City of Binghamton - Water System Cybersecurity (2018M-152)

Issued Date
November 30, 2018

[read complete report - pdf]

Audit Objective

Determine whether City officials adequately safeguarded electronic access to the water system.

Key Findings

City officials did not:

  • Adequately safeguard the electronic access to the water system.
  • Implement a formal process to stay updated on system cybersecurity threats.
  • Prevent or monitor public disclosure of information that could jeopardize the water system.
  • Provide staff with cybersecurity awareness training.

In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to City officials.

Key Recommendations

  • Establish a process for receiving and assessing system cybersecurity alerts.
  • Adopt policies and procedures to better safeguard the water system.
  • Prohibit the disclosure of information that can jeopardize the system and monitor for and remove such publicly shared information.
  • Provide cybersecurity awareness training to personnel.
  • Address the confidentially communicated IT recommendations.

District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action. Appendix B includes our comment on an issue raised in the District’s response letter.