Improvements to critical infrastructure, other work highlighted in cybersecurity reports

Ongoing work in Washington to ensure the cybersecurity of state agencies and local governments led to significant improvements. It even persuaded a national technology vendor to make adjustments that will improve the security for critical infrastructure across the country.  

Those are some of the takeaways from a presentation by the Office of the Washington State Auditor on its cybersecurity work over the past fiscal year. Cybersecurity auditors outlined their work for lawmakers at a hearing of the I-900 subcommittee of the Joint Legislative Audit and Review Committee on Wednesday.  

For more than a decade, the State Auditor’s Office has conducted audits of cybersecurity practices at state agencies and local governments, probing their systems for weaknesses through testing and comparing their practices to standards set by leading industry organizations such as the Center for Internet Security. Because details of any vulnerabilities could be exploited by attackers, auditors provide their findings directly to agency management, and make only general information public. 

Themes from the Office’s 59 cybersecurity audits over the past year are summarized in reports on state agency work (PDF) and reviews of local governments (PDF), respectively. Speaking with lawmakers this week, cybersecurity auditors noted results of two newer types of reviews: ransomware resiliency and critical infrastructure. 

Responding to federal concerns about cyberattacks targeting critical infrastructure, the Office has focused on local governments providing services such as water, wastewater and health care. Audits include testing to identify external vulnerabilities and comparing a government’s practices to recommendations from the federal Cybersecurity and Infrastructure Security Agency. 

The Office conducted audits of 39 local governments providing critical infrastructure. The work identified a recurring risk that a leading IT systems vendor addressed, a step that will improve the security of its customers nationwide. Federal agencies later issued a statement stressing the same issue and advising the same improvements. 

You can watch the presentation online here: Video of SAO's Cybersecurity Update Fiscal Year 2025. 

“It’s fair to say that cybersecurity audits help protect our communities in essential ways,” said State Auditor Pat McCarthy. “Working together with our colleagues in local governments and state agencies, we are helping to make the technology systems that Washingtonians rely on every day more secure.” 

You may view our report below by clicking through the forward and back arrows on the right edge of each page.