How Exposure Management Can Efficiently and Effectively Improve Cyber Resilience for State and Local Governments

State and local governments must grapple with resource constraints even as they face increased demand for cybersecurity vigilance to protect critical infrastructure and essential services. Here’s how exposure management can help.
State and local governments play a crucial role in the daily lives of communities, including managing the critical infrastructure we rely on every day, such as water systems, transportation networks, power grids, and emergency services. These institutions are on the front lines of delivering and safeguarding these essential services. A successful cyber attack on even a small municipality can disrupt daily operations, compromise sensitive data and threaten public safety.
As digital threats grow more advanced and persistent, protecting state and local systems is no longer just a technical issue; it is a fundamental part of securing the nation’s most vital functions. To address this growing challenge, state and local governments need comprehensive statewide cybersecurity strategies aligned with recognized cybersecurity best practices and standards, sustainable funding and coordinated support to defend against ever-evolving threats.
Cyber threats against state and local governments
As frontline operators of critical infrastructure, state and local governments face an increasingly complex and evolving cyber threat landscape. For example, in 2023, Volt Typhoon, a state-sponsored threat actor backed by the People’s Republic of China (PRC), launched a prolonged cyber attack against the Littleton Electric Light and Water Departments (LELWD) in Massachusetts. This marked the first known strike on a U.S. power utility by the group. The group targeted the utility’s operational technology (OT) infrastructure in an attempt to exfiltrate sensitive data. While LELWD was able to detect and contain the breach, the incident underscored the increasing sophistication of nation-state cyber threats and the serious risks they pose to essential services. This attack was not an isolated incident but part of a broader pattern of cyber espionage and disruption orchestrated by Volt Typhoon, which continues to target U.S. critical infrastructure.
Additionally, in July 2024, the City of Columbus, Ohio, experienced a significant ransomware attack attributed to the Rhysida group, a foreign threat actor. This breach compromised the personal and financial data of 500,000 residents, including Social Security numbers, bank account details, and other sensitive information. The incident disrupted city services and prompted the city to offer two years of free credit monitoring to affected individuals.
In February 2023, the City of Oakland, California, suffered a ransomware attack by the Play group, which disrupted essential city services and exposed sensitive personnel records, including those of police officers and firefighters. The breach prompted a state of emergency and raised serious concerns about the city's cybersecurity preparedness.
These incidents are part of a broader and accelerating pattern of cyberattacks targeting municipal governments, highlighting the urgent need for enhanced cybersecurity measures at the local level.
“This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments,” wrote Mark Weatherford, former Deputy Undersecretary for Cybersecurity, U.S. Department of Homeland Security, in a guest blog post for Tenable in November 2024. “Since U.S. critical infrastructure is owned and operated by both public sector and private sector organizations, the threat is a concern for government agencies as well as corporate enterprises.”
In March, the Office of the Director of National Intelligence (ODNI) released its Annual Threat Assessment of the U.S. Intelligence Community, referencing Volt Typhoon and other nation-state cyber threats against critical infrastructure, reinforcing the need for heightened vigilance at the state and local levels.
Achieving efficiency through state and local preparedness: Executive Order 14239
On March 19, 2025, President Trump released Executive Order (EO) 14239: Achieving Efficiency Through State and Local Preparedness. The goal of the EO is to improve national disaster preparedness and resilience by empowering state and local governments to take a leading role in securing critical infrastructure, including from cyber attacks, while also streamlining and modernizing federal policies to support them more effectively.
The order also emphasizes a shift from a broad "all-hazards" approach to a risk-informed strategy, encourages smarter investments in infrastructure, and calls for the creation of a National Resilience Strategy and a National Risk Register.
While we await guidance and implementation details for Executive Order 14239 on how state and local governments should take a more active role in cyber attack preparedness, there are proactive steps that can be taken now. These include conducting regular risk assessments, adopting basic cyber hygiene practices and implementing a proactive exposure management strategy. By taking action now, even amid uncertainty, state and local entities can begin building the foundation for a more resilient and secure infrastructure.
