Waterbury joins program to defend water systems from cyber attacks

January 31, 2025  |  By Sandy Yusen  |  Correspondent

Waterbury has signed on to be one of the first municipalities in the country to participate — at no cost — in a program to bolster the cybersecurity of its water and wastewater systems to defend against malicious cyber attacks. 

The program is called DEF CON Franklin and it’s a collaboration between the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative and DEF CON, the world’s largest convention of technologists and the National Rural Water Association. The project is named after Benjamin Franklin who, among his many accomplishments, co-founded the first all-volunteer fire department in the United States.

DEF CON Franklin launched in August at the organization’s conference in Las Vegas, which attracts more than 30,000 annually. It has assembled a volunteer army of professional cybersecurity experts from among its attendees and it is matching them with communities at high risk from cyber threats. 

The volunteers will focus on work in two sectors — water and wastewater systems, and K-12 school systems. Organizers explain that in small communities, these sectors often lack staff to provide oversight to computer systems and keep pace with rapidly changing technology and upgrades, so they can be an easy target for hackers to infiltrate. By using volunteers, the program can be offered for free to participating municipalities. 

Paul Chang, program director of the Harris Cyber Policy Initiative, describes the volunteers as “enthusiasts” from all sectors of the technology industry, including owners of cybersecurity firms, corporate IT staff, and Ph.D. candidates. They share a mission to contribute their expertise to help solve technology problems and aim to help participating communities by sharing best practices, making recommendations, and providing technology support to protect against cyber attacks, Chang said. 

Waterbury fits the bill

Waterbury’s Edward Farrar Utility District, which owns and operates the municipal water and wastewater systems, is one of just six utilities chosen for the project’s first cohort from the roughly 50,000 community water and wastewater facilities across the country. According to Chang, the project’s other participants include a second not-specified Vermont location and systems in Utah, Indiana and Oregon, Chang said. 

Waterbury’s Director of Public Works Bill Woodruff said he was approached last fall by his contact at the Vermont Rural Water Association about the opportunity to participate in this program. 

Woodruff explained that the Vermont organization thought Waterbury fit the “sweet spot” for the program based on its size and the level of technological sophistication at the water and wastewater plants. The EFUD utility district serves a population of approximately 6,000 customers in downtown Waterbury, sections of Waterbury Center, and low-lying areas of Duxbury and Moretown, Woodruff noted. The area includes the Vermont State Office Complex and two local schools. The wastewater system is smaller, covering about two-thirds of the water system’s footprint, Woodruff said.

“We have enough technology but we’re also probably one of those systems who they’re thinking perhaps doesn’t have the safeguards built in that a big system would have,” Woodruff said. EFUD’s small staff of water and wastewater operators does not include a dedicated IT person — the team relies instead on an outside contractor for technology support, he explained.

Woodruff said the Vermont Rural Water Association contact was Brad Roy, who previously worked as a water operator in Waterbury. That experience prompted him to recommend Waterbury as a good match for the program.

“Knowing that it’s something that could be done for free, that perhaps the community could benefit, he’s thinking it would be great if Waterbury could take advantage of this and it could be a win-win for everybody,” Woodruff said.

Woodruff said he believes the timing is right for shoring up Waterbury’s cyber expertise. He has seen dramatic change over his years working in the water treatment industry. “Thirty-five years ago, the water operators wouldn’t access the treatment facilities remotely for any reason,” he said. “The water operators went to the site, they did their thing there. The most important thing was that you locked the doors and kept things secure that way.” 

Now with advances in technology and the shift to working remotely during the COVID-19 pandemic, Woodruff said it’s more common for operators to access systems remotely, which can create technology challenges.

Before signing on to the program, Woodruff read about a cyber attack on a water utility in Florida in which a hacker changed a pump setting for a chemical additive. While the issue was caught before it became a public health hazard, it was a wake-up call for Woodruff because Waterbury uses similar technology. “That hacker could have just as easily picked Waterbury,” he said.

Once Woodruff agreed to participate in DEF CON Franklin, his first step was to select a volunteer partner. “They send out profiles of potential hackers for us to look at their resumes and their credentials and choose who to work with to potentially look into our system,” Woodruff explained. 

The team chose a partner who has since met with Waterbury’s water and wastewater teams on site. “Two weeks ago we had the introductory meeting with the person who will be our hacker,” Woodruff said. “He starts with the introduction of what he knows, our guys tell them what they know, and now we’re going to start moving forward to see where we go.”

