Credit: Rob Donnelly

Chris Hughes knows it might be a bit paranoid to worry that he could be hit with a ransom demand or targeted by foreign governments seeking to weaken the U.S. ahead of potential armed conflict.

After all, he runs the water and wastewater treatment plants in a small southern Vermont town — not exactly Fort Knox or the Pentagon. “Why would anybody in China care about Cavendish, right?” Hughes asked.

And yet Hughes has no choice but to take such matters seriously these days. Recent cyberattacks on critical U.S. infrastructure, including water facilities, have demonstrated the lengths that hackers will go to wreak havoc on American society.

Luckily for Hughes, and for the hundreds of people in Cavendish who rely on his plant for safe drinking water, a former Federal Bureau of Investigation agent has been helping him shore up his cyber defenses.

The unlikely pairing is the result of a grassroots initiative spawned by some of the nation’s foremost experts on cybersecurity. It’s known as Project Franklin, and it aims to connect the people in charge of vital U.S. infrastructure with those who know how to protect it.

Project Franklin’s first goal is to help safeguard America’s 50,000 water and wastewater facilities, because “having clean water and available water is central to human existence,” Jake Braun, a former White House official, told Seven Days.

Braun, executive director of the Cyber Policy Initiative at the University of Chicago, created Project Franklin with Jeff Moss, who’s best known for founding the massive annual Las Vegas hacking convention known as DEF CON. The project has drawn volunteers from across the country and receives funding from Craig Newmark Philanthropies that will allow it to be a free service in perpetuity, Braun said.

The goal is for the volunteers — many of whom have spent careers working in cybersecurity at the U.S. Department of Homeland Security, Microsoft, Amazon and elsewhere — to help water operators better understand their cyber vulnerabilities, then suggest ways to reduce risks.

It’s the equivalent of a homeowner “turning the lights on, putting dead bolts in the door and having a little sign outside that says ‘Watched by ADP security,’” Braun said. “It won’t make you impenetrable. But you may make it hard enough that the bad guys will just say, ‘Forget it.’”

America’s water infrastructure has until now been an easy target, in part because so many systems have increased their reliance on technology without giving much thought to how susceptible it makes them to hacks. Cyberattackers in recent years have infiltrated American Water, the nation’s largest publicly traded utility; taken credit for a water system overflow in rural Texas; and burrowed into the control systems of a Massachusetts water system, where they remained undetected for months.

The rising wave of cybercrime prompted the U.S. Environmental Protection Agency to issue a warning last year that 70 percent of inspected water systems were not fully complying with new regulations put in place under the Safe Drinking Water Act. The agency cited some “alarming” vulnerabilities: default passwords that had not been updated, a single login for all staff and a failure to revoke access from former employees.

Some water utility hacks have been linked to cybercriminals backed by U.S. geopolitical rivals, such as the state-sponsored Chinese effort dubbed “Volt Typhoon” that the FBI says has compromised more than 200 American utilities, including some small water systems. But the bigger threat at the moment continues to be cybercriminals seeking money, according to Braun, who recalled hundreds of hours spent in the White House Situation Room discussing ransomware attacks during the Biden presidential administration. This form of cybercrime occurs when hackers break into and lock up a computer system until the victim pays for its release.

Small businesses and utilities hit with ransomware have few places to turn for help. Local law enforcement agencies don’t have the technical capabilities to respond to most cybercrimes, while federal authorities are too busy dealing with larger-scale attacks, such as the 2023 hack that brought operations at the University of Vermont Medical Center to a halt for months and cost tens of millions of dollars to resolve. Because water systems are so critical, Braun said, communities will often do whatever it takes to get them back up and running, even if that means paying a large sum.

The most important thing a utility can do, then, is to prevent hackers from getting inside in the first place. That’s where Project Franklin says it can help. Volunteers meet with water operators and suggest ways to strengthen their defenses, from basic best practices, such as changing all default passwords and installing multifactor authentication, to more advanced measures, such as penetration testing, which involves simulating an attack against a computer system to identify its vulnerabilities.

