MIDDLETOWN – The City of Middletown did not have adequate policies and procedures to document employee IT security duties, provide guidance for using portable devices or require monitoring of networked water system devices, according to an audit of the city’s water system cybersecurity conducted by the State Comptroller’s Office.
The audit, conducted for the period January 1, 2017 through September 21, 2018, also found city officials did not provide employees with IT security awareness training.
In addition, sensitive information technology control weaknesses were communicated confidentially to officials.
Auditors recommended the city develop and implement sufficient IT policies and procedures for the water system and provide IT security awareness training to city employees at least annually.
In response to the audit, Middletown Public Works Commissioner Jacob Tawil wrote in an August 28, 2019 letter released by the state that the city has developed an acceptable use policy specific to the water treatment plant's Supervisory Control and Data Acquisition (SCADA) system. “This policy is designed to provide guidance as to the expected interaction with SCADA computers and other networked devices,” Tawil wrote. He said plant employees/operators “have been made aware of the policy and will continue to receive annual training that falls in line with other essential instrumentation found at the plant.”
Tawil said they also “improved the configuration and monitoring of the SCADA equipment to address potential security vulnerabilities that were exposed during the cybersecurity audit.”