Sign in / up

back to article Volunteer DEF CON hackers dive into America's leaky water infrastructure

A plan for hackers to help secure America's critical infrastructure has kicked off with six US water companies signing up to let coders kick the tires of their computer systems and fix any vulnerabilities. Launched at this year's DEF CON, the Franklin project is a scheme to shore up key systems by using the skills of top …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Will Godfrey Silver badge
    Meh

    Curate's Egg

    It's good that the hackers have stepped up to the plate, but a poor commentary on the water authorities. Also there is the risk they may now make even less effort (if that's possible) when they can get the job done for them.

    10 2 Reply
    1. EricB123 Silver badge
      Reply Icon

      Re: Curate's Egg

      Who in their rigjt mind could down vote this, besides a terrorist?

      6 0 Reply
    2. imanidiot Silver badge
      Reply Icon

      Re: Curate's Egg

      No work is done for them. These white-hats can only point out where the weaknesses are and suggest ways they might be mitigated but doing the actual work is still up to the water authorities. It also takes active steps from the water authorities themselves to be willing to step up and listen to find out the problems. It's highly unlikely they'd become MORE complacent as a result of this as they'd have to become active in the first place

      3 1 Reply
      1. phuzz Silver badge
        Reply Icon
        Facepalm

        Re: Curate's Egg

        Unfortunately I do expect a lot of the exchanges to go:

        "You're using device X which is very old and insecure, you should upgrade it"

        "We don't have the budget for that"

        3 0 Reply
  2. jokerscrowbar
    FAIL

    Worked on this problem when they were switching the dams and levies from land-line to 3G control systems. i.e. Less weatherproof and more easily over-ridden.

    No matter what tech they use a simple chemical poison in the tributary or a mortar in the floodgate will render it useless

    As we saw in Texas, they couldn’t figure a way to stop their pumps from freezing when they were pumping HEATING gas. No genius system is idiot-proof.

    4 3 Reply
    1. MachDiamond Silver badge
      Reply Icon

      "No matter what tech they use a simple chemical poison in the tributary or a mortar in the floodgate will render it useless"

      There's a lot more risk to some entity committing an act in-person. Being able to do it from the other side of the world and at the same time coordinate a series of attacks induces more fear. There's also the aspect of the unseen enemy that can't be detected by a load of soldiers stationed around a water source or dam.

      1 0 Reply
  3. IceC0ld

    always thought this was the way to go TBH

    even if there is no fiscal reward, sometimes, just being allowed to get inside infrastructure WITH BLESSINGS is reward enough

    stop sniggering at the back ffs, serious talk going on here :o)

    but anyway, I also couldn't imagine this a few short years back, when EVERYONE with any interest in Cyber Sec was considered a threat

    but also, again, I know, so much vacillation going on :o)

    my mind going over the obvious issues this could give rise to, what if they find a multitude of issues, and give out the fix to MOST, but the ones that look to be 'interesting' are not notified, nor fixed.

    OR

    finds a vuln that isn't on the list, makes a note for future reference, as maybe not all who offer assistance should be trusted

    TL/DR

    whatever the out come, it HAS to be tried, but it also opens up a box that even Pandora would be jealous of :o)

    4 0 Reply
  4. DS999 Silver badge

    Surely those 50,000 water systems

    Aren't all bespoke, so finding a problem in one town's water system likely identifies that same problem in hundreds or thousands of others.

    The question is will to fix it. With voting machines there was finally political will to put some money behind securing the voting machines, something the infosec community had been screaming about until all the ridiculous shortcomings of Diebold hardware was identified in 2004. But since it was owned by a big republican donor, nothing was done despite the comparisons between "they don't do these sorts of things with their ATMs, why should it be OK in voting machines?"

    Unless the federal government makes some funding available for securing local water systems, many of them will decide "why would hackers target our little community of 15,000 in the middle of the nowhere, the people who live here don't want to see their water bill go up to pay for what is essentially insurance that provides no direct benefit to them". I certainly won't hold my breath for Trump's administration to care about this.

    7 0 Reply
    1. jokerscrowbar
      Reply Icon

      Re: Surely those 50,000 water systems

      Over a thousand separate IT systems running their own protocols and roughly 3% of them are still running windows 7 secured by whatever was pre-installed when they bought it. I’m only half joking.

      7 0 Reply
  5. hayzoos

    On The Internet

    Are all these 50,000 systems on the Internet? I think some may be so "antiquated" that they are not. Yet they are still able to supply water. They may have other problems, but cybersecurity would hardly need considered.

    Antiquated in quotes is because that is a viewpoint from some, and that is part of the problem. Modern does not require everything to be connected. If the only tool you have is a chainsaw, it doesn't mean you use it to hammer in screws.

    1 0 Reply
    1. MachDiamond Silver badge
      Reply Icon

      Re: On The Internet

      "Are all these 50,000 systems on the Internet? I think some may be so "antiquated" that they are not."

      The smallest ones won't be, but it's almost a guarantee that some executive wants instant access from his laptop/mobile or an accountant has worked out how much cheaper it would be to do things in a less secure way. In both examples, I highly doubt they'll solicit any input from IT other than an estimate on how long it will take to implement.

      0 0 Reply
  6. Guy de Loimbard Silver badge
    Meh

    In my experience, water companies tend to be incredibly reactionary and less visionary when it comes to Cyber Security.

    You only have to see the apathy applied to Sewage spills (Storm Overflows) in the UK industry, to realise something with that level of impact isn't being addressed to realise that's pretty much the approach to anything that could impact the bottom line!

    It will be dealt with when the regulator is at the gates threatening action.

    3 1 Reply
    1. MachDiamond Silver badge
      Reply Icon

      "It will be dealt with when the regulator is at the gates threatening action."

      Even in that case, it's often one government agency sanctioning another government agency. Who at those agencies is worried about that?

      2 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like