The NSW government is facing a cyber security crisis with the Auditor-General this week slamming the transport department for failing to fix security vulnerabilities found more than six months ago.
In a report handed down this week, the state Auditor-General, Margaret Crawford, said Transport for NSW and Sydney Trains had “significant weaknesses in their cyber security controls” and cyber risks were “unacceptably high”.
Among the issues identified were low levels of cyber security training for staff, an inability to meet the Essential Eight targets – which is not uncommon in Australian governments – and agency executives not being adequately briefed about cyber security risks and mitigations.
Most alarming is the apparent lack of urgency from the state’s transport bodies, especially given that 250GB of private Transport for NSW data was dumped on the dark web earlier this year, with departments squashing parts of the report that mentioned unremedied security flaws.
As part of the audit, Transport for NSW and Sydney Trains were part of a red teaming exercise to test the effectiveness of their security in a live scenario.
Penetration testers found security vulnerabilities during the exercise and the agencies were notified in December last year when the Auditor-General filed its report.
“In the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified,” Crawford said.
“As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community.
“It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.”
Emma Hogan, secretary of the state’s Department of Customer Service, took issue with the red team exercise conducted as part of the audit and recognised there was “still much work to be done” around cyber security.
“The Department continues to have some concerns regarding the commissioning of external providers to undertake penetration and red team testing,” Hogan said in a letter responding to the audit report.
“Effective collaboration between all parties on the scope and approach for red team testing would provide a vehicle to identify and address any vulnerabilities whilst safeguarding the very systems and services NSW Government entities, such as Transport for NSW in this instance, are working to protect.”
Penetration testing exercises are common ways for organisations to identify and manage potential weaknesses in their cyber defenses by engaging professional attack teams who simulate bad actors and try breaking into systems.
The audit report said its penetration test also tested Sydney Trains’ physical security but that the exercise “was conducted with the knowledge of [Transport for NSW] and Sydney Trains”.
The Auditor-General offered 10 recommendations to the transport agencies, saying it should prioritise Essential Eight controls and fixing the identified vulnerabilities.
In his response to the Auditor-General’s scathing report, Transport for NSW Secretary Rob Sharp said cyber security training is now mandatory for staff.
He also outlined the amount of money the department is spending to improve its cyber security, saying the department’s “$26 million investment” since 2019 “has delivered an uplift in cyber security maturity”.
Transport isn’t the only NSW department struggling with cyber security.
Just last week, as teachers were preparing to return to online schooling due to extended lockdowns in NSW, the Department of Education was knocked offline in what it said was a cyber attack.
And a lengthy investigation into a Service NSW breach that saw over 100,000 citizens’ data stolen found that department had ignored the cyber security risks in the lead up to the incident.