Jake Braun is executive director of the Cyber Policy Initiative at the University of Chicago Harris School of Public Policy, co-founder of the DEF CON Franklin cybersecurity initiative and a former White House adviser on cybersecurity.
No matter what becomes of the Iran war ceasefire, another form of warfare waged by Tehran against the United States is almost certain to continue: cyberattacks on the water supply.
The U.S. Cybersecurity and Infrastructure Security Agency warned on Tuesday that last month a U.S. water facility was hit with more than 1,900 hacking attempts from around the world, with Iran the principal source of the attacks.
While these hacking attempts failed, the effort is not new. Adversaries are constantly looking for weaknesses to exploit in America’s infrastructure. Since water is so essential to daily life, these facilities are a favorite target.
In 2023, while serving in the Biden White House, I visited Pittsburgh shortly after the Municipal Water Authority of Aliquippa was hacked by an Iranian cyber group. Thankfully, that attack was quickly contained, and the water systems continued to function as normal.
The vulnerability of water infrastructure has become a recurring theme in the Iran war. Iranian Foreign Minister Abbas Araghchi recently accused the U.S. of striking a desalination plant on Qeshm Island, which he said had affected the water supply of 30 villages. Iran responded with drone strikes on a Bahraini water facility.
Cyberattacks on water infrastructure are more subtle but potentially just as destructive. Many U.S. water systems lack even the most basic cybersecurity protections that other critical industries consider standard. In Aliquippa, the system may have used a default or weak password. Hackers could have gotten in simply because no one had changed it.
The Iran conflict has heightened the risks. Tehran has spent years refining cyberattacks on critical infrastructure, disinformation campaigns, terrorist attacks and other hybrid threats designed to hit Americans at home.
Water systems are at the top of that list. The U.S. has about 150,000 water utilities, and the vast majority are small and under-resourced. Most have, at best, an operations manager who doubles as the IT person. Few — if any — have a dedicated cybersecurity team.
The artificial intelligence cybersecurity company Securin has identified 1,800 vulnerabilities in water and wastewater systems, with hundreds already weaponized and dozens actively exploited — including by state actors such as Iran, Russia and China. Federal reviews show that many systems fail basic cybersecurity requirements, leaving millions of Americans exposed.
Even more concerning are the water utilities supporting military installations and data centers. If you can turn off the water, you can turn off everything it supports.
The Trump administration recognizes this and calls for hardened defenses across critical infrastructure — including water — and for securing the AI technology stack itself.
But strategy alone is not enough. Action is needed.
I co-founded DEF CON Franklin to do precisely that. Named for Benjamin Franklin’s volunteer fire brigades, this initiative is mobilizing volunteer cybersecurity experts to defend vulnerable water systems by providing free support for basic things such as changing default passwords and enabling multifactor authentication.
We’re working with local providers, technology companies and partners like the National Rural Water Association to reach thousands more utilities — especially those supporting data centers, military installations and regional hospitals.
But volunteer firefighters can’t replace a professional fire department. Securing America’s water systems will ultimately require the same sustained federal investment that is made in energy and other critical infrastructure.
Iran has already targeted American water systems. It will do so again. The only question is whether all the default passwords will be changed before they strike.
The post U.S. water infrastructure is vulnerable to hacks. Iran knows it. appeared first on Washington Post.
