WA's Public Transport Authority (PTA) experienced major disruption to a variety of internal and external systems last week thanks to a wannabe hacker, forcing the department to disable six of its websites and a variety of online systems.
It is likely that SmartRider, which is used to pay for travel on Perth’s buses and trains, served as the target of this attack, given the vast number of credit card transactions the PTA processes every day.
The attackers were however unable to infiltrate the department's systems, according to the PTA, which said it had detected the attempted hack early and taken its systems offline to keep the hackers out.
But given some of the headlines we’ve seen over the past six months related to poor IT security practices across a number of WA government departments, is this the tip of the iceberg when it comes to attacks on WA’s public infrastructure?
Last November the WA auditor-general was able to break into two state government networks by guessing administrator passwords: believe it or not, these highly privileged accounts were using ‘password’ as the password. Some of the systems the office audited also had passwords that had not been changed for over a decade.
The OAG’s report [pdf] showed that all seven of the government departments investigated were remiss in a number of security control areas, with a total of 115 findings relating to basic control of passwords, patching and setting of user privileges.
Why is the state of government security so bad in WA? iTnews’s own survey of Australian government security put WA at the bottom of the class.
In his address to the Perth AISA conference in November last year, WA chief technology officer Andrew Cann said more had to be done to improve security in the state, offering some insight into what the office of the government CIO would be doing to up their game.
Cann acknowledged that the OGCIO needed to introduce security management to government as a standard that each agency could adopt (based on ISO 27001).
That way each agency would have a common approach to managing security and a common framework they could use to manage security issues, identify security requirements and introduce standard-aligned security controls to mitigate cyber security risks.
He also indicated the CIO office would create a digital security policy, including much-needed guidelines on data classification for WA government departments, something that is sadly lacking. His presentation can be found here.
Interestingly, there have been no developments since November 2015 according to the OGCIO website, and so far we’ve not seen the digital security policy arise, nor any push into a more secure government.
It stands to reason that without state government guidelines on how information should be secured, along with budget cuts and a “head in the sand” approach to cyber security-related threats, local government departments will not have the security controls in place that citizens would expect.
They might have firewalls, intrusion prevention systems and anti-virus software on their desktops; they might even scan websites for malicious content and route email through Microsoft’s Office 365 to eradicate attachment-borne malware.
However, these are all legacy, point solutions that only solve 5 percent of the security problem without focusing on the real issues – the people and processes inside the organisation.
Hopefully, the PTA will get its systems back up and running securely as soon as possible and there won’t have been a mega-breach of SmartRider data, leaving the Perth public concerned for their online identities.
This attack once again demonstrates the vulnerability of WA’s government departments to cyber attack, as well as the apparent inability to take a coordinated, centralised approach to security management, where adoption of standards across the whole of government seems like a pipe dream.
Is it that no one cares enough to do security properly or simply that it costs too much and today’s austerity in government spending won’t allow the introduction of costly controls?
Only through implementing a strategic security capability and investment to back up policy and doctrine will government ever stand a chance of dealing with tomorrow’s threats.
However, tomorrow isn’t far off, so we need to see action soon, otherwise we’re in for a bumpy ride.