The state has found the Steamship Authority (SSA) is lacking in protective measures for cyber security.
The Office of the State Auditor announced in a Monday press release that Steamship staff are not properly trained in preventing cyber attacks, among other findings.
According to the release, the audit was prompted by the June 2021 ransomware attack on the SSA that disrupted service.
The audit found the SSA had no “formal, documented cybersecurity awareness training program to ensure all employees complete cybersecurity training.”
Based on this finding, the state audit office recommended that the SSA consider best practices to monitor training, update training content to “ensure relevant information is included,” and follow up in an appropriate timeframe with employees who had not completed the training.
“It is through our audits that meaningful change can happen, especially when an auditee is willing to implement our recommendations to help ensure greater accountability, and reliable policies and procedures, moving forward,” State Auditor Diana DiZoglio said in the release. “Based on the Steamship Authority’s response to our cybersecurity finding, they have acknowledged and agreed with our recommendations to establish and maintain a comprehensive cybersecurity training program that follows best practices. We appreciate the swift action taken by the Steamship Authority to address our concerns on this matter.”
Recently, the SSA brought on board the firm Gibbous to review the ferry service’s information technology (IT) infrastructure. Last December, Thomas Innis from Gibbous showed how the SSA was underinvesting in IT, particularly on older systems.
The audit also reviewed whether the SSA’s Coronavirus Aid, Relief, and Economic Security (CARES) Act funds were being properly documented for expenses in accordance with the Federal Transit Administration and a memorandum of understanding with the Cape Cod Regional Transit Authority. The team concluded the SSA had spent CARES funding in accordance with federal guidelines.
The report also noted that despite the SSA having employee passage and ticket-agency policies in place, the ferry service’s employees did not always follow established policies to issue trip passes to “current, retired, temporary, or seasonal employees and eligible nonemployees.”
Additionally, the report found weaknesses in badge-permitting access to facilities, free rides, the absence of travel logs in most of the facilities, and inconsistency in the information gathered when granting trip passes.
“We appreciate the time and effort the Auditor’s Office took to produce this detailed report, which will aid the Steamship Authority to improve cybersecurity awareness across its operations,” SSA general manager Robert Davis said in a statement. “The Authority has thoroughly reviewed the audit and concurs with its findings. I am pleased that the Auditor’s Office noted that we have properly spent more than $9.8 million in Coronavirus Aid, Relief, and Economic Security funds that were distributed by the federal government. We have already begun to take corrective action on its recommendations for improvement, most notably enhancing the Authority’s cybersecurity preparedness and training programs.”
Updated with a statement from Robert Davis.