Overview
MWRA’s single point of contact (SPOC) did not inform MWRA’s Management Information System (MIS) Department of six out of six contractors’ user access and/or multifactor authentication statuses for its administrative computer network during contract work. Although MWRA’s SPOC had approved these same six contractors for user access and/or remote work, the MIS Department had not approved them for remote access.
As a result, there is a higher-than-acceptable risk that MWRA’s administrative computer network may not be adequately protected from vulnerabilities, which could result in the loss of protected information.
Authoritative Guidance
Policy ADM.31 requires the following human resources security and access control:
This policy applies to all MWRA employees, business partners, and third party users that provide goods and services for MWRA [information technology (IT)] resources or shared environments, including the Supervisory Control and Data Acquisition (SCADA) System, Process Information Control System (PICS), Management Information System (MIS) and associated infrastructure components. . . .
MWRA shall ensure that all of its employees, contractors, and third party users understand their security responsibilities and have the requisite skills and knowledge to perform effectively in the roles they are assigned, and to reduce the risk of unauthorized access, use, or modification of IT resources (theft, fraud or misuse of facilities). . . .
Access Control
MWRA shall use controls for authorized access to information, IT resources, information processing facilities, and business processes on the basis of business and security requirements. Access control rules must take into account existing policies for information dissemination and authorization with consideration for the application of: . . .
- Wireless and remote access controls
- Controlled access and authentication to applications, systems, and networks
MWRA officials told us in an email, dated September 19, 2022, that all SPOCs update the MIS Department on contractors’ user access statuses.
Reasons for Issue
MWRA did not have a formal, written policy that includes monitoring controls and requires SPOCs to notify the MIS Department of contractors’ user access and/or multifactor authentication statuses, including the authority to work remotely.
Recommendation
MWRA should develop a formal, written policy that includes monitoring controls and requires MWRA’s SPOC to notify the MIS Department of contractors’ user access and/or multifactor authentication statuses, including the authority to work remotely. MWRA should also train its employees on how to implement and follow this policy.
Auditee’s Response
Contractors are only given access to the MWRA network if absolutely necessary for the conduct of their contracted scope of work. A new policy specifically addressing Contractors is in draft form, creating more formal processes for initially granting limited access, and terminating that access when it is no longer necessary for the completion of work. When the new policy is approved, all appropriate procurement, engineering and operational staff who oversee contractors will be trained on it to ensure that the appropriate controls are properly implemented for all contracts allowing access to MWRA networks.
It is important to note that no remote access to [MWRA’s supervisory control and data acquisition system] or other water and wastewater control systems is ever permitted. The six contractor staff with access which was not terminated appropriately had been working on heating, ventilation and cooling (HVAC) systems and their access was terminated immediately after it was discovered.
Auditor’s Reply
Based on its response, MWRA is taking measures to address our concerns on this matter.
| Date published: | August 25, 2023 |
|---|---|
