard-to-swallow cybersecurity problemMore than 100M rely on gear rife with vulnerabilities, says EPA OIGPublic Sector5 days -| 18](/2024/11/19/us_drinking_water_systems_cybersecurity/?td=keepreading) [#### DARPA-backed voting system for soldiers abroad savagedVotingWorks, developer of the system, disputes critics’ claimsSecurity3 days -| 4](/2024/11/21/darpabacked_voting_system_for_soldiers/?td=keepreading) [#### Here’s how a Trump presidency could change the tech industryKettle Anything could happen in the next half … decadePublic Sector11 days -| 123](/2024/11/13/president_trump_tech/?td=keepreading) [#### Here’s what happens if you don’t layer network security — or remove unused web shellsTL;DR: Attackers will break in and pwn you, as a US government red team demonstratedSecurity3 days -| 3](/2024/11/22/cisa_red_team_exercise/?td=keepreading) [#### Google’s AI bug hunters sniff out two dozen-plus code gremlins that humans missedOSS-Fuzz is making a strong argument for LLMs in security researchAI + ML4 days -| 9](/2024/11/20/google_ossfuzz/?td=keepreading) [#### Healthcare org Equinox notifies 21K patients and staff of data theftRansomware scum LockBit claims it did the dirty deedCyber-crime5 days -| 1](/2024/11/20/equinox_patients_employees_data/?td=keepreading) [#### iOS 18 added secret and smart security feature that reboots iThings after three daysSecurity researcher’s reverse engineering effort reveals undocumented reboot timer that will make life harder for attackersSecurity5 days -| 38](/2024/11/19/ios_18_secret_reboot/?td=keepreading) [#### Five Eyes infosec agencies list 2023’s most exploited software flawsSlack patching remains a problem — which is worrying as crooks increasingly target zero-day vulnsCSO10 days -| 28](/2024/11/14/five_eyes_2023_top_vulnerabilities/?td=keepreading)
Related Tags:
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 49 – Couriers And Warehousing
NAICS: 561 – Administrative And Support Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 493 – Warehousing And Storage
Sodinokibi
REvil
Sodin
WanaCrypt0r
Associated Indicators: