Queensland’s auditor-general has conducted penetration testing on the two major systems managing Brisbane’s traffic network and found gaping holes which render the critical networks vulnerable to attack.
The city is just 12 months out from hosting the 2014 G20 summit, the most significant gathering of world leaders ever held in Australia.
“Security research shows an increase in cyber attacks on the G20 host and participating countries leading to the G20 Summit,” auditor-general Andrew Greaves said in a report tabled yesterday.
“If the systems were specifically targeted, hackers could access the system and potentially cause traffic congestion, public inconvenience and affect emergency response times.
“Such attacks could also cause appreciable economic consequences in terms of lost productivity.”
In preparation for G20, the audit team commenced a three-week testing process across the intelligent transport systems (ITS) used by the Department of Transport and Main Roads (TMD) and the Brisbane City Council (BCC) to control traffic lights and manage traffic incidents in the Brisbane metropolitan region.
They found that the systems “were demonstrably not as secure as they should have been”.
Social engineering, or human to human deception, was the easiest way to get physical access to information systems and infrastructure, their report said.
“We were able to bypass physical security multiple times without being detected.”
The team also found that remote access management policies, the use of portable devices, patch management and anti-virus management were not consistently applied across the two organisations.
In terms of personnel access, there were no systems in place to record who had accessed particular data at particular time, and at one of the organisations, 18 percent of all active logins for the traffic management system belonged to ex-staff.
While both organisations had successfully divided their networks into discrete security zones, the report found access between the zones was not restricted, meaning an attack on one area could easily spread to others.
Israel learnt its lesson the hard way earlier this year when hackers used a Trojan virus to access and close down the camera network on one of the main arterial tunnels in Haifa. The subsequent shutdown paralysed the motorway for two peak hour periods.
The auditor-general said Brisbane too would struggle to get traffic moving again in the event of a cyber attack, as business continuity plans across the TMD and BCC were haphazard and reliant on the presence of a handful of skilled staff.
In the all too familiar event of a Brisbane natural disaster, he added, disaster recovery data centre facilities were not located far enough from the primary sites to ensure they too would not be affected.
The TMD and BCC have agreed to implement nearly all of the auditor’s requested security plugs and business processes.