Flushable wipes and Iran: Water treatment facility adds cyberattacks to worry list

Chris Hughes, assistant water and wastewater operator for the towns of Cavendish and Proctorsville in Vermont, deals with the effects of a power outage at a drinking water facility.
Claire Harbage / NPR

In a small town in southern Vermont, not far from the lauded ski slopes of Okemo, there's water gushing out of the back of a treatment facility.

For Chris Hughes, the assistant water and wastewater operator for the towns of Cavendish and Proctorsville, it's just another problem and another day on the job. This time, he's pretty sure a lightning strike disrupted the water treatment process. Other times, it's a build-up of iron in the system, a missing manhole cover, or an influx of "flushable" wipes, which he says routinely gum up the system. "I haven't had a lot of jobs, but it is by far the most interesting job that I've ever had," he told NPR during a tour of the facilities. "And so you have to … you have to like it. You have to kind of care."

Hughes is a master at fixing whatever's broken. But now, he's facing a new threat: hackers burrowing into the system and wreaking havoc.

It's not a fantasy or some far-off possibility; it's already happening all over the United States.

Iranian hackers infiltrated computer systems at a water treatment plant in Aliquippa, Pa., to display anti-Israel messages in November of 2023.

In December 2023, the Municipal Water Authority of Aliquippa, Pa., was one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made, U.S. and Israeli authorities say.
Gene J Puskar / AP

A water system overflowed in rural Muleshoe, Texas, in January of 2024, an attack that's been linked to Russian hacktivists.

And across the country in recent years, U.S. officials say, Chinese hackers have burrowed deep inside American critical infrastructure, including its water systems, in order to prepare for a potential future conflict with the United States.

Those are just a few examples of what the U.S. Environmental Protection Agency has labeled a growing problem, concluding that "cyberattacks against [community water systems]" are "increasing in frequency and severity across the country."

Now, as the threat grows, Hughes and the towns he represents are participating in a pilot program pairing the people who run American critical infrastructure with volunteers who know how to secure it.

They've got a difficult task ahead of them.

Hughes is concerned about possible cyber attacks that could affect the water system.
Claire Harbage / NPR

Hackers might have hesitated in the past to intentionally disrupt the systems that underpin American society, fearing retaliation or escalation. But after years of minimal consequences and hefty financial rewards, hackers have increasingly targeted critical infrastructure, understanding that holding these systems hostage gives them unique leverage in achieving their goals — whether that's spreading fear, wreaking havoc, pushing for certain geopolitical aims or simply making money.

Meanwhile, water and wastewater operators at over 50,000 public water systems across the United States are already burdened by the complex, technical and constantly changing job of making sure their cities and towns are supplied with clean water. They have unique needs and extremely limited resources. Their systems are antiquated, while long-awaited technological updates could introduce even more new digital vulnerabilities. Plus, those threats are ramping up at a time when experts fear the Trump administration will continue slashing federal funding for cybersecurity.

"It's scary that I'm the only door between, you know, the Iranians, and our water system," said Hughes.

"It kind of makes me a little nervous. I don't really have the background to be fending off foreign entities, you know ... and so it makes me think a little bit, what could happen?" Hughes said.

Hughes walks near where water is discharged into the Black River.
Claire Harbage / NPR

Project Franklin

Hughes is participating in a new project created by some of the biggest players in cybersecurity, including volunteers from the massive DEF CON hacker conference hosted annually in Las Vegas as well as from the University of Chicago Harris School of Public Policy and the Craig Newmark Foundation.

It's called Project Franklin, named after U.S. founding father Benjamin Franklin, and the goal is to link experts from the DEF CON community, close to 30,000 hackers in total, with the people who run U.S. critical infrastructure.

It's one of a growing number of grassroots efforts currently focused on finding ways to secure the sprawling, complex network of infrastructure across the United States, from hospitals and schools to dams and electric grids. Some companies are donating time and technology, while other nonprofits are delivering expertise and assistance. For many sectors, the challenge is first increasing awareness of the growing digital threat, before applying basic principles to stop many of the most common kinds of cyberattacks — then crafting solutions that could help defend these networks from more sophisticated actors on a massive scale.

The architects of Project Franklin, former White House Acting Principal Deputy National Cyber Director Jake Braun and DEF CON founder Jeff Moss, first set their sights on water — partnering with the National Rural Water Association.

"After I left the Biden administration, there was a new huge problem, which was the Chinese hacking our water utilities to pre-position malware in the case of a conflict over Taiwan, so that they can shut off the water in cities all over the country," explained Braun. He's referring to the threat posed by a Chinese group U.S. officials call Volt Typhoon, which has been notoriously active and difficult to detect.

