When the Pipes Stop, Everything Else Follows
Behind closed doors, a group of insurance industry professionals gathered recently to run through a scenario most Americans assume belongs to fiction: China’s Volt Typhoon hacker group successfully attacks the United States water supply. What unfolded during that simulation was not a tidy policy exercise. It was, by the accounts of those present, a cascade of failures so interconnected that containing any single part of the damage made stopping the rest nearly impossible.
The exercise surfaced two of the most visceral outcomes imaginable from a cyberattack on civilian infrastructure – burst water mains flooding streets and hospitals forced to evacuate patients. Those aren’t abstract projections. They were the simulated conclusions that a room full of risk professionals, people whose entire profession is calculating worst-case exposure, walked away trying to price.

Volt Typhoon and the Infrastructure It Already Occupies
Volt Typhoon is not a hypothetical threat constructed for war games. It is a Chinese state-sponsored hacking group that U.S. federal agencies have publicly attributed to the People’s Republic of China, one that has already been documented inside American critical infrastructure networks – not stealing data, but sitting quietly, maintaining access. That distinction matters enormously. A group optimized for espionage exfiltrates information. A group positioned the way Volt Typhoon has been positioned is waiting for a different kind of order.
Water systems in the United States present a specific kind of vulnerability that makes them attractive targets and difficult to defend simultaneously. Most municipal water utilities operate on aging industrial control systems, many of which were designed before network connectivity was standard, then connected to networks anyway. Budget constraints at the local government level mean security updates that would be automatic in a corporate environment get deferred for years. The attack surface is broad, the defenders are underfunded, and the consequences of disruption run directly into public health.
The simulation placed insurers at the center of the response scenario deliberately. Insurance is where financial exposure to catastrophic risk gets quantified, and water infrastructure attacks sit in a coverage gray zone that the industry has not resolved. When a hurricane destroys a water treatment facility, the damage pathway is physical and the policy language, however contested, exists. When a nation-state hacker causes a utility’s control systems to behave destructively, the questions multiply fast – is this a cyberattack, an act of war, or both, and does the distinction change who pays?
What the Simulation Actually Produced
Burst water mains don’t just flood streets. They drop pressure throughout a distribution system, which means firefighters lose access to hydrants at the exact moment that electrical faults from the same attack might be starting fires. Hospitals that evacuated in the simulation did so because without reliable water, sterile conditions in surgical suites cannot be maintained. That forces patient transfers, which strains every receiving facility in range, which then affects trauma response capacity for anyone injured in the broader chaos the original attack generated.
The compounding effect is what the war game appears to have stressed most. No single failure in the simulation stayed isolated. Each disruption created conditions that made adjacent systems harder to operate, and the insurers running the exercise found themselves mapping a liability web that didn’t resolve cleanly into existing product categories.

The Coverage Gap Nobody Has Solved
War exclusions in insurance policies have existed for as long as insurance has covered wartime losses, but they were written for conflicts between armies, not for operations where attribution takes months and physical damage is caused by software commands. Volt Typhoon’s model of pre-positioning inside networks specifically complicates the question of when an attack begins – and therefore when coverage would or wouldn’t apply.
The insurance industry’s interest in running this kind of simulation reflects something the sector has been grappling with since NotPetya in 2017, when what appeared to be ransomware turned out to be a Russian state operation, and carriers found themselves facing massive claims on policies that had war exclusions they had never expected to invoke against a cyberattack. NotPetya cost insurers billions. A successful Volt Typhoon operation against water infrastructure in multiple American cities simultaneously would generate losses at a scale that would make NotPetya look like a contained incident.
Critical infrastructure protection in the United States is divided across federal agencies, state regulators, and private operators in a way that produces consistent gaps at the handoff points. The Environmental Protection Agency has authority over drinking water safety. The Cybersecurity and Infrastructure Security Agency handles cyber threat coordination. Local utilities answer to municipal governments with their own budget priorities. When the simulation’s scenario unfolded, those jurisdictional lines became friction points rather than coordination mechanisms – each entity waiting to confirm the scope of its role before acting.
Water is also politically invisible until it fails. Residents interact with it by turning on a tap; the infrastructure that makes that possible sits underground and inside utility buildings that most people never think about. That invisibility has made sustained investment in security harder to justify to local budget committees than it would be for, say, airport security, where the consequences of failure appear immediately on the news. The war game made the invisible visible – at least to the room of professionals running it.

What a Closed Room Knows That the Public Doesn’t
Simulations like this one are run under conditions that allow participants to speak and strategize without their conclusions becoming immediate public statements. That structure exists for legitimate reasons – frank assessment of worst-case scenarios requires some separation from the political pressure to appear in control. But it also means that the most detailed, specific thinking about how badly a Volt Typhoon water attack could go is concentrated inside closed rooms, while the public water supply those rooms are theorizing about remains in the hands of utilities that may not have attended the exercise.
The hospitals that evacuated in the simulation were not named. The cities whose water mains burst were not identified. The financial exposure figures the insurers calculated stayed inside the room. What came out was a description of what the exercise revealed: a nightmare scenario, in the words of those present, where the connective tissue between water, health, fire suppression, and civil order pulled apart faster than any coordinated response could stitch it back together.
Whether Volt Typhoon ever executes what it appears to have positioned itself to execute depends on decisions made in Beijing, not Washington. The group is already inside some of the networks. The question the simulation was really asking – the one the insurers left the room still holding – is not whether the attack is technically possible. It is whether the systems designed to respond are capable of handling what comes after the first pipe breaks.








