Cybersecurity volunteers, identified as hackers, prepare to offer assistance to water utility companies.
In an era where the vulnerability of medium to small municipal water systems to hacking is increasingly evident, a community-driven cybersecurity protection initiative is making waves. This initiative brings together ethical "white-hat" hacker volunteers, collaborating with water utilities to identify and fix cybersecurity vulnerabilities in smaller and medium-sized water systems.
The collaboration involves experts from hacker communities such as DEF CON, academia, industry, and philanthropy, providing tailored cybersecurity support to the water sector. The goal is to protect drinking water, public health, and national resilience from cyber threats.
Simultaneously, New York State has launched a significant cybersecurity protection program. This program combines enforceable regulations and a $2.5 million grant program to help public water systems adopt robust cybersecurity measures. The regulations target public water systems serving more than 3,300 residents, with compliance required starting January 2027 for mid-sized systems (3,300-50,000 people).
The New York’s Cybersecurity Regulations, proposed by the Department of Health and Environmental Conservation, require water systems to conduct vulnerability analyses, incident reporting within 24 hours, cybersecurity training for staff, and appoint senior cybersecurity executives for larger systems.
The grant program, administered by the Environmental Facilities Corporation (EFC), aims to offset costs like risk assessments and technical safeguards, helping utilities, especially under-resourced ones, modernize their defenses against increasingly sophisticated cyberattacks.
The National Rural Water Association is also partnering with DEF CON Franklin, Cyber Resilience Corps, Aspen Digital, the American Water Works Association, and UnDisruptable27 to provide cybersecurity support to small and medium municipal water systems. Jake Braun, co-founder of the DEF CON hacker convention, stated that this initiative brings together top minds from DEF CON, academia, industry, and philanthropy to provide support for the water sector.
The program has already deployed teams in Indiana, Oregon, Utah, and Vermont to offer no-cost support on network mapping, password protocols, and OT assessments. In November 2023, hackers with ties to the Iranian government hacked into the Municipal Water Authority of Aliquippa in Pennsylvania, underscoring the need for such initiatives.
Matt Holmes, the CEO of the National Rural Water Association, stated that this partnership is crucial for communities that need world-class cybersecurity expertise, especially the "little guys" who may not have the resources to protect themselves. The announcement was made at DEF CON 2025 in Las Vegas, an annual conference that brings together cybersecurity professionals from around the world.
Experts have warned that an attack on a water utility facility could have devastating consequences, including shutting off access to water, creating a chemical imbalance in the water, and potentially poisoning people. The volunteers, who are ethical hackers, run through vulnerabilities in an effort to strengthen the cybersecurity system.
This multi-pronged approach, combining regulation, funded support, and expert volunteer involvement, is set to deploy progressively, with New York’s compliance deadlines beginning January 2027 and ongoing engagement from hacker volunteers ramping up from 2025 onward. Leading figures like Senator Kirsten Gillibrand emphasize that safeguarding water infrastructure against cyber threats is a critical national security concern, with these state and community-driven efforts aiming to fill existing protection gaps in smaller utilities often lacking required resources. The group has plans for more deployments in the future.
- The collaboration between ethical hackers, such as those from DEF CON, and water utilities aims to protect public health and national resilience by providing tailored cybersecurity support to smaller and medium-sized water systems.
- In an effort to fill existing protection gaps, the National Rural Water Association, along with several partners, is deploying teams of ethical hackers to offer no-cost support on network mapping, password protocols, and OT assessments to small and medium municipal water systems nationwide.
