Town of Queensbury - Water System Cybersecurity (2018M-268) | Office of the New York State Comptroller

Issued Date

March 22, 2019

[read complete report - pdf]

Audit Objective

Determine whether officials adequately safeguard electronic access to the Town’s water system.

Key Findings

Water officials have not implemented comprehensive procedures for managing, limiting, securing and monitoring user access.
Water plant personnel have not been provided with job-specific cybersecurity awareness training.
Water officials did not prevent or monitor public disclosure of information on the Town’s water system.

In addition, sensitive IT control weaknesses were communicated confidentially to Town officials.

Key Recommendations

Implement strong access controls.
Provide cybersecurity awareness training to Water plant employees.
Prohibit the public disclosure of sensitive water system information.

Local officials agreed with our recommendations and indicated they have begun corrective action.

Background

The Town of Queensbury (Town) is located in Warren County.

The Town is governed by an elected Town Board (Board) composed of a Town Supervisor and four Board members. The Board is responsible for the general oversight of operations and finances, including security over the Town’s IT system. The Water Superintendent is responsible for managing the day-to-day operations of the water department.

The Town maintains computer-based systems to control and monitor water flows, levels, pressure and quality characteristics. Officials contract with a third-party vendor to manage the Town’s water system IT components (e.g., computers and network devices). Officials also contract with another third-party vendor to manage the system’s operational technology components.

Quick Facts
Residents	27,900
2018 Water Fund Budget	$4.4 million
Water Customers	9,000
Avg. Daily Potable Water Production	4.5 million gallons

Audit Period

January 1, 2017 - April 11, 2018