The reach of cyber hackers, whether foreign or domestic, can’t be underestimated.
The city of Lowell witnessed that firsthand in April 2023, when many of its City Hall computer systems fell prey to a significant ransomware attack claimed by the criminal group Play, in which they reportedly lifted “private and personal confidential data, finances, taxes, clients and employee information.”
Of course, these digital thieves were looking for a handsome payday, the details of which were never publicly disclosed.
Hackers backed by foreign governments pose even greater threats — for instance, to the defense industry and this nation’s vulnerable power grid.
The scope of their net hit uncomfortably close to home a few months after Lowell’s hack.
In November 2023, the FBI alerted the Littleton Electric Light and Water Departments that Chinese hackers had compromised their computer networks.
A community-owned municipal utility, the Light Department serves Littleton, Boxboro and Devens, while the Water Department services Littleton and portions of Boxboro.
The breach, active for nearly a year, targeted critical infrastructure, but fortunately, no customer data was compromised or service interrupted.
Hackers accessed LELWD’s system via a vulnerable firewall, potentially allowing control over water treatment systems
The FBI, as part of a wider investigation into 200 compromised U.S. entities, notified LELWD in late 2023.
The utility worked with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to remove the hackers by December 2023.
The case represented a cautionary tale about the vulnerabilities exposed in small U.S. municipal utilities.
The LELWD was even featured in a “60 Minutes” segment highlighting the threat to American critical infrastructure.
That report disclosed China’s hacking of American utilities, even in small towns like Littleton, had alarmed America’s national security leaders.
In that piece, Nick Lawler, LELWD’s general manager, said if hackers had gained control, they could have poisoned the town’s water supply.
“If you are willing to go after a small water provider in Littleton, Massachusetts, what other target is off the list?” former NSA Director Gen. Tim Haugh told 60 Minutes correspondent Scott Pelley.
As a result of that breach, LELWD enhanced its cyber defenses, including the addition of new monitoring tools from Dragos, Inc., and improved network segmentation.
That brush with cyber infiltration served as the catalyst for LELWD’s leading prevention role in the municipal utility industry.
That commitment to systems security recently earned the utility national recognition.
LELWD received that honor due to its demonstrated leadership in cybersecurity through presentations to its peers at industry events, building strategic public-private partnerships, and sharing hard-earned lessons.
Nick Lawler, LELWD’s general manager, accepted the Community Impact Award for “outstanding achievement in safeguarding civilization” from Dragos, a leading industrial cybersecurity firm, at a Feb. 12 industry event.
The award recognizes LELWD’s exemplary efforts in protecting critical infrastructure and contributing to broader community resilience in the face of cyber threats.
“Cybersecurity stands as a paramount concern in our industry, escalating in significance with each passing day,” said Lawler, a past chairman of the American Public Power Association, a nationwide organization representing municipal power providers.
“Public-private partnerships, such as those with Dragos, support through APPA’s cybersecurity programs, and active participation in information-sharing forums have been instrumental in helping us navigate these challenges, share lessons learned, and protect our community.”
LELWD worked with Dragos, EvoLab Technology Solutions, and the APPA to boost its cybersecurity after that November 2023 cyberattack.
By March 2025, LELWD was able to speak publicly about the incident with a goal of educating other utilities on the risk and the available solutions.
Recently, Lawler presented the lessons learned from LELWD’s experiences at a conference on cybersecurity, offering valuable insights to the assembled experts. The event was organized by the Electricity Subsector Coordinating Council’s Cyber Mutual Assistance Program.
The CMA Program consists of industry cyber experts who provide voluntary emergency assistance to entities in the electric power sector during disruptions.
The conference highlighted the critical role for public-private partnerships and mutual assistance in bolstering cybersecurity for public power utilities.
For example, LELWD has benefited from its collaboration with Dragos, the cybersecurity firm, which has supported the management of operational technology sensors deployed with assistance from the APPA.
In May 2024, when LELWD’s Lawler was chairman-elect, APPA secured a $4 million cooperative agreement from the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, funded by the Rural and Municipal Utility Cybersecurity Program.
This four-year initiative aids small and resource-limited public power utilities in strengthening defenses, enhancing incident response, increasing threat information sharing, and accessing assessments, training, guidebooks, and events.
“Cybersecurity remains front of mind for the public power community, regardless of the size of our member utilities,” said Scott Corwin, president and CEO of APPA. “This agreement with DOE will help bolster the cybersecurity defenses of our members and is the latest example of successful collaboration between APPA, its members and the federal government.”
Fortunately, the hack of that Littleton utility didn’t inflict any bodily harm to its customers; on balance, it actually served as a wake-up call that showed even smalltown municipal entities aren’t immune to crippling cyberattacks.
