We are too dependent on undependable things. There is a promise and a peril to connected technologies, and our dependence on connected technologies has been growing faster than our ability to protect it. As we are seeing increased disruptions to our most vital lifeline needs – water, emergency services, food, and power – how can we turn the tide?
IST’s UnDisruptable27 initiative, led by Executive in Residence for Public Safety & Resilience Josh Corman and initially supported in 2024 by seed funding from Craig Newmark Philanthropies, seeks to inform, influence, and inspire community action to strengthen the safety and security of our lifeline critical infrastructure systems by 2027. By taking a community-first approach and connecting directly with local infrastructure owners and operators, UnDisruptable27 hopes to build resilience into our systems before attackers like Volt Typhoon bring a hybrid conflict to our doors.
This June, ICS Village, in partnership with IST, Crowell LLP, the National Security Institute, and the Wilson Center will present Critical Effect DC, the eighth edition of D.C.’s annual industrial control systems (ICS) security conference. Formerly known as Hack the Plant, Critical Effect DC provides a unique platform for policymakers, think tanks, and the media to engage with leading voices in ICS and cybersecurity. This year, the conference adopts UnDisruptable27’s call to action and will prioritize timely, solution-driven content that tackles cross-sector critical infrastructure security and resilience challenges with a sense of urgency.
In this month’s edition of the TechnologIST, we sat down with Josh to learn more about UnDisruptable’s goals, possible solutions, and the risks to our communities if we do not fortify our critical sectors in time.
UnDisruptable27 aims to build safety, security, and resilience into our communities’ lifeline critical sectors. What do you mean when you say “lifeline” sectors?
“Think of this as stuff that humans need to survive, in the immediate sense. Most people have heard of the notion of critical infrastructure. Unlike many of our allies, the United States delegates public goods to be owned and operated by the private sector.
In 2013, the Obama administration issued Presidential Policy Directive 21, which identified 16 sectors as “critical infrastructure.” These included things like financial services, healthcare, public health, and water and wastewater. But when everything’s critical, nothing’s critical.
So of those, CISA identified National Critical Functions that are more discrete and more like a lifeline utility. These provide drinking water, electricity, medical care, and maintain access to our medical records. So you can look at “lifeline” sectors as a service or function that should be running all the time and then could be disrupted for some amount of time, to some degree. These are the critical functions that, if disrupted for 24 or 48 hours, could affect public safety and human life.
All the sectors matter, but they have different life implications and public safety implications.”
You recently joined Bryson Bort for an episode of the IST/ICS Village-produced podcast, Hack the Plant, to discuss UnDisruptable27 and the growing threats to our infrastructure systems. On the podcast, something you said stood out to me: “part of the reason we are defending indefensible things is our incentives have never been properly placed.” What do the proper incentives look like, to you?
“From my perspective, we have seen market failures in software, infrastructure technology, and operational technology. The problem is three-fold.
First, there is a complete lack of liability for technology developers. We had the first losses of life from software failures over 30 years ago, but as software was a competitive international market – like AI is today – there was a conscious decision to delay the issue of liability. But what was meant to be a short moratorium has remained in place, leaving developers unaccountable.
The second problem we have is information asymmetry. In theory, supply and demand take care of themselves. You have an informed public, constituting the demand, who are able to choose among sufficient supply. They buy the products that best meet their needs. But with the increasing complexity of software, IT, and OT, it’s very difficult to know what we’re buying. This is why I push for things like labeling, or SBOMs (Software Bill of Materials), or attestations about the software being patchable, or having disclosure programs. We need policies that can build the confidence of the buyer, even if they don’t understand underlying technology.
And then third, we have rarer and more challenging market failures; sometimes what’s right for the company and the shareholders is wrong for the country. The Colonial Pipeline hack is a good example of this – they shut down operations, not because the pipelines were hacked, but because the business office was hacked. What was good for their shareholders was panic-inducing for the Eastern Seaboard.
This all stems from a general lack of accountability that allows those who produce digital infrastructure to pass large amounts of unspecified risk downstream to the ecosystem, making it far more challenging to protect. We need public policy that will ensure that we maintain the trust and safety of the public, not just the sovereignty of private organizations.”
In June 2025, IST is partnering with ICS Village to host Critical Effect DC. How has UnDisruptable27’s mission impacted the theme of #CriticalEffect25?
“ICS Village has run Hack the Capitol, now Critical Effect DC, for seven years, and done an incredible job of bringing together Operational Technology (OT) and Industrial Control Systems (ICS) practitioners and public policymakers. I’ve joined both as a speaker and attendee, and Bryson and I have collaborated on several different projects.
I approached Bryson and the team at ICS Village and proposed, instead of just focusing on what we need to do for the next five or ten years, what is the art of the possible in the next one or two? How can we add urgency, impact, and effect? So we’ve included more focus on this immediate need, and the possible consequences of disruption and destruction on these lifeline sectors.
We already had a good start with the communities we touched, but this year we wanted to drive much more attention towards water, power, and emergency care. We want to reach past everyone who is already at the table, and look to the 85% of owners and operators who don’t yet participate in public-private partnerships, aren’t members of an ISAC, and haven’t come to DC for conferences.
We want this to be a call to meet the moment. I encourage every speaker to really turn up the heat on what could be done now, what could have the highest impact, how can we lean in harder than we could have without these partnerships?”
If you haven’t already, make sure you visit our website, register to join us in DC this June, and submit your proposal to present at Critical Effect DC by April 4.
What are the risks to you and me if we are not able to prepare our critical infrastructure before 2027?
“Recently, we’ve seen nation-state adversaries consider cyber offensive attacks as weapons of war in modern hybrid conflict. A lot of these attacks are scooping up any vulnerable, exposed equipment as a potential asset to be used indiscriminately. And sadly, most of our infrastructure is target-rich, but cyber-poor. Volt Typhoon is the most troubling example to me, but we’ve also seen two other groups attack water infrastructure located in Pennsylvania and Texas in the last year.
So we know that more than one country that we could have a hybrid conflict with has shown an interest and ability to access our basic water systems. What does that mean for our communities?
The most devastating scenario is, a water facility controlled by a group like Volt Typhoon executes a water hammer, a phenomenon in which a sudden pressure surge can overwhelm the pump system and cause significant disruption to water flow, and even burst pipes and damage property. Six thousand of our communities house hospitals, and attackers could target these areas of our cities to eliminate water flow to all an area’s healthcare facilities.
Hospitals are equipped with diesel generators and can go quite a bit of time without power, but they cannot continue to operate for more than four to six hours without water.
Were this to happen across enough communities, we may not have the repair technicians or replacement parts to fix them even that quickly. Delaying or degrading urgent care for even a few minutes can affect outcomes for our family members, our communities, and entire regions. This could be devastating.
As to the likelihood of this kind of event, former FBI director Christopher Wray warned in 2024 that the Chinese Communist Party could feasibly carry out large-scale, disruptive attacks to our lifeline critical infrastructure. If we interfere with CCP intentions in Taiwan, for example, they could wreak havoc on our critical infrastructure. We expect to have to interfere, therefore, we should prepare for the worst.
More than that, as I said, we have seen successful compromises of our water systems by other nation state adversaries. If it’s not the PRC and Volt Typhoon, it will be someone else. Our lifeline infrastructures are exposed to any adversary, at any time, for any motive.”