Chris Hughes, assistant water and wastewater operator for Cavendish and Proctorsville, Vermont, addresses challenges caused by a power failure at a local drinking water plant.
Claire Harbage/NPR
hide caption
toggle caption
Claire Harbage/NPR
Near the renowned Okemo ski area in southern Vermont lies a modest town where water flows steadily from the back of its treatment plant.
For Chris Hughes, who serves as the assistant operator for water and wastewater in Cavendish and Proctorsville, this is just another routine challenge. Recently, he suspects a lightning strike interfered with the water purification process. Other common issues include iron accumulation, missing manhole covers, or the frequent clogging caused by so-called “flushable” wipes. “Though I haven’t held many jobs, this one is by far the most fascinating,” Hughes shared during a facility walkthrough. “You really have to care about it.”
While Hughes excels at troubleshooting physical problems, a new menace has emerged: cyber intrusions targeting water systems.
This threat is not hypothetical; it is a reality unfolding across the United States.
In November 2023, hackers linked to Iran breached the computer network of a water treatment plant in Aliquippa, Pennsylvania, displaying anti-Israel propaganda.
In December 2023, the Municipal Water Authority of Aliquippa, Pennsylvania, was among several U.S. organizations compromised by Iran-linked hackers targeting Israeli-made industrial control devices, according to U.S. and Israeli officials.
Gene J Puskar/AP
hide caption
toggle caption
Gene J Puskar/AP
In January 2024, a water system in rural Muleshoe, Texas, experienced an overflow linked to cyberattacks attributed to Russian hacktivists.
Moreover, U.S. authorities report that Chinese cyber operatives have deeply infiltrated American critical infrastructure, including water utilities, as part of preparations for potential future conflicts.
The U.S. Environmental Protection Agency has recognized this as an escalating issue, noting that cyberattacks on community water systems are becoming more frequent and severe nationwide.
In response, Hughes and his communities are partaking in a pilot initiative that connects critical infrastructure operators with cybersecurity volunteers.
The challenge ahead is formidable.
Hughes expresses concern over potential cyberattacks targeting the local water infrastructure.
Claire Harbage
hide caption
toggle caption
Claire Harbage
Historically, hackers may have refrained from disrupting essential services due to fears of retaliation or escalation. However, with limited consequences and lucrative payoffs, cybercriminals increasingly target vital infrastructure, leveraging control to instill fear, cause chaos, advance geopolitical agendas, or simply profit.
Meanwhile, operators of over 50,000 public water systems across the U.S. face the daunting task of ensuring safe water delivery amid aging infrastructure and limited budgets. The introduction of new technologies, while necessary, also opens doors to fresh cyber vulnerabilities. This growing threat looms as federal cybersecurity funding faces potential cuts.
“It’s unnerving to realize I might be the only barrier between foreign adversaries and our water supply,” Hughes admitted.
“I don’t have the expertise to fend off international hackers, so it makes me wonder what could happen,” he added.
Hughes walks near the point where treated water is released into the Black River.
Claire Harbage
hide caption
toggle caption
Claire Harbage
Introducing Project Franklin
Hughes is involved in Project Franklin, an initiative spearheaded by cybersecurity leaders including volunteers from the renowned DEF CON hacker conference, the University of Chicago Harris School of Public Policy, and the Craig Newmark Foundation.
Named after Benjamin Franklin, the project aims to connect the vast DEF CON community-comprising nearly 30,000 hackers-with operators of critical U.S. infrastructure.
This grassroots movement is part of a broader effort to safeguard the nation’s complex infrastructure network, spanning hospitals, schools, dams, and power grids. While some corporations contribute technology and expertise, nonprofits focus on raising awareness and implementing foundational cybersecurity measures to defend against both common and advanced cyber threats.
Project Franklin’s founders, including former White House Acting Principal Deputy National Cyber Director Jake Braun and DEF CON founder Jeff Moss, initially concentrated on water systems by partnering with the National Rural Water Association.
“After my tenure in the Biden administration, a significant concern emerged: Chinese hackers infiltrating water utilities to implant malware in preparation for a potential conflict over Taiwan, enabling them to disrupt water supplies nationwide,” Braun explained. This threat is linked to the Chinese group known as Volt Typhoon, notorious for its stealth and persistence.
The initiative hopes that seasoned volunteers-many with backgrounds in government cybersecurity, intelligence, or corporate security-will engage with infrastructure operators to enhance defenses. Additionally, cybersecurity firms like Cloudflare and Dragos are donating tools to help scale protective measures across the country.
“Initially, many operators wonder why anyone would target them,” Braun noted. “But as news of water utility hacks spreads, awareness is growing rapidly.”
On-site in Cavendish
The water treatment plant’s exterior in Cavendish, Vermont.
Claire Harbage/NPR
hide caption
toggle caption
Claire Harbage/NPR
Only two individuals oversee the water and wastewater treatment facilities serving Cavendish and Proctorsville. Their responsibilities include removing pollutants from wastewater, chlorinating it, processing it through lagoons where bacteria further cleanse it, and releasing it back into the Black River. They also filter out iron from drinking water before distribution. A tour reveals essential components such as pumps maintaining pressure and sand beds filtering iron.
However, the job is multifaceted and unpredictable. Hughes recounted, “Yesterday, I spent hours trudging through tall grass searching for a manhole cover that leads to a valve pit controlling water flow.” He emphasized the blend of science, mathematics, and physical labor involved.
The facilities largely remain as they were when constructed following the 1972 Clean Water Act, which mandated pollution control and wetland protection.
“Everything here is original except for the addition of one lagoon,” Hughes noted, pointing to a small onsite pond where bacteria treat wastewater biologically. “This dates back to 1975.”
