
The Small Utility Paradox: Why the Least-Resourced Water Systems Face the Greatest Threats

  • Writer: RubyComm Team
  • 6 days ago
  • 6 min read

When the FBI called Nick Lawler on a Friday afternoon before Thanksgiving 2023 to inform him that Chinese state-sponsored hackers had compromised his utility's network, his first instinct was disbelief. The Littleton Electric Light and Water Department serves approximately 15,000 people in two Massachusetts towns. "You would never think that would be a target of any type of attack," Lawler later told reporters.


He was wrong. The hackers, linked to China's Volt Typhoon campaign, had been inside his systems for over 300 days, quietly collecting operational data about grid layouts and control system procedures. The Littleton breach exposed a troubling reality that cybersecurity experts have been warning about for years: small utilities are not too small to target. They are, in fact, ideal targets precisely because they lack the resources to defend themselves.



“Target Rich, but Cyber Poor”

Cybersecurity expert Josh Corman captured the dilemma facing small water utilities in a phrase that has become an industry mantra: "target rich but cyber poor." The United States has roughly 50,000 community drinking water systems and about 16,000 publicly owned wastewater systems, the vast majority serving small communities. These systems manage critical infrastructure but often operate with minimal budgets, skeleton crews, and no dedicated cybersecurity personnel.


The numbers are stark. According to the National Rural Water Association, only 20 percent of water and wastewater systems across the country have even basic levels of cyber protection. The 2024 US Government Accountability Office report on water sector cybersecurity identified workforce skills gaps and older technologies as persistent challenges, noting that utilities prioritize funding for regulatory compliance over cybersecurity because improving cyber defenses remains largely voluntary, though that is changing quickly.


For threat actors, this creates an asymmetric opportunity. Nation-state groups like Volt Typhoon, CyberAv3ngers, and pro-Russian hacktivists are not selecting targets based on the immediate impact of disrupting service. They are probing for weaknesses, mapping infrastructure, and pre-positioning for potential future conflicts. A small utility with an unpatched firewall is just as valuable for reconnaissance as a major metropolitan system, and far easier to compromise.


The Resource Gap in Practice

The Littleton case illustrates how resource constraints translate into security failures. The utility's managed services provider had not updated a FortiGate firewall since December 2022, leaving a known vulnerability exposed for nearly a year before Volt Typhoon exploited it. Littleton has since fired that MSP, but the incident reveals a pattern common across the sector: small utilities depend on external vendors for technical support and often lack the expertise to verify whether those vendors are maintaining adequate security.

EPA inspections have documented similar patterns nationwide. Over 70 percent of water systems inspected since September 2023 failed to comply with basic cybersecurity requirements. Inspectors found utilities still using default passwords, sharing single login credentials among all staff, and maintaining access for former employees. These are not sophisticated vulnerabilities requiring expensive solutions. They are basic hygiene failures that persist because utilities lack the staff, time, and expertise to address them.


The fragmentation of the water sector compounds the problem. Unlike the energy sector, which has consolidated into large regional utilities subject to mandatory cybersecurity standards under NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection), water remains highly decentralized. Most providers serve small towns, operate independently, and may not face enforceable federal cybersecurity requirements.


Free Resources Most Utilities Are Not Using (for Assessment, Not Remediation)

The paradox is that substantial free resources exist for utilities willing to seek them out. CISA offers free vulnerability assessments and penetration testing. EPA's Water Sector Cybersecurity Evaluation Program provides third-party assessments at no cost. WaterISAC delivers sector-specific threat intelligence and security advisories. The State and Local Cybersecurity Grant Program, temporarily extended through January 2026, provides funding that many states direct toward water utility assistance.


Yet adoption remains limited. As EPA's Cole Dutton noted in an October 2025 webinar, many utilities remain unaware that their control systems are visible on the open internet. The challenge, Dutton explained, is not just information but motivation and enablement. Utilities struggling with daily operational demands, aging infrastructure, and tight budgets often cannot prioritize threats that feel abstract until they become immediate.


The "Standard" Playbook (And Why It Falls Short)

Most experts point small utilities toward the same set of manual steps. The advice is technically sound. The problem is that it assumes resources most small utilities simply do not have, and it does not provide the long-term cyber resilience required:


  • Manual Credential Management: Changing default passwords and eliminating shared logins across every operator account.

  • Asset Discovery: Working with CISA or state programs to identify systems accidentally exposed to the open internet.

  • Vendor Vetting: Using procurement checklists to verify that third-party managed service providers are actually delivering what they promised.

  • Manual Workarounds: Developing and rehearsing procedures to run the plant by hand if digital systems go offline.
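As an added example (not from the original post and not RubyComm code), the audit below covers the first two playbook items over a constructed inventory: it flags the default passwords, shared logins and lingering ex-employee access that the EPA inspections cited, and any device whose last update is older than an assumed 90-day patch policy. All account names, passwords, dates and the threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed values; the 90-day threshold is an assumed policy, not from the post.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "default"}
MAX_PATCH_AGE_DAYS = 90
AUDIT_DATE = date(2024, 1, 15)   # hypothetical date the audit is run

@dataclass
class Account:
    username: str
    password: str
    users: list          # people who actually log in with this account
    owner_active: bool   # False once the account's owner has left the utility

@dataclass
class Device:
    name: str
    last_update: date    # date of the last firmware/software update

def audit_accounts(accounts):
    """Return one finding per basic credential-hygiene failure."""
    findings = []
    for a in accounts:
        if a.password.lower() in DEFAULT_PASSWORDS:
            findings.append(f"{a.username}: default password")
        if len(a.users) > 1:
            findings.append(f"{a.username}: shared by {len(a.users)} staff")
        if not a.owner_active:
            findings.append(f"{a.username}: owner no longer employed")
    return findings

def audit_devices(devices, today):
    """Return one finding per device whose last update exceeds the threshold."""
    return [f"{d.name}: {(today - d.last_update).days} days since last update"
            for d in devices if (today - d.last_update).days > MAX_PATCH_AGE_DAYS]

# Constructed sample inventory (hypothetical names, passwords and dates)
ACCOUNTS = [
    Account("operator", "1234", ["alice", "bob", "carol"], True),
    Account("jsmith", "Xk9!v2q#rT", ["jsmith"], False),
    Account("supervisor", "T7&mQ1pzLw", ["dana"], True),
]
DEVICES = [Device("perimeter-firewall", date(2022, 12, 1)),
           Device("historian", date(2023, 11, 20))]

def run_audit(today=AUDIT_DATE):
    """Combine both audits into one list of findings for the inventory above."""
    return audit_accounts(ACCOUNTS) + audit_devices(DEVICES, today)
```

Run it as a scheduled job against a real inventory export and the output is the list of items to fix before the next inspection, rather than a one-time checklist.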


These steps share a common flaw: they are static. Sophisticated threat actors spend months quietly mapping industrial networks, learning layouts, identifying dependencies, and waiting. Against that kind of patience, a one-time password change is not a security strategy. It is a gesture.


The RubyComm Approach: Built for the Reality Small Utilities Face

RubyComm developed Rubyk-OT specifically for the "target rich, cyber poor" dilemma, the gap between the threats small utilities face and the resources they can realistically deploy against them. We do not ask operators to become cybersecurity experts overnight. We built a system that does not require them to.


What Rubyk-OT Delivers:


  • OT-Native Architecture: Generic IT security tools were not designed for industrial environments and can actively interfere with sensitive operational controls. Rubyk-OT is purpose-built for the constraints of critical infrastructure (e.g., water, energy, manufacturing) where uptime is non-negotiable.

  • Legacy System Integration: Most small utilities run older technology that modern security software cannot reach. Rubyk-OT wraps around existing infrastructure, delivering protection without requiring a hardware overhaul or a system replacement budget.

  • Zero Operational Disruption: Security that takes your systems offline to protect them defeats its own purpose. Rubyk-OT is deployed passively alongside your existing infrastructure, with no impact on live processes, no configuration changes to operational devices, and no scheduled downtime. Protection begins without your operators noticing a difference, which is exactly the point.

  • Process-Aware Threat Response: When a threat is detected, Rubyk-OT is designed to protect the operational process itself, not just the data sitting behind it. Keeping the water flowing is the mission. Our system reflects that.

  • No In-House Security Team Required: Rubyk-OT is designed to be operated by the people already running your facility. We manage the complexity. Your operators stay focused on the work that matters.


Small utilities should not have to choose between operational continuity and meaningful cybersecurity. Rubyk-OT closes that gap without the budget of a metropolitan system and without adding in-house cyber experts you do not have.


The Stakes Beyond Compliance

The consequences of inaction extend beyond regulatory penalties. A successful cyberattack on water infrastructure could disrupt service, damage equipment, or, in the worst case, compromise water quality and cause physical harm to people.

Wastewater treatment facilities face additional risks. A successful attack could disable treatment processes, resulting in the release of untreated sewage into waterways. For threat actors seeking to create environmental damage or public health crises, these systems present attractive targets with consequences that extend far beyond the utility itself.


For small utilities, the reputational and operational impacts of a breach can be existential. Littleton was fortunate that Volt Typhoon was conducting reconnaissance rather than destructive operations, and that the utility had already begun working with Dragos when the breach was discovered. Other utilities may not be so lucky.


The mathematics of vulnerability are daunting. With 150,000 water facilities across the United States, each representing a potential entry point for adversaries, waiting for every utility to independently develop cybersecurity expertise is not a viable strategy. But neither is resignation. The attacks are happening now. The tools and resources to defend against them exist. The question is whether utilities will use them before they become the next case study in a threat intelligence briefing.


About RubyComm:

RubyComm delivers tailored operational technology cybersecurity solutions designed specifically for the unique challenges of industrial and critical infrastructure environments faced by organizations of all sizes. Unlike one-size-fits-all security products, RubyComm addresses the specific operational constraints, legacy system challenges, and complex integration requirements that conventional off-the-shelf solutions usually do not address. Our approach maintains operational efficiency and business continuity while providing comprehensive protection against sophisticated OT-specific threats, without the need for an in-house team of cybersecurity specialists.


Sources: Dragos Case Study: Volt Typhoon and Littleton Electric Light and Water Departments (March 2025); GAO Report GAO-24-106744: Critical Infrastructure Protection (August 2024); EPA Office of Inspector General Report 25-N-0004 (November 2024); Federal News Network; The Register; American Public Power Association; Industrial Cyber; National Rural Water Association.