The hope is that volunteers, many of whom have had long careers in government cybersecurity or intelligence or in large corporations, will be able to start a conversation with the people managing the critical machines that power American society. A new component of Project Franklin will also see tools donated by top cybersecurity companies like Cloudflare and Dragos, in an attempt to scale resources to make meaningful security improvements across the country.

"We talk to folks, and they're like wait, why would anybody want to hack us?" Braun explains. "But I think all the news about water utilities being hacked, they're coming around pretty quick."

On the ground in Cavendish

The exterior of the water treatment facility in Cavendish.
Claire Harbage / NPR

There are just two men tasked with operating the water and wastewater treatment plants that service Cavendish and Proctorsville, Vt. The operations are fairly straightforward: removing contaminants from wastewater and treating it with chlorine, running it through lagoons where bacteria continue to remove waste, and returning it to the Black River, while removing elements like iron from drinking water before pumping it into nearby homes. A tour of both facilities reveals the basic components involved, from pumps that maintain water pressure to sand at the bottom of massive barrels that helps sift iron out of the water.

There's a lot, however, that can go wrong. "It entails a lot of different jobs within the one," explained Hughes. "Our day can be anything and everything. Just yesterday I spent the better part of the day wading through five foot tall grass looking for a manhole cover that opens and leads to a valve pit where one of our water control valves is," he said. "It's a lot of math, a lot of science. It's also a physical job," he continued.

In this area of Vermont, things look pretty similar to how they did when these facilities were first built after the U.S. government passed the Clean Water Act of 1972, requiring states to address pollution and maintain clean water and wastewater, while protecting natural wetlands.

"Everything you see has always been here," Hughes said in the office of the wastewater treatment plant on the side of the road in Cavendish. "Besides adding one of these lagoons, nothing else has changed," pointing to a small body of water onsite where biological wastewater is treated with bacteria. "This is original from 1975."

This area of Vermont is no stranger to disaster. Hurricane Irene struck Vermont in the summer of 2011, causing floods that led to destruction and even deaths, including the father and son team managing water operations in nearby Rutland. "Some people say, well that will never happen again, but disaster can look a lot of different ways," said Hughes. "Maybe we should be thinking about how to prepare."

Hughes is one of the two people tasked with operating the water and wastewater treatment plants that service Cavendish and Proctorsville, Vt.
Claire Harbage / NPR

That could include a digital disaster. "Sometimes I think, what would someone really stoop to," said Hughes. "But it could happen. A lot of things can happen, it's scary."

But Cavendish actually has a kind of headstart. Most of the local systems that control the water treatment processes there, including the technology systems known as SCADA systems, which stands for supervisory control and data acquisition systems, are not connected to the internet. Hughes and his boss have to manage inputs and enter commands manually.

"It's a small town budget, so we just do what we have to do," explains Hughes.

While that requires a lot of on-site attention and diligence, it actually makes Cavendish a good place to start educating people like Hughes about securing his digital systems before everything goes online.

According to Robert Lee, a former NSA veteran who founded Dragos to focus on securing critical infrastructure, many SCADA systems have had connectivity bolted on in recent years without much thought about how that would make those systems more vulnerable to outside manipulation. He testified before the House Homeland Security Committee on threats to the water sector in February 2024.

"A lot of these water sites were historically disconnected and harder to get to," he told NPR. "But as these upgrades are taking place, forced oftentimes on water utilities from vendors … the connectivity that's being pushed and these upgrades mean a lot of our systems that were previously offline are going online … and they're easier to target," he said.

A hydroelectric power station on the Black River in Cavendish is near where treated water from the water treatment facility is discharged. Many of the area's water facilities have only had minor upgrades since the 1970s.
Claire Harbage / NPR

More recently, Lee says his company is seeing bad actors, including well-resourced nation-states, share information with rogue actors in the last year or so, helping criminals and hacktivists cause more damage.

"Because these systems are so critical to towns, these communities will do almost anything to get their water systems back up and running," Lee explained.

Hughes said he looks forward to introducing some automation into his work, including a scanner that will soon allow him to drive past homes and automatically pick up water meter readings rather than stopping at each individual house. "We can't avoid technology, we have to embrace it because it's the way of the future," he said.

But Hughes is walking into that future with clear eyes, thanks in part to a team of experts who have recently assembled to help him with digital threats.

During a tour of the Cavendish water facilities, two independent experts took part: Tim Pappa, a former FBI agent and volunteer for Project Franklin who's been advising Hughes on the basics of digital hygiene and cybercrime, and Forest Anderson, another Vermont water operator who recently started working in a pilot program funded by Congress and run through the U.S. Department of Agriculture and the Office of the National Cyber Director at the White House called the Circuit Rider Program.