Vermont has faced natural disasters before, such as Hurricane Irene in 2011, which caused floods and fatalities, including among water operators in nearby Rutland. “Disasters can take many forms,” Hughes reflected. “We need to prepare for all possibilities.”
Hughes is one of two operators managing water and wastewater treatment for Cavendish and Proctorsville.
Claire Harbage
hide caption
toggle caption
Claire Harbage
Hughes admits that the possibility of a cyberattack is unsettling. “I sometimes wonder what lengths someone might go to,” he said. “But it’s a real concern.”
Fortunately, Cavendish’s water control systems, including SCADA (supervisory control and data acquisition) technology, remain offline from the internet. Commands and data inputs are handled manually, a practice born from budget constraints but one that currently offers a layer of protection.
“With limited funds, we do what’s necessary,” Hughes explained.
This offline status provides an ideal environment to educate operators like Hughes on cybersecurity before systems become fully connected.
Robert Lee, a former NSA expert and founder of Dragos, highlighted that many SCADA systems have recently been connected to networks without sufficient security considerations. He testified before the House Homeland Security Committee in February 2024 about the water sector’s vulnerabilities.
“Historically, many water sites were isolated and difficult to access,” Lee said. “But as upgrades push connectivity, these systems become easier targets.”
A hydroelectric plant on the Black River near where treated water is discharged. Many local water facilities have seen only minor updates since the 1970s.
Claire Harbage
hide caption
toggle caption
Claire Harbage
Lee also noted that nation-state actors are increasingly sharing hacking techniques with criminal groups, amplifying the damage caused by cyberattacks.
“Communities rely heavily on their water systems and will do anything to restore them quickly,” Lee said.
Hughes is eager to adopt new technologies, such as a scanner that will automate water meter readings by driving past homes instead of stopping at each one. “Technology is inevitable; we must embrace it,” he said.
Yet, he approaches this future cautiously, supported by a team of cybersecurity specialists.
During a recent visit to Cavendish’s water facilities, two experts joined Hughes: Tim Pappa, a former FBI agent volunteering with Project Franklin, who advises on cyber hygiene and crime prevention; and Forest Anderson, a Vermont water operator involved in a pilot program funded by Congress and managed by the U.S. Department of Agriculture and the White House’s Office of the National Cyber Director, known as the Circuit Rider Program.
Forest Anderson travels Vermont assessing cybersecurity risks in water systems, shown here with devices that could pose security challenges.
Claire Harbage
hide caption
toggle caption
Claire Harbage
Anderson and Pappa bring a fresh perspective, helping Hughes anticipate hacker tactics that could undermine water operations. Though Cavendish seems tranquil, its proximity to ski resorts and defense contractors makes it a more enticing target than it appears.
Anderson highlighted the persistent threat from Volt Typhoon, the Chinese cyber group embedding itself in critical infrastructure ahead of possible conflict scenarios. These hackers could manipulate water flow to incite panic and hinder military responses, especially if tensions escalate over Taiwan.
“Volt Typhoon is active in New England,” Anderson warned. “Things are unfolding in real time. Cutting cybersecurity funding now would be reckless.” Lee confirmed Dragos continues to observe significant activity linked to this group, despite less public alarm from officials.
Anderson, fluent in water operations jargon, and Hughes both express concern over “water hammer” events-pipe bursts caused by sudden pressure changes. A hacker could trigger such damage by repeatedly toggling water flow.
Tim Pappa, former FBI agent and Project Franklin volunteer, provides guidance on digital hygiene and cybercrime prevention.
Claire Harbage
hide caption
toggle caption
Claire Harbage
“It’s like an ocean wave suddenly reversing direction, causing rapid and destructive pressure,” Hughes explained, reflecting on this alarming cyber sabotage possibility.
Pappa, though not a technical specialist, has extensive experience in cybersecurity from his FBI and private sector work. He has been mentoring Hughes since the program’s inception, helping him understand hacker mindsets and potential attack scenarios. Pappa hopes Hughes’s example will motivate other infrastructure operators to prioritize cybersecurity and deter attackers by raising awareness.
“Once others see how things are done here, they’ll be inspired to adopt similar practices,” Pappa said. “Attackers will think twice if they know operators are vigilant.”
On-site, Anderson and Pappa have begun implementing straightforward security measures: hiding WiFi passwords, establishing password management systems, installing network monitoring tools, and backing up critical data to prepare for disasters-whether natural or malicious.
“Right now, we’re exposed like a deer in the open field,” Anderson remarked. “We need to get into the woods-make ourselves harder targets.”
A large tank stores a reserve of drinking water in the woods near Cavendish.
Claire Harbage/NPR
hide caption
toggle caption
Claire Harbage/NPR
A Worldwide Challenge
The threat of cyberattacks on critical infrastructure extends far beyond Vermont or the United States. Globally, such incidents are increasing, underscoring the urgent need to fortify these essential systems as adversaries refine their tactics.
In addition to the Chinese threat, Rob Lee of Dragos points to the ongoing conflict in Ukraine as a catalyst for heightened cybersecurity efforts.
Russian hackers have repeatedly targeted Ukraine’s power grid, and Norwegian authorities recently accused Russian operatives of sabotaging a dam, causing flooding. Concerns persist that Russia might retaliate against Western infrastructure for support given to Ukraine.
While catastrophic scenarios have yet to fully materialize, Lee views this moment as an opportunity to raise awareness. Since the invasion of Ukraine, Dragos has provided free cybersecurity services to critical infrastructure operators unable to afford protection. The company recently partnered with Project Franklin to promote these resources and ensure they reach those in need.
“We’ve been operational for years,” Lee said. “Now, we just need more people to know about us.”