In partnership with the National Rural Water Association, Project Franklin selected five pilot sites last year, including Cavendish, where Hughes is one of only two people in charge of the water and wastewater systems.

The two separate plants contain a maze of pipes, pumps and water barrels. Hughes spends his days balancing the routine — ensuring the correct chemical balances and data entry — with the unexpected, such as service calls to one of the system’s households or investigations of a pump station gone haywire.

“You either love it or you don’t, because it has its challenges,” Hughes said. “Every day is something different.”

Since becoming a water operator about 10 years ago, Hughes, 41, had given little thought to cybersecurity. “I was under the assumption the way our system works, with a plug-in phone line, that we were kind of impervious to problems,” he said. “That’s not entirely the case.” Determined hackers might break into the desktop computer that’s connected to the water plant’s treatment system, which would allow them to stop the flow or alter chemical levels.

Hughes was given the chance to select from a broad pool of volunteer candidates and ultimately landed on Tim Pappa, a former FBI agent who worked as a profiler focused on cyberattackers.

Pappa’s 16 years at the bureau gave him insight into the residual psychological effects that cyberattacks can have on the broader public. He began to suspect that some hacks were carried out to simply prove they could be done. When he left the bureau last year for a job in the private sector, he joined the Project Franklin volunteer pool with a single question on his mind: “If bad actors are trying to make Americans think they’re vulnerable, how can we change that?” he said.

Pappa began meeting virtually with Hughes to learn more about his workflow and existing digital hygiene practices. During an August visit to Cavendish, a town near the Okemo ski resort in southeastern Vermont, Pappa initially drove by the water plant — he hadn’t realized it was at the end of a dirt road.

Hughes has received some additional assistance from Forest Anderson, a former Vermont water operator who now works for the Vermont Rural Water Association. The nonprofit was chosen for a separate government-funded pilot program to help water utilities bolster their cybersecurity efforts, and Anderson has spent the past year traveling around Vermont, visiting dozens of water and wastewater facilities.

The two outside experts have helped Hughes implement changes ranging from covering up the Wi-Fi password on the plant’s router to using digital tools to monitor his network for attacks. Hughes has also learned how to create a mirror of his computer system on a separate hard drive, so that he can quickly revive it in the event of a disaster, natural or otherwise.

He said he better understands how bad actors think, lessons that should help him more safely introduce additional technology into his workflow.

“They’ve opened my eyes to a lot,” Hughes said of Pappa and Anderson.

Braun, the cocreator of Project Franklin, said water operators who participate in the program will receive ongoing support well beyond the initial consultations. He’s also hoping to expand into more states and said he has hundreds of volunteers waiting in the wings. He just has to find places to send them.

“I stupidly thought once we announced this that I’d have 49,000 of the 50,000 water utilities raise their hand and say, ‘Yes, we want free help,’” Braun said. Instead, he said, those who run America’s water systems are much like those in other industries: skeptical of outsiders telling them what to do.

Some operators have come around after recent hacks of nearby water systems. The success of the pilot program has also helped. A water facility from the state of Washington recently called Hughes after hearing about Project Franklin.

“Some simply need some validation from other utilities who can say this has worked for them,” Braun said.

Project Franklin is now working with private companies on free tools utilities can use to make quick cybersecurity improvements. The goal, Braun said, is to reach most, if not all, of America’s water facilities in some form within the next decade.

It’s an ambitious target, but necessarily so, Braun said, “because the threats are real — and imminent.” 

The original print version of this article was headlined “Testing the Waters | Cyberattacks against critical U.S. infrastructure are rising. In tiny Cavendish, volunteers are trying to help.”

Colin Flanders is a staff writer at Seven Days, covering health care, cops and courts. He has won three first-place awards from the Association of Alternative Newsmedia, including Best News Story for “Vermont’s Relapse,” a portrait of the state’s...