Determine whether City officials adequately safeguarded electronic access to the water system.
City officials did not:
- Adequately safeguard the electronic access to the water system.
- Implement a formal process to stay updated on system cybersecurity threats.
- Prevent or monitor public disclosure of information that could jeopardize the water system.
- Provide staff with cybersecurity awareness training.
In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to City officials.
- Establish a process for receiving and assessing system cybersecurity alerts.
- Adopt policies and procedures to better safeguard the water system.
- Prohibit the disclosure of information that can jeopardize the system and monitor for and remove such publicly shared information.
- Provide cybersecurity awareness training to personnel.
- Address the confidentially communicated IT recommendations.
District officials generally agreed with our recommendations and have initiated or indicated they planned to initiate corrective action. Appendix B includes our comment on an issue raised in the District’s response letter.