Audit of the Massachusetts Water Resources Authority (August 25, 2023)
August 25, 2023 · Massachusetts Water Resources Authority · Read the full official report on mass.gov ↗
source
“Below is a summary of our findings and recommendations, with links to each page listed.”
Read the plain-English breakdown
This is a State Auditor performance audit of the Massachusetts Water Resources Authority for July 1, 2019 through June 30, 2021.
“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Massachusetts Water Resources Authority (MWRA) for the period July 1, 2019 through June 30, 2021.”
Auditors checked whether MWRA followed required plans for cybersecurity, chemical handling, and physical security under federal water infrastructure rules.
“The purpose of this audit was to determine whether MWRA implemented specific areas of its risk and resilience assessment1 and emergency response plan2—certified on March 30, 2020 and September 29, 2020, respectively—in areas of information technology security, chemical delivery, and physical security in accordance with Section 2013 of the America’s Water Infrastructure Act.”
MWRA handles major public water and sewer systems, so weak cybersecurity or access controls could put sensitive systems or information at risk.
“Constant monitoring of systems is essential to keep the Commonwealth’s water clean and safe.”
If you live or work in an MWRA service area, this affects the reliability and safety of water and sewer services you may depend on.
“In Fiscal Year 2021, the systems served approximately 3.1 million people and more than 5,500 businesses. . . .”
The biggest problems were administrative cybersecurity controls: outdated security policy review, unclear contractor access oversight, incomplete training, and delayed access removal.
“No, see Findings 1, 2, 3, and 4”
The Auditor recommended that MWRA tighten policies, train staff, review security rules annually, and remove access quickly when employment or contracts end.
“MWRA should review its ISP annually.”
The audit did not find exceptions in chemical handling or physical security testing, but did find cybersecurity gaps that MWRA said it was working to fix.
“Based on its response, MWRA is taking measures to address our concerns on this matter.”
SCADA is the computer system that collects information from equipment used to help operate water-related systems.
“A SCADA system gathers data from computers, transmitters, and other instruments.”
What the Auditor checked
- Did not comply Did MWRA implement a risk and resilience assessment (RRA) for its administrative computer network and supervisory control and data acquisition (SCADA) system in the areas of authorized employee access that support the monitoring of drinking water and wastewater, as required by Section 2013 of the America’s Water Infrastructure Act (AWIA)?
- Complied Did MWRA implement an RRA as it pertains to the use, storage, delivery, or handling of the six chemicals used to treat water at the John J. Carroll Water Treatment Plant and William A. Brutsch Water Treatment Facility, as required by Section 2013 of the AWIA?
- Complied Did MWRA implement an emergency response plan (ERP) as it pertains to the resilience of physical security at the John J. Carroll Water Treatment Plant, Deer Island Treatment Plant, and Wachusett Reservoir, as required by Section 2013 of the AWIA?
- Complied Did MWRA have physical security measures in place to prevent unauthorized access to its water supply facilities and the Deer Island Treatment Plant?
What the Auditor found
Why it matters: MWRA’s information systems may not be adequately protected from vulnerabilities, which could result in the loss of protected information.
Standard: Policy ADM.31 requires the information security program to be reviewed annually. ( Policy ADM.31 )
2 recommendations
- MWRA should review its ISP annually.agency: agreed
- MWRA should develop and implement internal controls to ensure that it reviews its ISP annually.agency: agreed
Agency response & Auditor reply
Agency: "MWRA internal audit staff will develop and implement the necessary internal controls to ensure that annual reviews of the policy are conducted."
Auditor: "Based on its response, MWRA is taking measures to address our concerns on this matter."
Why it matters: MWRA’s administrative computer network may not be adequately protected from vulnerabilities, which could result in the loss of protected information.
Standard: Policy ADM.31 requires access controls for authorized access to information technology resources, including wireless and remote access controls and controlled authentication. ( Policy ADM.31 )
2 recommendations
- MWRA should develop a formal, written policy that includes monitoring controls and requires MWRA’s SPOC to notify the MIS Department of contractors’ user access and/or multifactor authentication statuses, including the authority to work remotely.agency: agreed
- MWRA should train its employees on how to implement and follow this policy.agency: agreed
Agency response & Auditor reply
Agency: "A new policy specifically addressing Contractors is in draft form, creating more formal processes for initially granting limited access, and terminating that access when it is no longer necessary for the completion of work."
Auditor: "Based on its response, MWRA is taking measures to address our concerns on this matter."
Why it matters: Lack of cybersecurity training may lead to user error and compromise the integrity and security of protected information in MWRA’s administrative computer network.
Standard: Policy ADM.31 requires MWRA to ensure employees, contractors, and third-party users understand their security responsibilities; EOTSS Information Security Risk Management Standard IS.010 requires annual security awareness training as a best practice. ( Policy ADM.31; Section 6.2.4 of the Executive Office of Technology Services and Security’s Information Security Risk Management Standard IS.010 )
2 recommendations
- MWRA should ensure that all its employees and contractors with access to its administrative computer network complete cybersecurity awareness training annually.agency: agreed
- MWRA should implement internal controls to ensure that the employees and contractors complete the training.agency: agreed
Agency response & Auditor reply
Agency: "Supervisors and managers now receive a monthly report of staff that have not completed the required training."
Auditor: "Based on its response, MWRA is taking measures to address our concerns on this matter."
Why it matters: MWRA’s administrative computer network was potentially vulnerable to inappropriate use or misuse by former employees and contractors whose contracts had ended.
Standard: Policy ADM.31 requires controls to reduce unauthorized access, use, or modification of information technology resources; EOTSS Access Management Standard IS.003 provides a 24-business-hour access removal best practice. ( Policy ADM.31; Executive Office of Technology Services and Security’s Access Management Standard IS.003 )
2 recommendations
- MWRA should develop a written policy that includes monitoring controls and a 24–business hour timeframe to ensure that the SPOC informs the MIS Department about MWRA employees whose employment has ended and contractors whose contracts have ended.agency: agreed
- MWRA should train its employees on how to implement and follow this policy.agency: agreed
Agency response & Auditor reply
Agency: "MWRA formalized MWRA Information Security Policy for Access Control – Administrator, ADM.35 on August 25, 2022 that addresses this finding."
Auditor: "Based on its response, MWRA is taking measures to address our concerns on this matter."
More audits of this entity
Other Office of the State Auditor reports on Massachusetts Water Resources Authority .
- Massachusetts Water Resources AuthorityAuthority / Commission · JULY 20, 2000