Two critical networks managing Brisbane’s traffic systems contain gaping holes that render them vulnerable to attack.
The flaws were found during penetration tests run by the Queensland Attorney General's office 12 months ahead of the G20 Summit, which the state is to host and which is the most significant gathering of world leaders ever held in Australia.
“Security research shows an increase in cyber-attacks on the G20 host and participating countries leading to the G20 Summit,” said auditor-general Andrew Greaves in a report tabled yesterday.
“If the systems were specifically targeted, hackers could access the system and potentially cause traffic congestion, public inconvenience and affect emergency response times.
“Such attacks could also cause appreciable economic consequences in terms of lost productivity.”
Auditors ran tests for three weeks across the intelligent transport systems used by the Department of Transport and Main Roads (TMD) and the Brisbane City Council (BCC) to control traffic lights and manage road incidents in the Brisbane metropolitan region.
They found that the systems “were demonstrably not as secure as they should have been”.
Social engineering was the easiest way to get physical access to information systems and infrastructure, their report said.
“We were able to bypass physical security multiple times without being detected.”
The team also found that remote access management policies, the use of portable devices, patch management and anti-virus management were not consistently applied across the two organisations.
There were no controls in place to record what data staff accessed and when, and logins remained active when staff left.
At one organisation 18 percent of all active logins for the traffic management system belonged to ex-staff.
Both organisations divided their networks into discrete security zones, but access between the zones was unrestricted, meaning attackers could easily move between them.
Israel learnt its lesson the hard way earlier this year when hackers used a trojan to access and close down the camera network on one of the main arterial tunnels in Haifa. The resulting shutdown paralysed the motorway for two subsequent peak-hour periods.
The Auditor-General said that Brisbane too would struggle to get traffic moving again in the event of a cyber attack, as business continuity plans across the TMD and BCC were haphazard and reliant on the presence of a handful of skilled staff.
In the all too familiar event of a Brisbane natural disaster, he added, disaster recovery data centre facilities were not located far enough from the primary sites to ensure that they too would not be affected.
The TMD and BCC have agreed to implement nearly all of the auditor’s requested security fixes and business processes.
However, the BCC refused to consolidate its SCATS system with the TMD STREAMS solution, claiming the reasons were “not sufficiently robust”.