When the federal cavalry pulls back, your city is the front line.
CISA just told critical infrastructure organizations to plan for cyber outages and disconnect from third-party networks. Their staff is down by a third. Their partnerships are at a standstill. Cities, water utilities, and public services are now the last line of defense, and most of them know it.
The agency that was supposed to help just admitted it can't.
On May 5, 2026, the Cybersecurity and Infrastructure Security Agency issued new emergency guidance under its CI Fortify initiative. Buried in the language is a quiet admission: federal cyber support for cities is shrinking, and local governments need to prepare to operate alone.
Resilience comes from continuously enforcing who and what can access critical systems, containing nefarious actors, and preventing threats from spreading so operations can continue safely.
Industry response to CISA's CI Fortify guidance · Federal News Network, May 2026
It is not "data." It is the city itself.
When a vendor pitches "data protection," city managers nod politely. When the dispatch console goes dark on a Friday night, nobody nods. These are the systems that ransomware and nation-state actors are paying attention to right now.
911 dispatch and CAD systems
Computer-aided dispatch software running on aging hardware, often unsegmented from the office network. One ransomware infection means officers on the radio with no incident history.
Life-safety risk
Water, sewer, and SCADA
Industrial control systems that the EPA and CISA have repeatedly called the soft underbelly of American infrastructure. Foreign state actors have already breached small U.S. water authorities.
CISA priority
Traffic signals and transit
Connected traffic systems and bus or transit networks ride on the same backbone as everything else. A cyber event becomes a physical one in minutes.
Cascade risk
Court records and police data
CJIS-protected data, body-cam footage, evidence chains, and case files. A breach here ends prosecutions and triggers state and federal compliance penalties.
Legal exposure
Payroll, finance, and procurement
Wire fraud, vendor impersonation, and ransomware that holds the general ledger hostage. The kind of attack that ends a city manager's career in a single news cycle.
Financial risk
PII, utility billing, and portals
Resident SSNs, utility account data, payment portals, and permit records. State breach notification laws turn one mistake into months of legal and PR pain.
Notification trigger
The gaps every "we have an IT guy" city has in common.
After a decade and a half of municipal incidents, the failure points are remarkably consistent. None of them are sophisticated. All of them are fixable. Almost none of them get caught by the firewall the city already paid for.
No network segmentation
Operational technology like water SCADA, traffic signals, and HVAC sits on the same flat network as the office where finance opens email attachments. One phish takes down both.
Backups on the production domain
Backup servers joined to the same Active Directory as everything else. Ransomware encrypts the backups too. Recovery becomes "we paid the ransom or we built it from scratch."
Vendor remote access nobody audits
The HVAC company, the elevator vendor, the utility meter contractor, the records management firm. Each with a VPN or a remote tool sitting on the network, often shared credentials, often dormant.
Email is wide open
No DMARC enforcement, no SPF, no DKIM. The mayor and city manager get impersonated on day one. Wire-fraud emails to the finance team sail through every filter.
No tabletop, no playbook
Nobody has rehearsed who gets called at 6 p.m. on a Friday when payroll is encrypted. Insurance, legal, comms, council, FBI field office, state cyber liaison. The list does not exist.
MFA only where it's easy
Office 365 has it. The VPN does. The 22-year-old finance app, the GIS server, the water billing portal, and the legacy domain admin account do not. Attackers find the one that does not, every time.
End-of-life systems running 911
Dispatch software on operating systems Microsoft stopped patching three to seven years ago. The vendor will not certify anything newer. Replacement is a five-year capital project. The city runs on a prayer.
Insurance assumes you have controls you do not
Cyber insurance carriers now deny claims when MFA, EDR, segmentation, and offline backups are not in place. Cities discover the gap on the day they file the claim.
It already happened. It will happen again.
A short selection of municipal and public-sector ransomware events that are publicly documented. Each one started with a phish, a stolen credential, or an exposed remote service. Each one was preventable. Figures cited are from the affected cities' own reports and major news outlets.
SamSam ransomware shuts down city services
Court records went offline. Online utility payments halted. Police lost a decade of dash-cam recordings, permanently. The City Attorney's office lost all but six of its 77 computers. Total recovery and rebuild costs reached approximately $17 million, against an initial ransom demand of about $51,000 in Bitcoin.
Reported impact: ~$17M
RobbinHood ransomware paralyzes city hall
Email, water billing, real estate transactions, and parking enforcement all went dark. Mayor Bernard Young refused the 13 BTC ransom (~$76,000). The city's reported recovery and lost-revenue costs reached $18.2 million, and full service restoration stretched into September.
