Cyber volunteer effort for small water utilities announces new MSSP effort
An initiative designed to help protect water utilities from cyberattacks announced a new phase this week as it seeks to expand coverage across the U.S.
DEF CON Franklin co-founder Jake Braun said the organization is now looking to develop a first-of-its-kind managed security service provider (MSSP) model tailored specifically for rural water utilities.
Braun helped create DEF CON Franklin after serving as a senior cybersecurity official in the Biden administration. The initiative paired white-hat hackers with several rural water utilities in Arizona, Idaho, Indiana, Oregon, Utah and Vermont — providing the organizations with cybersecurity expertise to protect them from increasingly belligerent cybercriminals and nation-state groups.
In an interview on Tuesday, Braun told Recorded Future News that while they saw success with the volunteer model, it became difficult to scale it up to help the more than 50,000 water utilities in need of assistance.
The goal, he explained, is to design a shared, affordable and scalable MSSP framework that reflects the operational realities of small and rural utilities and provides continuous cybersecurity protection over the long term.
MSSPs typically provide cybersecurity services that include threat detection, incident response and more. They help organize firewalls, patch vulnerabilities, secure cloud environments and offer threat intelligence.
According to Braun, the MSSP effort will start with threat detection and monitoring before adding incident response, compliance support and more services.
Braun said DEF CON Franklin has been working with the National Rural Water Association (NRWA) to put together the MSSP program and noted that NRWA already provides technical assistance to thousands of utilities around the country.
“With their help we can achieve scale with security. Essentially, we will build out a series of smaller regional MSSPs reporting up to an organization within the National Rural Water Association — what we’re calling the Water Watch Center — and then over time, those regional MSSPs reporting up to the big one would cover the whole country,” he said.
“Any water utility could be connected to it and receive free MSSP security services.”
They have started to bring in experts with experience setting up and managing MSSPs, including well-known cybersecurity expert Tarah Wheeler. Wheeler has been hired full time to assist in the effort — which is being funded in part by Craigslist founder Craig Newmark.
Braun said Wheeler has relationships with a lot of the current MSSPs on the market and is helping to bring in people who are willing to help.
“Unfortunately, rural American water utilities are drowning in outdated cybersecurity and technology needs,” Wheeler said. “They are targeted every day by foreign attackers and computer criminals. It will be an honor to serve and protect them.”
A recent study by the Environmental Protection Agency found that more than 70% of water systems inspected in a 2024 review failed to meet basic cybersecurity standards. Efforts by local and federal governments have been stymied by industry groups concerned about raising water utility prices.
Iranian and Chinese groups have been seen targeting water utilities over the last two years, endangering drinking water and other critical utility services.
DEF CON Franklin is run through the University of Chicago's Harris Cyber Policy Initiative, where Braun is executive director, and Wheeler will now serve as a senior fellow and board member. The initiative is also heavily centered around the DEF CON cybersecurity conference, with many attendees serving as volunteers in the effort.
“Franklin proved that the cybersecurity community is willing and able to show up for the most under-resourced parts of our critical infrastructure,” Braun said.
“The next challenge is sustainability. Tarah Wheeler brings exactly the technical depth, governance expertise, and real-world perspective needed to build a managed security model that actually works for water operators on the ground.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



