
My hometown of Middletown, Ohio recently made local news after hackers disrupted the city’s water billing system and other services. The episode raised a timely question: how are cities becoming prime targets, and what can managed service providers (MSPs) and chief information security officers (CISOs) do to protect municipalities?
I spoke with Joshua Copeland, Director of Cybersecurity at Crescendo AI and Professor at Tulane University, about MSPs and municipalities. He’s blunt: “Municipalities aren’t hit because they’re interesting—they’re hit because they’re reachable, predictable, and unprepared.” The core remedy, he says, is simple: remove those three advantages from the attacker.
Five strategies that move the needle fast
- Assume compromise and build for recovery. Ransomware remains the dominant threat. Offsite, immutable backups, tested restore playbooks, and established RTO/RPO with business leaders are essential. Copeland notes, “If you can’t restore a critical system in a realistic timeframe, you’re not resilient—you’re lucky so far.”
- Harden identity and email first. Breaches start with phishing and weak identity controls. The prescription is clear—enforce MFA everywhere, tighten privileged access, and strengthen email defenses with URL and attachment inspection. Impersonation protection for mayors, council members, and finance staff should be a top priority.
- Segment like your job depends on it. Many municipal networks are flat, with city halls, public works, police, and OT systems sharing a single plane. Basic network segmentation, separate admin tiers, and strict firewall rules dramatically limit blast radius after an initial foothold.
- Patch within business reality, not fantasy. Municipal environments are full of legacy systems and specialized apps. MSPs and CISOs should prioritize patching based on exploitability metrics (e.g., EPSS, Known Exploited Vulnerabilities), focusing on systems with external exposure. When patching isn’t feasible, document accepted risk.
- Train people like they’re part of the security operations center. Clerks, finance, 911 dispatchers, and public works need concise, frequent, role-specific training. The aim is detection and rapid reporting, not shaming.
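The patch-prioritization strategy above can be made concrete with a small triage script. This is an added example, not code from the original article or from Copeland; the asset names, placeholder CVE IDs, EPSS values, the 0.10 threshold, and the four-tier scheme are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    cve: str         # placeholder ID, constructed for this example
    epss: float      # EPSS exploitation probability, 0.0 to 1.0
    in_kev: bool     # listed in the Known Exploited Vulnerabilities catalog
    external: bool   # reachable from the internet
    patchable: bool  # False for legacy systems that cannot be updated

# Constructed sample inventory (not real scan data).
FINDINGS = [
    Finding("hr-file-server", "CVE-PLACEHOLDER-4", 0.35, False, False, True),
    Finding("911-dispatch-cad", "CVE-PLACEHOLDER-3", 0.64, True, False, False),
    Finding("court-records-db", "CVE-PLACEHOLDER-5", 0.04, False, False, False),
    Finding("permit-portal", "CVE-PLACEHOLDER-2", 0.71, False, True, True),
    Finding("water-billing-web", "CVE-PLACEHOLDER-1", 0.02, True, True, True),
]

EPSS_THRESHOLD = 0.10  # assumed cut-off; tune to local risk appetite
ACCEPT = "document accepted risk + compensating controls"

def tier(f: Finding) -> int:
    """1 = exploited/likely and exposed, 2 = exploited/likely but internal,
    3 = exposed with no exploit signal, 4 = everything else."""
    exploit_signal = f.in_kev or f.epss >= EPSS_THRESHOLD
    if exploit_signal and f.external:
        return 1
    if exploit_signal:
        return 2
    return 3 if f.external else 4

def triage(findings):
    """Order findings by tier, then KEV membership, then descending EPSS."""
    ranked = sorted(findings, key=lambda f: (tier(f), not f.in_kev, -f.epss))
    # Unpatchable systems are not dropped: they get a risk-acceptance record.
    return [(tier(f), f.asset, f.cve, "patch" if f.patchable else ACCEPT)
            for f in ranked]

if __name__ == "__main__":
    for t, asset, cve, action in triage(FINDINGS):
        print(f"tier {t}  {asset:<20} {cve:<18} {action}")
```

A KEV-listed finding outranks a higher EPSS score within the same tier because it reflects observed exploitation rather than a prediction.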
How the threat landscape has evolved
According to Copeland, who also serves as Deputy Commander of the Louisiana State Guard Cyber Reserve, the nature of attacks targeting municipalities has transformed dramatically in recent years:
- From opportunistic to commercialized targeting. Ransomware groups now target municipalities more strategically, recognizing the political and visible impact of downtime. This makes robust incident response crucial.
- Convergence of IT and OT risk. Smart-city systems—traffic controls, water and waste facilities, building management, and IoT sensors—are increasingly exposed. Misconfigured remote access and aging control systems raise the potential for physical disruption alongside data loss.
- Data theft and extortion, not just encryption. Modern ransomware often steals data before encrypting. Municipalities hold sensitive information (PII, law enforcement data, student records, infrastructure maps), making data exfiltration a serious risk even with backups.
The five biggest cyber dangers
When asked to identify the major dangers municipalities face, Copeland groups them into five critical categories:
- Ransomware and business email compromise. Ransomware disrupts operations, while BEC drains funds through invoice fraud, payroll diversion, and fraudulent transfers—often underreported.
- Legacy systems that can’t be patched or replaced. Long-lived court systems, tax apps, permitting, and 911 dispatch can’t always be Internet-facing or easily updated. They require compensating controls like segmentation and strict access limits.
- Flat networks and shared credentials. Flat networks and shared admin accounts enable easy lateral movement once attackers gain a foothold.
- Third-party and MSP risk. Municipalities rely on vendors for many services. A compromised partner can lead to an indirect municipal breach, so vendor access must be treated with the same rigor as internal access.
- Security debt across IT/OT. Aging infrastructure and outdated security controls create persistent risk across both information technology and operational technology.
Cities are prime targets because they are reachable, predictable, and often unprepared, making them attractive to attackers. MSPs and CISOs can protect municipalities by adopting a posture of assuming compromise, hardening identities, segmenting networks, prioritizing strategic patching, and training teams to detect and report incidents quickly.
Photo: TierneyMJ / Shutterstock
This post originally appeared on Smarter MSP.