From there, the volunteer partner starts the assessment. “They’re going to get the easy things, the passwords, the multi-factor authentication, to see how vulnerable we are there,” Woodruff said. “Then they keep working down in kind of a tiered approach.” 

Chang describes the volunteer work as multi-faceted, customized to the needs of the municipality. The volunteers typically perform an initial assessment, identify areas to address, and make recommendations to secure critical parts of the system. The work may also involve “penetration testing” by the volunteers, who pretend to be bad actors and try to hack into the system. 

Woodruff said he’s eager to see what the effort finds. “I’d love it if they came back and said you guys have been doing great, and we couldn’t get anywhere,” he said. ”I don’t anticipate that happening. I’m honestly hoping they’re going to find something and say there’s a few weaknesses here. This is what you need to do with these recommendations.”

There isn’t a set timeline for when the results are delivered, but Woodruff said he expects it won’t take very long. “They seemed very anxious to get moving. I think this sort of thing excites them, gives them a challenge and they feel like they want to run with it.”

While there is no cost to participate in the program, Woodruff believes the resulting recommendations can help establish a case for future budget allocations for needed, and often expensive, upgrades to the town’s technology infrastructure. “As we move forward, it’s nice to be able to point to our board of directors or our customers and say, hey we’re really vulnerable here, ’x’ number of dollars really need to go in the budget to help cybersecurity, to harden our position so that we’re safe.”

Woodruff explains that it’s important to make this case, because in the past, Waterbury’s financial resources for water and wastewater have been allocated to improvements in physical infrastructure, like replacing water and wastewater lines. While critical, a bolstered cybersecurity presence may not be as noticeable to customers.

A crucial time for cyber protection

Chang said the DEF CON Franklin program and the assistance it provides comes at an especially critical time for public utilities as the U.S. faces increased cyber threats. He describes the myriad of ways that bad actors can wreak havoc on water systems and cause significant public health issues — from “spoofing” sensors that affect chemical additives, to changing alarm settings, to shutting off the flow of water altogether. 

Chang warns that infrastructure threats can arise not just from independent bad actors, but also global adversaries. The project’s press release describes a Chinese-linked cyber threat known to U.S. officials as Volt Typhoon, which has already compromised technology in critical infrastructure across the country. Experts believe that Volt Typhoon is an adversarial strategy to infiltrate U.S. IT infrastructure in anticipation of launching cyberattacks in the event of geopolitical conflict. 

“What they’re doing is burrowing into this infrastructure so that when the time comes in the event of a conflict they would be able to paralyze our networks from within. So it’s a pre-positioning effort,” Chang said. 

Last spring, the federal Environmental Protection Agency issued an enforcement alert urging water utilities to take action to protect the drinking water of their communities, warning of the increased frequency and severity of cyberattacks. In October, American Water, the country’s largest water utility, was targeted in a cyber attack that impacted its 14 million customers across 14 states. Other attacks on water systems have occurred in Texas, Pennsylvania, Maine and other states. 

Fortunately, Waterbury has not yet been the victim of a cyber attack, although Woodruff admits, “Who’s to say that they haven’t targeted us and been unsuccessful? You don’t know. We have a lot of fail-safes built in but it’s not to say they don’t know that as well…there’s ways to get around those things and it becomes a huge public health issue,” he said. 

One of the deliverables Woodruff is hoping for from the project is an incident response plan if a cyber attack does take place. Chang noted that in considering cyber threats, the public may not consider water systems as a high vulnerability. “A lot of people think about hospitals or banks being hacked but when you get to the deeper root of what’s happening here, it’s really everything at stake – traffic lights, your energy, water – you name it, everything you need to get by,” he said.

Chang hopes that Waterbury’s early involvement in the program can serve as a successful model to encourage more communities to sign on in the future. 

“Bill and all the other guys at the Public Works Department have been really gracious and have been able to have the foresight to be one of the first in the nation to take part in this,” he said. “Our hope is obviously to really get these six up and going as a beacon of success, and then through that and great coverage we’ll be able to build through word of mouth.”

Woodruff wants residents to see this initiative as a way to safeguard the town’s water systems for the future. He cites Waterbury’s long success in ensuring a reliable water supply, and its strong track record of addressing infrastructure shortcomings. “Over the last 30 years we have replaced almost every pipe in town,” he pointed out. 

“Right now I feel our systems are extremely safe,” he stressed. “Providing safe, potable water is job-one for us – has been for years. And while we have built a treatment plant to guarantee that bacteria and coliform form aren’t in your water, we’ve now deemed there are other safeguards that have to happen that weren’t necessarily threats 30 years ago or even 100 years ago. It’s just the latest threat.”