Major cyber security weaknesses uncovered at TfNSW, Sydney Trains

A red teaming exercise conducted by the NSW Audit Office has uncovered a number of “significant” cyber security vulnerabilities at Transport for NSW and Sydney Trains that were previously undetected.

The existence of the vulnerabilities is disclosed in a damning audit of cyber risks, which also reveals low levels of maturity against the Essential Eight controls and the NSW government’s broader cyber security policy (CSP).

The audit, published on Tuesday, found that while TfNSW and Sydney Trains’ were “partially effective” at identifying cyber security risks, they failed to pinpoint all of the risk that were detected during the audit.

“Not all of the weaknesses identified in this audit – some of which were significant – had previously been identified by the agencies, indicating that cyber security risk identification is only partially effective,” the audit states.

Auditor-general Margaret Crawford has chosen to withhold the public release of additional information at the request of the agencies and Cyber Security NSW to reduce the likelihood of cyber attack.

She said that both TfNSW and Sydney Trains were told about the existence of vulnerabilities in December 2020, but had “not yet remediated all the vulnerabilities identified” at the time of the audit’s publication.

“I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk,” Crawford wrote in the report’s foreword.

“It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication.

“It is disappointing the transparency to the parliament and the public on issues that potentially directly affect them needs to be limited in this week.”

Neither agency was found to be “effectively managing” the cyber security risks that they had identified, with TfNSW and Sydney Trains reporting enterprise-level cyber security risks above tolerance levels.

Both agencies have received funding to address identified cyber security risks through a rolling ‘cyber defence’ program, which has been funded to the tune of $42 million over the next three years.

In its response to the audit, TfNSW said the controls applied by both agencies “already effectively prevent a significant number of intrusion attempts and our teams continuously monitor our cyber security environment and response quickly to cyber security threats”.

Limited leadership oversight

The audit also highlights concerns with the level of cyber risk information making its way to TfNSW executives, with only a “risk profile” that aggregates common risk themes provided to the agency’s top brass.

“The risk profile provided to TfNSW executives does not contain comprehensive information about cyber security and does not provide some key details which would be useful as summaries of the information in risk registers,” the audit states.

“This means that while cyber security is presented as an area of risk, no details are communicated to agency executives.”

The frequency of risk information reporting was also criticised, with TfNSW executives presented with risk information only once in 2020 instead of on a quarterly basis, further “reducing senior leadership oversight”.

Information was similarly presented to the TfNSW’s executive management committee only “irregularly”, while the agency’s chief information security officer attended only two of five audit and risk committee meetings to present on cyber security.

Sydney Trains reported detailed cyber risk information to executives throughout most of 2020, but changes late in the year saw executives “only receive a risk profile without comprehensive information”.

“As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making,” the audit concludes.

Low maturity against Essential Eight

Despite setting target maturity ratings for the Essential Eight and the CSP, neither agency has implemented controls to these levels, though there are plans to ensure they “reach a minimum maturity level of three against all CSP requirements by 2023."

“Both agencies have a low level of Essential Eight maturity, both in terms of overall risk mitigation and in comparison with target levels. This low maturity exposes both agencies to significant risk and specific vulnerabilities,” the audit states.

While the rolling ‘cyber defence’ program is actively working to address this, there was little progress between 2019 and 2020, with work largely focused on “determining the current state of the Essential Eight and creating a target state roadmap”.

A workstream for the Essential Eight had been planned for February 2020, but this was ultimately delayed until May 2021 due to the reallocation of resources as part of Project La Brea, which began in response to last year’s ransomware attack against the State Transit Authority.

Training completion rates

The audit also drew particular attention to the fact neither agency is implementing regular cyber security education for employees and contractors, despite this being a requirement under the government’s CSP.

As at January 2021, only 47 percent of the staff that had been assigned to complete the ‘cyber safety for new starters training course’ as part of their induction had completed the training across the Transport cluster, which includes TfNSW and Sydney Trains.

“As a result, only 7.2 percent of staff across the entire Transport cluster had completed this training at that time,” the audit states.

“In Sydney Trains, less than one percent of staff had completed this training as at January 2021 and a further 7.6 percent of staff have completed the 'Cyber Security: Beyond the Basics' training.

“These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.”

TfNSW is planning to introduce annual training for all staff from July 2021 in line with a Department of Customer Service directive, which mandates annual cyber security training for all government staff.