Penetration tests of water and other critical services identified urgent flaws; vendor fixes prompted national advisory
Get AI-powered insights, summaries, and transcripts
Subscribe
Summary
The State Auditor's Office completed 39 critical-infrastructure audits, concentrated on water and sewer providers, finding over 260 vulnerabilities; auditors said engagement with a vendor led to improved security for customers nationwide and a joint EPA/CISA advisory.
The State Auditor's Office told the Joint Legislative Audit and Review Committee that it completed 39 critical-infrastructure cybersecurity audits in fiscal 2025, focusing largely on water and sewer providers and other entities that deliver essential services. The SAO said penetration testing across those audits identified over 260 vulnerabilities, with a little more than 10% marked critical or high. "This year, we completed a total of 39 critical infrastructure audits, for governments that provide water and sewer services," said Quinn Peralta, an IT security assistant audit manager at the State Auditor's Office. Auditors described the audits as narrowly scoped and externally focused: each audited government received an external penetration test and an interview with SAO IT specialists to probe controls around critical-service systems. Quinn said auditors intentionally assessed what an actor on the public internet could reach to surface "low-hanging fruit" that might make a government more attractive to attack. The audits targeted larger water providers identified in collaboration with the Department of Health. In one instance, SAO penetration testing uncovered an issue in a vendor application used to monitor and control water-technology components. Quinn said auditors engaged the vendor; the vendor then reported substantial security improvements for all customers of that platform. The SAO presentation noted that the vendor's subsequent changes were highlighted in a joint advisory issued by the Environmental Protection Agency and the Cybersecurity and Infrastructure Security Agency the following week. "As a result of the penetration testing that we were able to do, the vendor then reported a significant improvement to the IT security, for all customers using that platform," Quinn said. Auditors and WaTech officials said the critical-infrastructure audits can produce local-to-national benefits when shared vulnerabilities involve widely used vendor products. The SAO emphasized that detailed technical results and vendor-specific findings are shared confidentially with affected entities and, where appropriate, with federal partners that coordinate advisories. The SAO said the critical-infrastructure work will continue to prioritize water and similar services identified as federal priorities.