Forest Anderson has been traveling across Vermont doing cybersecurity assessments of different systems. Here he stands with some of the devices he's been able to procure and assemble that have the potential to cause cybersecurity issues.
Claire Harbage / NPR

A big part of the expertise Anderson and Pappa bring to Hughes and his work is the ability to think differently: to imagine the kinds of things hackers might do to subvert water operations. While Cavendish may appear small and sleepy, it's a vital New England hub near glitzy ski resorts and major defense contractors, making it a more attractive target for disruption than it might at first appear.

Anderson specifically pointed to the ongoing threat posed by Volt Typhoon, the Chinese nation-state group focused on embedding itself in critical infrastructure in advance of a potential conflict with the United States. Those hackers could take advantage of access to systems they're invading now, to disrupt water flow and cause people to panic across the country and prevent the U.S. military from responding in the event of a conflict like China invading Taiwan, U.S. officials have explained.

"Volt Typhoon is in New England," said Anderson. "Things are happening. I can't talk too much about it, but things are happening in real time. And it'd be really foolish right now to take any sort of funding away for critical infrastructure for cybersecurity." Lee, for his part, confirmed that Dragos is seeing "a lot" of activity tied to what looks like Volt Typhoon, despite the fact that U.S. government officials aren't raising the alarm as frequently in public anymore.

Anderson, though working in a new role, speaks the same language as Hughes when it comes to water operations, dropping terms like 'bug farmers,' which means water operators who cultivate bacteria to clean wastewater.

And they both tense up when thinking about water hammers, a disaster where a pipe explodes because of constantly fluctuating pressure. A bad actor could create a water hammer "by flicking it on and off," explained Anderson. "It could be devastating."

Tim Pappa is a former FBI agent and volunteer for Project Franklin. He has been advising Hughes on the basics of digital hygiene and cybercrime.
Claire Harbage / NPR

"It's like a wave in the ocean traveling in one direction and suddenly stopping and reversing direction all at once," said Hughes. "The water is heavy so it can quickly cause damage … I hadn't thought of that," he said, referring to this nightmarish hacker scenario.

Pappa says he's been on the phone with Hughes since the program started, helping him think through potential scenarios and understand how bad actors think. He doesn't consider himself a technical expert, but he's spent years at the FBI and in the private sector thinking about cybersecurity. He says he believes that Hughes and his story should help inspire other critical infrastructure operators to start taking these concerns seriously, while making bad actors think twice about spending valuable time and resources targeting facilities with an awareness of potential threats.

"I'm sure once people start seeing how you do things here, and the kind of behaviors you model … it's gonna influence them … they're just looking for people like them doing the same kind of things," Pappa said.

While on site in Cavendish, Anderson and Pappa begin implementing basic solutions to protect the systems, from covering up the WiFi password on the router and setting up a password storage management system to installing tools that will help monitor the network and saving backups of vital data in the event of a disaster — whether that's a flood, or some kind of attack.

"Right now is hunting season. We are the six point buck in the field and right now our threat profile is all there," explained Anderson. "We're just hanging out in the field right now. We need to get in the woods. It's a lot harder to hit a target in the woods."

A tank holds a reserve of drinking water in Cavendish.
Claire Harbage / NPR

A global problem

It's not just Vermont, or even the United States, that faces a serious threat from hackers targeting critical infrastructure. More and more, these kinds of attacks are taking place around the world, increasing the urgency of securing these systems as adversaries keep learning how they work and how to take better advantage of them.

Beyond the imminent threat posed by Chinese hackers and Volt Typhoon, Rob Lee of Dragos cites the war in Ukraine as a big driver for choosing to donate the company's tools to infrastructure operators.

Russian hackers have routinely targeted Ukraine's electric grid, while Norwegian police recently accused Russian hackers of sabotaging a dam and causing it to overflow. There's long been concern that Russian hackers would target Western companies and infrastructure in retaliation for supporting Ukraine.

While doomsday scenarios have yet to fully play out, people like Lee see the moment as an opportunity to spread the word. Since Russia invaded Ukraine, Dragos has been offering free cybersecurity services, particularly to critical infrastructure operators who can't afford to pay for protection. They recently teamed up with Project Franklin to help spread the word about what they're offering and make sure the right tools make their way to the people who might someday need them.

"We've been up and running for years," explained Lee. "We just need more people to know about it."

Copyright 2025 NPR

Jenna McLaughlin
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.