JUANA SUMMERS, HOST:
The U.S. Environmental Protection Agency recently sounded the alarm about an increase in malicious cyberattacks targeting American water systems. As hackers from nation-states and criminal gangs alike cause chaos, make money and even prepare for potential future conflicts with the United States, NPR cybersecurity correspondent Jenna McLaughlin traveled to a small New England town to learn more about how water operators are defending their systems from digital attacks.
JENNA MCLAUGHLIN, BYLINE: It's late summer in southern Vermont, and Buttermilk Creek (ph) in Ludlow is cascading into three gushing waterfalls.
(SOUNDBITE OF RUSHING WATER)
MCLAUGHLIN: Meanwhile, Chris Hughes is trying to figure out why there's water gushing where it shouldn't.
CHRIS HUGHES: Well, this is fun. Hang on a minute.
MCLAUGHLIN: We're at the water treatment plant Hughes helps run. He makes a call to his boss.
HUGHES: Hey, we got a problem with the water plant.
MCLAUGHLIN: Hughes is the assistant operator here. It's just two people treating all the drinking and wastewater in the small towns of Cavendish and Proctorsville.
HUGHES: System's shut off, and the water's pouring out of the clear well outside.
MCLAUGHLIN: Turns out, a lightning strike shut off power to one of the systems. Speaking outside earlier that day, while the storm that likely hit the plant passed through the area, Hughes said the work is never boring.
HUGHES: I haven't had a lot of jobs, but it is by far the most interesting job that I've ever had. And so you have to like it. You have to kind of care.
MCLAUGHLIN: Hughes has dealt with all kinds of problems, from lightning strikes to hunting down missing manhole covers in dense, tall grass or raking so-called flushable wipes out of sewer pipes. But now Hughes is learning about a new threat on the horizon - hackers.
HUGHES: It's kind of scary that I'm the only door between, you know, the Iranians and our water system. You know, it's - it kind of makes me a little nervous. I don't really have the background to be fending off foreign entities, you know?
MCLAUGHLIN: Hughes isn't exaggerating. The threat is real. Last October, criminal hackers targeted American Water, the largest publicly traded water and wastewater utility company in the United States. Then that January, Russian hackers took credit for making a water system overflow in Muleshoe, Texas. Meanwhile, the White House has been cutting federal funding for many cybersecurity programs. But there's good news. There's a team assembling here in Vermont to help Hughes out.
FOREST ANDERSON: I grew up in Berkshire, Vermont. My town doesn't have a high school.
MCLAUGHLIN: Meet Forest Anderson, another local water operator. Carrying a ukulele case full of gadgets, he's also a self-proclaimed tech nerd. That's part of how he recently got a job as a cybersecurity system specialist for the nonprofit Vermont Rural Water Association. As we ducked out of the rain, he mentioned another hacking group that he's worried about.
ANDERSON: If you aren't familiar with Volt Typhoon, it's going on right now. Volt Typhoon is in New England.
MCLAUGHLIN: Volt Typhoon - he's referring to a Chinese hacking group U.S. national security officials say has been burrowing into U.S. critical infrastructure, lying in wait to shut off water systems and spread fear in the event of a conflict, like if China wanted to invade Taiwan.
ANDERSON: So I don't scare people. I give people the facts. And the fact is, is that they're here. And if we were to lose our supply of semiconductors on top of our manufacturing, our power and our water, we would not stand a chance against any conflict.
MCLAUGHLIN: Also joining us was Tim Pappa, a former FBI agent who now works in cybersecurity in the corporate world.
TIM PAPPA: You kind of mixed people you didn't expect to be mixed together (laughter). I don't know if Chris and I would've met ordinarily, but we have, and we have different backgrounds and different perspectives on things.
MCLAUGHLIN: He's here thanks to a new volunteer effort called Project Franklin (ph), put together by heavy hitters in the cyberspace, from the well-known DEF CON Hacking Conference to the University of Chicago. Cavendish might be small, but it's nestled up alongside glitzy ski resorts, major defense contractors. It's part of the critical infrastructure of New England. Anderson and Hughes both remember Hurricane Irene back in 2011, how the flooding damaged everything, even led to the deaths of a father-son water operator team in nearby Rutland and how the towns came together to help each other rebuild.
ANDERSON: Especially after the flooding, we realized that there's no cavalry. We are the cavalry. We are.
HUGHES: That goes back to that New England Yankee ingenuity. We'll do it ourselves.
MCLAUGHLIN: New England ingenuity and some good tech hygiene. I watch as Anderson, Hughes and Pappa put some basics in place to set Cavendish up for success, no matter what's coming their way.
ANDERSON: I have something pulled up for you to check out later, some event logs and security.
MCLAUGHLIN: They cover up the Wi-Fi password, install network monitoring tools, a virtual private network and system backups.
ANDERSON: If you see a failed login attempt and then a successful login attempt, and then they take a data packet, a file or a folder, you can assume that it was malicious.
MCLAUGHLIN: It's a big step in the right direction of making Cavendish a smaller target for bad guys. To explain, Anderson has the perfect Vermont metaphor.
ANDERSON: I say, right now is hunting season. We are the six-point buck in the field. We're just hanging out in the fields. Right now, we need to get in the woods 'cause it's a lot harder to hit a target in the woods.
MCLAUGHLIN: Going forward, it might indeed be harder for hackers to hit their mark here amongst the sugar maples of Vermont.
Jenna McLaughlin, NPR News. Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.