Reported impact: ~$18.2M
IRGC-linked actors breach a small water utility
The CyberAv3ngers group, later sanctioned by the U.S. Treasury and tied to Iran's Islamic Revolutionary Guard Corps, exploited an internet-exposed Unitronics PLC at a municipal water authority. The system was disabled and the water supply was not affected, but CISA and the FBI issued urgent advisories. The lesson is unambiguous: foreign state actors are explicitly hunting small American utilities with thin IT staff.
Operational impact: State-actor ICS compromise
Royal ransomware hits Texas's third-largest city
The Royal group sat in Dallas's network for roughly four weeks before encryption began at 2 a.m. on May 3. Public-safety dispatch was degraded, jury trials were canceled, and personal data on more than 30,000 individuals was exposed. The Dallas City Council approved an $8.5 million budget for mitigation, recovery, and identity protection services.
Reported impact: $8.5M / 30,253 affected
Rhysida ransomware exposes 500,000 residents
An attempted breach disclosed by city leadership turned into a public dispute over how much data had been exfiltrated. Rhysida posted approximately 3 TB of stolen city files when the ransom went unpaid. The city ultimately notified 500,000 individuals and offered free credit monitoring to every Columbus resident. Multiple lawsuits and a class action followed. The reputational cost is still unfolding.
Reported impact: 500,000 residents notified
Four products. We build it. You run it.
OneCyberShield does not replace your IT department. We are the hardware and software layer that protects your city's infrastructure and data, deployed by the people who already run your network. Built around municipal procurement cycles, the regulatory frameworks that govern public data, and the specific failure modes of public-sector IT.
Network Defense
Next-generation firewall appliances and intrusion-prevention systems that segment your network, isolate operational technology from the office side, and block known threats at the perimeter. Sits behind your existing network gear without rip-and-replace.
- Next-generation firewall appliances
- Intrusion prevention and detection
- IT and OT network segmentation
- Secure vendor remote access
Endpoint Protection
Lightweight software agents that protect every workstation, laptop, server, and dispatch console. Detects and stops ransomware, exploit chains, and credential theft before lateral movement begins.
- Anti-ransomware with behavioral detection
- Endpoint detection and response (EDR)
- Application allow-listing for critical systems
- Automated threat containment
Immutable Backup & Recovery
Air-gapped storage hardware that ransomware cannot reach. When everything else fails, this is the system that gets the city back online without paying anyone.
- Immutable backup appliances
- Air-gapped storage architecture
- Automated recovery testing
- Retention aligned to CJIS, HIPAA, IRS Pub 1075
Threat Intelligence & SOC Platform
A 24/7 monitoring platform that gives your IT team visibility across the full OneCyberShield stack from a single dashboard. Real-time alerts, integrated threat intel, and automated playbooks so the right action happens at 3 a.m. without anyone needing to be awake.
- Real-time threat dashboard
- Automated alerting and playbooks
- Integrated threat intelligence feeds
- Audit-ready logging for compliance
We helped build the internet. Now we're protecting it.
35+ years across telecom infrastructure, enterprise cybersecurity, and command-and-control architecture used in mission-critical environments. AOS Corp, the operating entity behind OneCyberShield, was established in 2008. We are not adapting into this space. We have been here.
Dr. James E. Hrubes, Ph.D.
Daniel Gelman
We protect the cities that protect everyone else.
Most cyber companies sell to the Fortune 500 and call it a day. Cities, counties, water districts, and small public utilities get the leftovers, the templates, the junior staff.
OneCyberShield was built on a simple thesis. The federal government has openly told municipalities to plan for the day when help is not coming. State governments are stretched thin. Insurance is getting harder, not easier. The vendors that protect a regional bank do not understand a city manager's calendar, a public-records request, or a fire chief's radio.
We do this work because the consequences of getting it wrong are not abstract. They show up at a council meeting, on the front page of the local paper, and in a 911 dispatcher's headset. Our job is to make sure none of those things happen on your watch.
If you run a city, a county, a special district, or a small public utility anywhere in the United States, we want to talk to you. The first conversation is free, plain English, and on your schedule.
Tell us what you run. We'll tell you what's exposed.
No sales pitch on the first call. We will ask a handful of focused questions, share what is publicly visible about your environment from outside, and let you decide whether OneCyberShield is the right fit for your environment.
Coverage
Nationwide. Cities, counties, special districts, and small public utilities throughout the United States.
Response Window
One business day for routine inquiries. Active incidents are escalated immediately on submission.
Confidentiality
Every inquiry is treated as confidential. We do not publish client names, ever, regardless of engagement outcome.