In Washington, D.C. this summer, ICS Village, the Institute for Security and Technology (IST), Crowell & Moring LLP, and the National Security Institute hosted Critical Effect, the 8th annual industrial control systems security conference. The next evolution of Hack the Capitol, the conference featured two days of critical infrastructure-focused panels, talks, and deep dives across three tracks that connected policymakers, members of civil society and academia, and OT/ICS stakeholders.
This year’s conference drove themes core to UnDisruptable27, IST’s effort to drive resilience for local critical infrastructure systems at the intersection of water and access to emergency care. To emphasize the urgency needed and to zero in on what can be done, Critical Effect DC ‘25 prioritized timely, solution-driven content, focusing on initiatives that can be implemented in the next two years.
With this mission in mind, members of Congress, emergency management, top-tier media, stakeholders from water, emergency healthcare, power, and food supply, national security experts, and more convened at Crowell & Moring’s D.C. office over June 14 and 15 for a conference filled with insightful analysis, probing questions, interactive escape rooms, a smattering of unicorns, and even a few emotional support sharks passed out during Beau Woods’ Cyber Policy Shark Tank.
Couldn’t join us in DC? Read some of the top takeaways from the event, and stream the full conference on ICS Village’s YouTube.
1. No Water, No Hospitals: Emergency Response Under Fire
China’s 2027 intentions toward Taiwan are fast approaching, and water and wastewater systems across the United States are in the crosshairs. Volt Typhoon’s credible threat of disruption and destruction to water infrastructure poses immediate risks to public safety, human life, and national security. IST Executive in Residence for Public Safety & Resilience Joshua Corman sat down with cross-sector experts International Committee of the Red Cross (ICRC) Deputy Legal Head Jonathan Horowitz, American Water Works Association (AWWA) Federal Relations Manager Kevin Morely, Coconino County Health and Human Services Senior Public Health Emergency Preparedness Planner Blake Scott, and WaterISAC Director of Infrastructure Cyber Defense Jennifer Lyn Walker to surface and test assumptions regarding cross-sector, cascading failures and to discuss some of the findings and recommendations from UnDisruptable27.
“I want you to picture your hospital…when was the last time you were at this hospital?” Josh asked the audience. “Was it to welcome a newborn into the world? Say goodbye to a friend? Did you take a loved one to the emergency room? Did you get the care you needed, when you needed it? Now, I want you to imagine that hospital again, and I want you to imagine that hospital is not available to you. Where would you go instead? [The CISA Covid Task Force] proved that delayed and degraded access to care had worsened outcomes and elevated mortality rates for heart, brain and pulmonary [events]. This is personal, and those disruptions are irrespective of cause. It could be a ransom attack. It could be a power outage. It could be a water disruption at scale. You’re thinking about where you would go if your hospital was down, but what if they too are down?”
2. Practicing for Disaster: MITRE’s Multi-Sector CyberSecurity Exercise
MITRE recently hosted a groundbreaking exercise bringing together approximately 200 participants from 70 organizations across five metro areas, including federal, state, and local governments, emergency managers, and industry representatives from sectors like pipelines, electricity, IT, communications, and rail. The exercise focused on enhancing national resilience during a protracted cyber conflict affecting multiple critical infrastructures. In this panel, MITRE Cyber Infrastructure Protection Innovation Center Director Mark Bristow sat with exercise attendees Xcel Energy AVP Sharla Artz, Worcester, MA Emergency Communications & Management Commissioner Charles R. Goodwin, New York Metropolitan Transit Authority CISO Tariq Habib, and Berkshire Hathaway Energy Senior Advisor Robert Morgus to discuss outcomes and insights gleaned.
“Volt Typhoon is not killing people every day, but that’s what they mean to do,” Mark explained. “So if we’re not looking at this as [more than] a cyber problem…we’re not addressing the whole challenge. Because at some point it stops being a computer problem and starts being a humanitarian problem.”
3. Conveying the Looming Threat of Critical Infrastructure Hacking
The idea that malicious hackers could cause blackouts, water contamination, food shortages, or healthcare disruptions from their keyboards has gone from a sobering hypothetical to an urgent reality in recent years. With so many news topics competing for public attention, though, how should journalists approach coverage of potentially calamitous digital and cyber physical threats? In our annual press panel, WIRED Senior Writer Lily Hay Newman sat down with IST’s Joshua Corman, WIRED Senior Writer Andy Greenberg, and CyberScoop Reporter Derek Johnson to discuss.
“There was more data destroying malware deployed in the first year of the war in Ukraine than we’ve ever seen anywhere,” Andy said. “It’s just that it, rightfully, doesn’t take the headlines when there are physical bombs dropping on people.”
4. What’s the worst that could happen? Cyber Consequence Analysis for Critical Infrastructure
Often, the professionals charged with protecting critical infrastructure from cyber attack aren’t well versed in the operational impacts that could result from such an attack. Without that understanding, the defensive strategy for cybersecurity of these critical functions lacks operational context, meaning that key defenses and defenders may be overlooked. In this talk, Idaho National Laboratory Program Manager Virginia Wright briefed attendees on critical insights and questions that can be asked to unlock this awareness and transform cybersecurity plans into critical function assurance plans.
“We are protecting networks that depend upon safety, reliability and performance with tools that were originally designed to protect confidentiality, availability and integrity,” Virginia said. “And you can see, like anything in life, when you use a tool that was designed for one purpose to perform a different purpose, there are going to be gaps in its effectiveness.”
5. Securing America’s Water Systems: Engineering-Based Approaches to Cyber Resilience
Most community water systems in the United States operate with limited funds and minimal technical expertise as they work to implement, maintain, and effectively utilize complex cybersecurity solutions. However, these same utilities typically have access to internal and external resources who could provide a deep understanding of water process engineering. In this talk, I&C Secure President Gus Serino examined the critical interdependence between U.S. drinking water systems and vital services and outlined practical, engineering-focused approaches to achieve cyber resilience.
“We do cybersecurity in critical infrastructure not just to do cybersecurity,” Gus said. “We do it to protect and add resilience to the fundamental mission, and that is maintaining pressure with sufficient volume of treated potable water.”
6. Military Mobility Depends on Secure Critical Infrastructure
A direct military engagement between the United States and a near-peer adversary would require the swift mobilization and deployment of a sizable U.S. military force, as moving troops and equipment efficiently over land, sea, and air is essential to America’s ability to project power, support partners and allies, and sustain forces to fight and win wars. A significant, rapid mobilization would require civilian-owned rail networks, commercial ports, and airport authorities to handle transportation for the majority of servicemembers and materials. In this talk, Foundation for Defense of Democracies Center on Cyber and Technology Innovation Senior Director Mark Montgomery presented his case for why he believes our critical infrastructure systems are ill-equipped to handle a crisis, and his recommendations to Congress.
“You need to pass the laws and provide the money now, and there’s a small chance you’ll be ready,” Mark said. “[Military mobility] is underpinned by water. It’s underpinned by power. It’s underpinned by a healthcare system that works. All those other things have to work.”
