In the cybersecurity landscape, a common myth continues to threaten operational technology (OT) environments: “Our network is too small to be a target.” This belief, though seemingly reasonable, is dangerously outdated and disconnected from today’s threat landscape. Whether it’s a municipal water utility, a rural manufacturing plant, or a remote energy substation, no OT network is too small for adversaries to overlook.
This blog will dispel the myth through technical analysis, case studies, and an overview of modern attack techniques. Automated, opportunistic, and occasionally indiscriminate attacks often affect even the smallest OT environments. We’ll also explore how small OT networks are compromised and provide practical steps to mitigate these risks.
The Modern Threat Landscape
Opportunistic Attacks Are Now the Norm
Modern attackers, both criminal and nation-state, rarely conduct manual reconnaissance for every target. Instead, they deploy automated tools and mass vulnerability scanners that probe the Internet for exploitable systems. Once a target is found, even if small or obscure, it’s either:
- Compromised immediately through automated exploits.
- Logged for later human exploitation.
- Sold on underground markets to third-party threat actors for further reconnaissance and exploitation.
The 2021 Colonial Pipeline ransomware attack started with a single compromised VPN account, not an extensive, targeted campaign. If big organizations can be breached through a small entry point, the same applies to small networks: they can be hacked using automation, no matter their size.
The Rise of OT Malware
Tools like Industroyer2, TRITON, and Incontroller show increasing sophistication and modular design, allowing attackers to create OT-focused payloads that are more flexible. Some recent malware variants include built-in modules for Modbus, OPC, DNP3, and other common OT protocols, so attackers no longer need custom reconnaissance to target operational systems.
Attackers don’t need to know who you are, just that you run a vulnerable HMI or RTU.
Why Small OT Networks Are Attractive
Lack of Security Hygiene
Organizations operating smaller OT networks frequently lack:
- Dedicated cybersecurity staff
- Regular cadence for applying patches and updates
- Network segmentation
- Continuous monitoring or logging
This makes them low-hanging fruit. Attackers routinely compromise small OT networks because the probability of success is higher, and the risk of detection is lower.
Supply Chain and Pivot Points
Attackers often exploit smaller networks not for direct value, but as stepping stones to larger environments. For instance:
- A small OEM facility may interface with a global manufacturing partner.
- A small SCADA vendor might have VPN access to multiple utility clients.
- A third-party contractor may manage remote substations across various jurisdictions.
In a hyperconnected OT ecosystem, the size of your network is irrelevant if it provides a pathway to a larger prize.
Real-World Incidents Involving Small OT Environments
- Rural Hospitals (2020–2022): Several ransomware groups targeted healthcare providers like Ridgeview Medical Center and Memorial Health System, which had limited IT and OT resources. Disruptions affected medical gas systems, HVAC, and other OT assets.
- Agricultural Cooperatives (2021): Multiple co-ops in the U.S. were hit with ransomware, causing downtime during critical harvesting seasons. Small OT networks controlling grain elevators or processing lines were affected.
Technical Pathways to Compromise
Remote Access Weaknesses
Small OT networks frequently rely on:
- Exposed RDP, VNC, or TeamViewer interfaces.
- Static credentials or default passwords.
- VPN appliances with outdated firmware.
In recent years, Shodan and Censys have revealed thousands of exposed industrial control interfaces, many without proper authentication or TLS. Below is an example of Shodan displaying hosts that are exposed.

Mitigation:
- Use MFA and robust authentication for all remote access.
- Log and monitor remote sessions.
- Disable unused remote tools, especially after hours.
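The three mitigations above can be checked against whatever remote-session log the site already keeps. The following is an added example, not part of the original article: the key=value log format, the approved-tool list, the maintenance window, and all user and host names are assumptions, and the log lines are constructed sample data.

```python
from datetime import datetime, time

# Assumed site policy (hypothetical values): approved tools and the maintenance window.
APPROVED_TOOLS = {"RDP"}              # VNC and TeamViewer are meant to be disabled
WINDOW = (time(6, 0), time(18, 0))    # remote work expected 06:00-18:00 local time

# Constructed sample log in an assumed key=value format from a jump host.
LOG = """\
2024-03-04T09:12:44 user=eng_kim src=198.51.100.7 tool=RDP mfa=yes dst=hmi-01
2024-03-05T02:31:09 user=vendor_a src=203.0.113.8 tool=RDP mfa=yes dst=hmi-01
2024-03-05T14:02:51 user=vendor_a src=203.0.113.8 tool=TeamViewer mfa=no dst=eng-ws-02
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, dict of fields)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), fields

def review(line):
    """Return the list of policy findings for one remote-session record."""
    when, f = parse_line(line)
    findings = []
    if f.get("mfa") != "yes":
        findings.append("no MFA")
    if f.get("tool") not in APPROVED_TOOLS:
        findings.append(f"unapproved tool {f.get('tool')}")
    if not (WINDOW[0] <= when.time() < WINDOW[1]):
        findings.append("outside maintenance window")
    return findings

def review_log(text):
    """Map each flagged (user, dst, timestamp) to its findings; clean sessions are omitted."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            found = review(line)
            if found:
                when, f = parse_line(line)
                report[(f["user"], f["dst"], when.isoformat())] = found
    return report

for key, found in review_log(LOG).items():
    print(key, found)
```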
Flat Network Architecture
Without VLANs or network segmentation, once an attacker breaches the IT-OT boundary (or even just an engineering workstation), they often have unrestricted access to:
- PLCs
- HMIs
- SCADA servers
- Historian databases
In some cases, attackers can send destructive Modbus/TCP or DNP3 commands directly, with no authentication required.
Mitigation:
- Implement network segmentation (e.g., Purdue Model tiers).
- Restrict communication to authorized hosts only.
- Use firewalls that understand OT protocols.
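Because Modbus/TCP carries no authentication, the only control is who is allowed to reach the PLC and with which function codes. The following added example (not from the original article) shows the check a protocol-aware firewall or passive monitor applies: it parses the Modbus/TCP header and compares source and function code against a per-PLC allowlist. The addresses, the policy table, and the sample frames are constructed assumptions.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumed policy: which sources may read from each PLC, and which may also write.
POLICY = {"10.10.1.20": {"read": {"10.10.2.5", "10.10.2.6"}, "write": {"10.10.2.5"}}}

def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code), or None if the MBAP header is inconsistent.

    Protocol id must be 0; the length field counts the unit id plus the PDU.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

def check_request(src, dst, payload):
    """Return 'allow', or the reason the observed request is flagged."""
    rule = POLICY.get(dst)
    if rule is None:
        return "flag: destination not in asset inventory"
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return "flag: malformed Modbus/TCP frame"
    _unit, fc = parsed
    if fc in WRITE_FUNCTIONS:
        if src not in rule["write"]:
            return f"flag: {WRITE_FUNCTIONS[fc]} from unauthorized host {src}"
    elif src not in rule["read"]:
        return f"flag: read from unauthorized host {src}"
    return "allow"

def frame(fc, data, unit=1, tid=1):
    """Build a constructed sample request (never sent anywhere)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: (source, destination, request bytes).
SAMPLES = [
    ("10.10.2.5", "10.10.1.20", frame(3, struct.pack(">HH", 0, 10))),    # HMI read
    ("10.10.2.6", "10.10.1.20", frame(6, struct.pack(">HH", 40, 999))),  # read-only host writes
    ("10.10.9.77", "10.10.1.20", frame(5, struct.pack(">HH", 1, 0xFF00))),  # unknown host
]
for src, dst, req in SAMPLES:
    print(src, "->", dst, check_request(src, dst, req))
```

The second sample is the case flat networks miss: a host that legitimately reads from the PLC is still flagged when it issues a write.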
Legacy and Unsupported Assets
Many small networks still run:
- Windows XP or 7-based HMIs.
- Unpatched Linux systems.
- Embedded systems with hardcoded credentials.
Vulnerabilities like EternalBlue, BlueKeep, or Shellshock remain viable in these environments. Even known CVEs from 10+ years ago still plague small networks.
Mitigation:
- Apply virtual patching via firewalls or intrusion prevention systems.
- Isolate legacy systems.
- Use host-based protections where patching is impossible.
Attacker Motivations in Small OT Networks
While large industrial enterprises often dominate cybersecurity headlines, smaller OT networks are far from immune. In fact, their limited resources, outdated infrastructure, and lack of mature defenses can make them even more appealing targets. Understanding the motivations behind these attacks is critical to building adequate defenses.
The most visible driver is financial extortion, where ransomware operators and Ransomware-as-a-Service (RaaS) affiliates exploit the urgency of time-sensitive OT processes to force quick payouts.
Beyond profit, some actors are motivated by ideological or hacktivist goals, using small but symbolic OT environments to draw attention to their causes. These attacks may be relatively low-cost to launch, yet they can create disproportionate visibility and disruption.
Finally, small OT networks can also serve as quiet entry points for espionage and surveillance operations. By compromising less-defended suppliers, contractors, or utilities, advanced actors can establish persistence, gather intelligence, and eventually pivot into larger and more strategic targets.
Financial Extortion
Ransomware-as-a-Service (RaaS) actors increasingly target small OT sites because:
1. Smaller Facilities Are Easier, High-ROI Targets
- Rural hospitals and smaller healthcare providers are especially attractive targets because attackers need less technical skill and expect quicker payouts. Analysts describe these as “an easier payday” for ransomware actors, even when the demanded amounts aren’t necessarily large, because the return on investment remains high.
- Many of these facilities operate on tight budgets and often can’t absorb prolonged downtime or afford robust cybersecurity infrastructure.
2. Lack of Adequate Backups Makes Quick Payment More Likely
- A large-scale study found that ransomware attacks on U.S. healthcare organizations caused on average 17 days of downtime, costing roughly $1.9 million per organization per day. The total downtime costs across all incidents from 2018 to 2024 reached around $21.9 billion.
- This enormous financial burden incentivizes small OT operators to pay quickly if backups are insufficient or non-existent.
3. OT Environments Are Especially Time-Sensitive
- In several cases, rural hospitals struck by ransomware had to operate under severe constraints. For example, when Sky Lakes Medical Center (a small 90-bed rural hospital in Oregon) refused to pay, it experienced a 28-day network outage. It had to repair or replace 2,500 computers, severely disrupting operations.
4. OT Systems, Like Water Treatment and SCADA, Are Often Vulnerable
- Critical infrastructure, such as water and wastewater treatment facilities, has been repeatedly targeted. A joint advisory issued by U.S. agencies (FBI, NSA, CISA, EPA) detailed multiple ransomware incidents in 2021 against facilities in Nevada, Maine, and California, where SCADA systems and backup systems were impacted.
- These small OT sites are often configured with remote access tools for maintenance, but lack proper segmentation or firewalls, making them low-hanging fruit for attackers.
Ideological and Hacktivist Goals
Hacktivist groups might target small, symbolic OT infrastructure to make an impact. The Iranian attack on the Bowman Avenue Dam, a small flood-control dam in New York, is a good example. The attackers probably thought they were targeting something larger because the dam shared a name with the Arthur Bowman Dam in Oregon, a (much) larger facility. The cost for the attackers is low, while the visibility can be worldwide.
Espionage and Surveillance
Small OT networks in defense subcontractors or utilities may be targeted to:
- Establish persistent access.
- Map supply chains.
- Pivot to larger networks.
These efforts often go undetected for years due to the lack of centralized logging or monitoring.
Defending the Small OT Network
If small OT networks are attractive targets, they must also become resilient defenders. The challenge, however, is that most of these environments operate with tight budgets, small teams, and limited time for cybersecurity. Despite these constraints, practical and achievable steps can significantly reduce risks.
Threat Modeling for Small Environments
The first step is threat modeling, which small operators often overlook. Even a simple approach, identifying assets, potential attackers, and possible vulnerabilities, can guide more informed investment and defense decisions. Tools like MITRE ATT&CK for ICS and the CISA “Cybersecurity Performance Goals (CPGs)” make this process more accessible than ever.
A common mistake is assuming only large enterprises need formal threat models. However, even a lightweight threat model can help small OT operators understand:
- What they have (asset inventory).
- Who might want to attack them.
- What could go wrong.
- Where to place defenses.
Tools like MITRE ATT&CK for ICS and the CISA CPGs provide actionable starting points.
Cost-Effective Security Measures
Once risks are understood, the next priority is implementing cost-effective security measures. Small networks may not be able to afford enterprise-grade security stacks, but simple tools can provide strong protection and a good ROI without exceeding budgets.
Some examples of good cost-effective measures are:
- Read-only network taps plus basic logging.
- Allowlisting software on HMIs and workstations.
- USB lockdown tools to prevent portable media infection.
- Offline backups that are stored physically disconnected from the network.
- Managed detection and response (MDR) services tailored for OT to provide expertise small organizations may lack.
Workforce and Culture
Finally, technology alone isn’t enough; workforce and culture are crucial. In many small OT environments, a few engineers juggle multiple responsibilities, so cybersecurity often takes a back seat. Embedding basic cyber hygiene training, maintaining simple incident response plans, and regularly reviewing vendor access can shift the culture toward security without overwhelming already stretched teams.
Shifting the culture toward addressing cybersecurity challenges without overwhelming already stretched teams begins with:
- Cyber hygiene training for plant personnel.
- Basic incident response playbooks, even if it’s a one-pager.
- Vendor and contractor access audits to limit exposure.
Size Doesn’t Equal Safety
The belief that “a small OT network won’t be targeted” is not only outdated, but also actively harmful. Today’s threat actors do not discriminate based on size. They exploit exposed services, obsolete systems, and weak defenses. And too often, they succeed.
Operational Technology, regardless of scope or budget, underpins physical processes that can impact safety, the environment, and critical services. That makes all OT networks high-value targets from a cybersecurity standpoint.
Your network isn’t too small to matter and it’s too important to ignore.
At Enaxy, we help organizations of every size strengthen their OT defenses. From assessing vulnerabilities and hardening small-scale networks to building scalable security programs, our experts ensure that even the leanest OT environments are resilient against modern cyber threats.
Don’t wait until your network is targeted. Connect with us at info@enaxy.com to secure your OT systems today.