Closing the gap: State and local governments need resources to strengthen their cybersecurity posture
Despite being on the front lines of managing critical infrastructure, many state and local governments face significant challenges, including limited resources and legacy infrastructure, making it difficult to detect and respond to cyber threats.
As state and local governments take on more responsibility for national disaster preparedness and resilience, including protection against cyber attacks, support from programs like the State and Local Cybersecurity Grant Program (SLCGP) is more vital than ever. SLCGP provides funding to help state, local, tribal and territorial governments develop and implement effective cybersecurity strategies. By funding key initiatives such as multi-factor authentication, vulnerability management and threat prioritization, SLCGP plays a vital role in strengthening the cybersecurity posture of these governments.
In my testimony before the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee in April, I emphasized the need to continue the SLCGP program and the importance of adopting an exposure management strategy to tackle these threats. During the April 1 hearing, “Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program,” I provided analysis on threats facing state and local governments, the impact of SLCGP, improvements that could be made to the program, and how a risk-informed approach is needed to protect state infrastructure, including critical infrastructure, from cyber attacks.
What is exposure management and how can it help your agency?
Exposure management is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and supports a more strategic risk-informed approach to cybersecurity, continuously assessing the accessibility, exploitability and criticality of all digital assets, including the operational technology used in critical infrastructure. By implementing an exposure management strategy, state and local governments will be better equipped to secure their environments in the face of constant cyber threats and campaigns from nation-state attackers. This proactive approach helps state and local governments improve operational efficiency, reduce costs, protect against emerging threats and ensure that critical systems and services remain secure and uninterrupted.
An exposure management strategy relies on a technology platform that enables the discovery and aggregation of asset data across your entire external and internal attack surface. Seemingly elusive assets in cloud, IT, operational technology (OT), internet of things (IoT), identities and applications will show up in a holistic view of the attack surface. An exposure management platform will detect the three preventable forms of risk attackers use to gain initial access and move laterally: vulnerabilities, misconfigurations and excessive privileges. The platform will aggregate findings by asset then normalize them to calculate an overall risk score that enables security teams to quickly identify the assets that pose the greatest potential risk to your organization. An exposure management platform shares the detailed asset, identity and risk relationship information it discovers and maintains in its asset inventory. You’ll be able to see high-risk assets and, more importantly, you’ll be able to see all related attack paths that lead to that asset.
Here are three ways the Tenable One Exposure Management Platform can help your agency:
State and local governments are under pressure to improve efficiency, reduce costs and do more with less, while securing essential systems against cyber attacks. Tenable One enables you to take a proactive, risk-informed approach, prioritizing the most critical cyber risks to avoid costly incidents and keep services running. Here are three ways the Tenable One Exposure Management Platform can help.
- Protect critical infrastructure. Tenable One provides complete visibility into both your IT and OT environments so your agency can protect essential systems like water, energy, and transportation. From real-time threat detection to prioritized remediation, Tenable helps your security team quickly identify and respond to risks before they disrupt public services or compromise safety.
- Increase efficiency and effectiveness. Tenable One helps your team work smarter by unifying visibility across your entire environment, including cloud, on-prem, identity and OT/IoT systems, eliminating silos and reducing manual effort. With automated asset discovery, risk-based prioritization and machine learning-driven insights, your team can cut through the noise, focus on what matters most and proactively reduce the attack surface.
- Reduce costs. With Tenable One, you can consolidate security tools into a single platform, cutting down on unnecessary spending and complexity. By proactively identifying and closing high-risk exposures, you can mitigate the financial and operational consequences of data breaches, system outages and compliance violations.
For more information on how Tenable One can help state and local governments:
Watch our on-demand webinar How State and Local Governments Can Boost Cyber Resilience with Exposure Management