City of Middletown - Water System Cybersecurity (2019M-22) | Office of the New York State Comptroller

Issued Date

November 27, 2019

[read complete report - pdf]

Audit Objective

Determine whether City officials adequately safeguarded electronic access to the City’s water system.

Key Findings

Officials did not have adequate policies and procedures to document employee IT security duties, provide guidance for using portable devices or require monitoring of networked water system devices.
Officials did not provide employees with IT security awareness training.

In addition, sensitive information technology (IT) control weaknesses were communicated confidentially to officials.

Key Recommendations

Develop and implement sufficient IT policies and procedures for the water system.
Provide IT security awareness training to City employees at least annually.

City officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.

Background

The City of Middletown (City) is located in Orange County. The City is governed by a Mayor, who is elected every four years, and a nine-member Common Council (Council).

The Council is responsible for providing oversight of City operations. The Mayor is the chief executive officer and is responsible, along with other administrative staff, for the City’s day-to-day administration.

The Department of Public Works Commissioner is responsible for overseeing water operations, including the day-to-day operations of the water system.

Quick Facts
Metered Water Sales	$6.7 million
Water Connections	7,443
Customers	28,400
Potable Water Production - 2017	811.3 million gallons

Audit Period

January 1, 2017 – September 21, 2018. We extended our audit period forward through November 21, 2018 to complete our IT testing.