Anti-hacking defences put up by Sydney Trains and Transport for NSW were no match for a simulated cyber attack orchestrated by a government watchdog, a new report reveals.
The “red team” hacking exercise conducted by the NSW Auditor-General revealed “significant weaknesses” in the agencies’ cyber security schemes, the watchdog wrote in the report released on Tuesday.
“Transport for NSW and Sydney Trains are not effectively managing their cyber security risks,” Auditor-General Margaret Crawford wrote in the report.
“Significant weaknesses exist in their cyber security controls, and both agencies have assessed that their cyber risks are unacceptably high.”
The report also notes that few staff members at the agencies have received basic cyber security training and that executives do not receive regular detailed cyber risk briefings.
“As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making,” Ms Crawford wrote.
The test was conducted by allowing “authorised attackers” to try to penetrate the computer systems.
The “red team” also tested the security of some of the train systems’ physical sites that were relevant to cyber security, the report said.
Transport for NSW and Sydney Trains were made aware in advance that the test would occur.
The exercise revealed security holes that the agencies weren’t previously aware of, it was revealed.
The agencies fought to suppress exactly what those weaknesses were because they feared revealing the vulnerabilities could expose them to further attacks.
“TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified,” Ms Crawford wrote in a foreword.
“As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community.
“I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.”
The report also revealed there was resistance from inside the NSW Department of Customer Service to the “red team” method of testing the cyber defences at the transport agencies.
“The Department continues to have some concerns regarding the commissioning of external providers to undertake penetration and red team testing,” department secretary Emma Hogan wrote in a letter included in the report.
“Effective collaboration between all parties on the scope and approach for red team testing would provide a vehicle to identify and address any vulnerabilities whilst safeguarding the very systems and services NSW government entities, such as Transport for NSW in this instance, is working to protect.”
Transport for NSW secretary Rob Sharp wrote in response to the report that the agency welcomed the findings and would commit to strengthen cyber security, including by making training on the subject mandatory for all staff starting this month.
“Cyber security management is a journey of continual improvement against threat actors whose tactics regularly change, and we will continue to respond to this challenge across our systems, our information and the critical operation and customer services we deliver across all modes of transport in NSW,” he wrote.
His response also revealed that the agency’s existing cyber security measures had prevented “a significant number of intrusion attempts”.
The “red team” exercise happened prior to December, when sensitive Transport for NSW documents were stolen as part of a massive ransomware attack and later posted on the dark web along with a ransom note.
Opposition customer service spokeswoman Yasmin Catley said the report showed the government had “failed” in managing cyber risks.
“It is extremely concerning that the Auditor-General’s Office discovered significant potential risks to cyber security that neither Transport for NSW or Sydney Trains were aware of,” she said.
A Transport for NSW spokeswoman the agency and Sydney Trains welcome the Auditor-General’s recommendations.
“Cyber security risk management has long been an important part of Transport for NSW and Sydney Trains’ decision-making and operational readiness, and will continue to inform ongoing investment that will drive enhancements in this area,” the spokeswoman said.
“Since the period assessed by the Auditor-General, there has been measurable uplift in Transport for NSW and Sydney Trains’ cyber maturity, in line with an unprecedented investment in the Transport cluster’s Cyber Defence Portfolio.
“Measures implemented in the past six months include more regular reporting at an executive and whole-of-government level, with cyber security training to be mandatory from July.
“Transport for NSW and Sydney Trains are confident this approach of continuous improvement will be demonstrated by growing cyber security maturity and resilience across one of Australia’s largest and most complex government cluster.”