DEF CON hackers plug security holes in US water systems amid tsunami of threats
===============================================================================

Five pilot deployments are just a drop in the bucket, so it’s time to turbo scale
---------------------------------------------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons "Read more by this author") Sun 10 Aug 2025 // 11:59 UTC

**DEF CON** A DEF CON hacker walks into a small-town water facility…no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com.
It’s a true story that happened at five utilities across four states.

And now, nine months into [providing free cybersecurity services](https://www.theregister.com/2024/11/24/water_defcon_hacker/) to a handful of American critical infrastructure systems, the project’s organizers plan to grow the initiative massively before the end of the year to protect thousands of water systems across the country.

The Franklin project, named for Benjamin Franklin, who founded America’s first volunteer fire department, [launched at last year’s DEF CON](https://www.theregister.com/2024/08/12/def_con_franklin_project_hopes_hackers/) with 350 people signing up to give their time and talent to water facilities at no charge.

“We had to shut down sign-ups because we had so much interest,” Jake Braun, co-founder of DEF CON Franklin, told *The Register*. “I literally didn’t have enough people to manage the incoming intake of volunteers.”

Braun, a former White House official and executive director at the University of Chicago’s Cyber Policy Initiative, hopes to put the volunteer army of hackers to work over the next few months as the project expands.

The volunteers were deployed across five water systems in four states — Indiana, Oregon, Utah, and Vermont — and provided no-cost assistance with cybersecurity basics, such as making sure the utilities had changed default passwords and turned on multi-factor authentication.
They also assisted with asset inventories, operational technology (OT) assessments, and network mapping and scanning.

> They’re also looking at these little guys too, because a lot of them support military installations or important hospitals.

One of the volunteers’ first challenges was convincing the water utilities that, despite being located in small towns, they were still a target for Chinese and Iranian cyber crews.

As we now know: Beijing’s Volt Typhoon [breached hundreds of utilities](https://www.theregister.com/2025/03/12/volt_tyhoon_experience_interview_with_gm/), including water systems in small municipalities. The Chinese government hackers burrowed deep into critical networks both to pre-position themselves for [future destructive cyberattacks](https://www.theregister.com/2024/02/07/us_chinas_volt_typhoon_attacks/), and also to use the utilities’ connected devices to [route network traffic](https://www.theregister.com/2025/06/23/lapdog_orb_network_attack_campaign/).

“A lot of folks are like: ‘Why would they care about us? Why wouldn’t they go hack the Washington, DC, utility?’ Well, they are hacking the Washington, DC, water utility, but they’re also looking at these little guys too, because a lot of them support military installations or important hospitals. So at first it was just kind of explaining the nature of the threat, and despite the fact that they might be a tiny water utility, the Chinese government might actually still be after them,” Braun said.

### Water (in)security

Initially, the plan was to work with five water utilities, test out the program, learn what works and what doesn’t, and then expand to more facilities after DEF CON.

“We were hoping hundreds,” Braun said.
“But then with the increased attacks from [China](https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/) and [Iran](https://www.theregister.com/2025/06/23/iran_cyberattacks_against_us/), and [federal funding being cut](https://www.theregister.com/2025/04/22/top_cisa_officials_jump_ship/) for the Multi-State Information Sharing and Analysis Center ([MS-ISAC](https://www.cisecurity.org/ms-isac)) and EPA, we don’t have time to just naturally evolve into something bigger because there’s 50,000 water utilities in the country.”

So the Franklin project and its partners (DEF CON, the National Rural Water Association, Cyber Resilience Corps, Aspen Digital, the American Water Works Association, Cyber Solarium 2.0, Red Queen Security, and UnDisruptable27) decided it was time to turbo scale.

They are able to do this while keeping the technology and services available at no cost, thanks to contributions from Craig Newmark Philanthropies and vendors like Dragos, which provides [free access](https://www.dragos.com/community/community-defense-program/) to its OT cybersecurity tools to US and Canada-based water, electric, and natural gas providers with less than $100 million in annual revenue.

* [Volunteer DEF CON hackers dive into America’s leaky water infrastructure](https://www.theregister.com/2024/11/24/water_defcon_hacker/)
* [DEF CON Franklin project enlists hackers to harden critical infrastructure](https://www.theregister.com/2024/08/12/def_con_franklin_project_hopes_hackers/)
* [US warns Iranian terrorist crew broke into ‘multiple’ US water facilities](https://www.theregister.com/2023/12/04/iran_terrorist_us_water_attacks/)
* [Funding for program to stop next Stuxnet from hitting US expired Sunday](https://www.theregister.com/2025/07/22/lapsed_cisa_funding_cybersentry/)

“Our volunteers are now working with companies like Dragos to figure out what tools are most applicable to water, which ones are free and are not freemium, because we don’t want to stick these
utilities with some tech that all of a sudden they need to pay for six months from now,” Braun said. “And then we’re figuring out how we can put together a suite of these free tools to deploy to water utilities quickly so that we can start doing thousands, not onesies and twosies.”

Braun wouldn’t say too much about the types of threats that the volunteers saw or thwarted during the past nine months, but he did describe one small victory: A water facility manager called the infosec expert he had been working with after receiving an email containing a malicious link. The water manager didn’t click on the link because the Franklin volunteer had recently warned him about phishing attacks.

“With water utilities, 99 percent of them maybe have an IT guy. None of them have a cyberperson. And most of their ‘IT guys’ — I’m doing air quotes — is also the operations manager,” Braun said. “They’re all broke because they’re user-funded and rate hikes are incredibly unpopular. So many of these are small communities. So it’s our merry band of volunteers or nothing.
That’s the option for these folks.” ®
Related Tags:
DEV-0391
UNC3236
Voltzite
Vanguard Panda
NAICS: 54 – Professional, Scientific, Technical Services
NAICS: 541 – Professional, Scientific, Technical Services
NAICS: 221 – Utilities
NAICS: 92 – Public Administration
NAICS: 22 – Utilities