Hackers connected to DEF CON expose and fix vulnerabilities in American water facilities, as they confront a deluge of cyber threats against critical infrastructure.

Expansion of pilot projects is merely the beginning; it's now crucial to significantly increase the scale

The DEF CON Franklin project, launched last year at the DEF CON conference, is scaling up its efforts to safeguard thousands of U.S. water systems across the nation. Originally focused on five water utilities in Indiana, Oregon, Utah, and Vermont, the project has expanded its reach thanks to partnerships with key organisations such as the National Rural Water Association (NRWA), Cyber Resilience Corps, Aspen Digital, and industry leaders [1][2][3].

The expansion of DEF CON Franklin includes a broader geographic reach, aiming to protect small and cash-strapped water utilities that are persistently threatened by state-sponsored actors like China and Iran [1]. The project is also collaborating with NRWA and cybersecurity firms to combine volunteer expertise with free or reduced-cost technology resources, mirroring a managed security service provider (MSSP) model but with multiple companies contributing tools and services [3].

Volunteer cybersecurity professionals are at the heart of DEF CON Franklin, offering advice, assessments, and resilience-building in a no-cost, no-mandate, no-red-tape framework [1][3][4]. Recognising the critical vulnerabilities in Internet of Things (IoT) and industrial control systems within water infrastructure, the project focuses on proper security controls bridging IT and OT environments [4].

DEF CON Franklin is also developing free cybersecurity toolkits and services from partners such as Dragos to bolster the security posture of water utilities, helping them overcome resource constraints and technical gaps [3][5]. In one of the project's recent successes, a water facility manager avoided clicking on a malicious link because of a prior warning about phishing attacks [5].

The project is working with water utilities in small communities, which often face opposition to rate hikes. With limited IT resources, many facilities have no dedicated cybersecurity personnel [6]. To address this, DEF CON Franklin is assisting with cybersecurity basics, such as changing default passwords, turning on multi-factor authentication, asset inventories, operational technology (OT) assessments, network mapping, and scanning [7].

Craig Newmark Philanthropies and vendors like Dragos are providing financial support and free access to OT cybersecurity tools for smaller water, electric, and natural gas providers [8]. As DEF CON Franklin plans to grow massively before the end of the year, it aims to work with thousands of water systems across the country [9].

However, the Chinese government's Volt Typhoon hacking group has already breached hundreds of utilities, including water systems in small municipalities, using connected devices to route network traffic [10]. With the Chinese government potentially still interested in hacking small water utilities that support military installations or important hospitals, the need for DEF CON Franklin's services is more pressing than ever [10].

Partners such as the American Water Works Association, Cyber Solarium 2.0, Red Queen Security, and UnDisruptable27 are also supporting DEF CON Franklin in its mission to provide essential cybersecurity services to water utilities that are often underfunded and unable to afford such services [2]. As the project continues to grow and evolve, it remains committed to protecting the nation's water infrastructure from cyber threats.

References:

[1] https://www.wired.com/story/def-con-franklin-cybersecurity-water-utilities/
[2] https://www.cyberscoop.com/def-con-franklin-project-cybersecurity-water-utilities/
[3] https://www.cybersecuritydive.com/news/def-con-franklin-project-scales-up-to-protect-thousands-of-us-water-systems/602865/
[4] https://www.securityweek.com/def-con-franklin-project-focuses-ot-security-water-utilities
[5] https://www.cybersecurityintelligence.com/news/def-con-franklin-project-helps-water-facility-manager-avoid-phishing-attack/
[6] https://www.cyberscoop.com/def-con-franklin-cybersecurity-water-utilities/
[7] https://www.securityweek.com/def-con-franklin-project-focuses-ot-security-water-utilities
[8] https://www.cybersecuritydive.com/news/def-con-franklin-project-scales-up-to-protect-thousands-of-us-water-systems/602865/
[9] https://www.securityweek.com/def-con-franklin-project-focuses-ot-security-water-utilities
[10] https://www.wired.com/story/def-con-franklin-cybersecurity-water-utilities/

  1. The expansion of DEF CON Franklin, a project dedicated to safeguarding U.S. water systems, involves collaborating with organizations like the National Rural Water Association (NRWA) and Cyber Resilience Corps in an attempt to protect small, cash-strapped water utilities that are frequently targeted by state-sponsored actors.
  2. Recognizing the critical vulnerabilities in Internet of Things (IoT) and industrial control systems within water infrastructure, DEF CON Franklin focuses on providing free cybersecurity toolkits and services to help water utilities improve their security posture, overcome resource constraints, and address technical gaps.
  3. To assist water utilities with limited IT resources and no dedicated cybersecurity personnel, DEF CON Franklin offers guidance on cybersecurity basics, such as changing default passwords, turning on multi-factor authentication, asset inventories, operational technology (OT) assessments, network mapping, and scanning.
  4. As DEF CON Franklin works to protect thousands of water systems across the nation, it faces challenges from state-sponsored actors like China and Iran, who have already breached hundreds of utilities, including small municipalities, using connected devices to route network traffic.
