The NSW Auditor-General believes gaps in Roads and Maritime’s security framework could potentially be used by hackers to cause accidents on some sections of the state's road network.
In a review of the security of NSW’s key traffic and water assets, handed down this morning, Auditor-General Grant Hehir said while Roads and Maritime Services (RMS) had sufficient infosec policies and procedures, they didn't extend across the whole traffic light network, creating potential vulnerabilities.
“The risk management process covers the transport management centre (TMC) but does not extend to the whole traffic light environment. A comprehensive security plan/architecture has not yet been developed,” the report stated.
NSW traffic lights are operated by the Sydney Coordinated Adaptive Traffic System (SCATS), which manages 4000 sets of signals from a central server linked with a network of subordinate regional servers. Central management means RMS can optimise traffic flows according to demand.
Lights are secured by safety interlocks, which prevent multiple signals showing green-green or yellow-green at the same time in an intersection.
Hehir and the audit team stopped short of publicly detailing how attackers could exploit holes in the infosec policies and procedures, citing security reasons, but handed the specific findings to RMS in a private report.
RMS disputed the findings of the private report, and claimed it had provided documentation to Hehir's team backing up its argument. The auditor, however, has not amended his findings.
Hehir also warned the agency to move faster to stand up its disaster recovery capabilities, after work to build a secondary data centre site hit delays.
He is not the first state auditor to highlight threats to physical infrastructure from malicious actors. Both Queensland and Victorian investigators uncovered large holes in the electronic defences of water and traffic authorities in the past year.
The NSW Auditor said he is determined to prevent the kind of attack that saw nearly a million litres of untreated sewage spill into parks and public spaces in 2000 in Queensland’s Maroochy Shire, after a disgruntled employee of one of the council’s IT vendors attacked the waste management system.
Sydney’s own water authority, Sydney Water Corporation, was given some acclaim for its security practices in Hehir's report, but the auditor pointed out that holes still remain.
“Whilst SWC’s response capability is good, it is limited by its inability to detect all security breaches,” he wrote.
The gaps predominantly exist at an operational level, the investigation concluded, with limited precautions against malware introduced via USB storage drives, and engineering system passwords that never expire.
Hehir also complained that NSW legislation hamstrings him from properly investigating third-party operated water treatment plants, in the absence of a full “follow-the-dollar” mandate from parliament to oversee outsourced operations.