Victoria’s public rail operators and government authorities aren’t serious enough about the threat of a devastating cyber attack on the network, leaving passengers vulnerable to disruption or worse, the state's auditor-general has found.
The Victorian audit office, headed by Andrew Greaves, has revisited the security of the rail network six years after its last review.
It found there has been "little improvement" since 2010, with significant weaknesses remaining.
The office criticised Public Transport Victoria for losing sight of accountability for information security controls across the franchised transport system, and said a series of machinery of government changes mean no-one really knows where responsibility for monitoring systems and security controls lies.
The former transport department’s IT division previously had full responsibility for cyber mitigation, but since the department was disbanded in early 2015, responsibility has been diluted through a number of organisational changes.
Back in 2010, the audit office advised the department it needed to set up a dedicated security team made up of “suitably qualified and experienced staff”. But six years later, PTV has appointed just one staff member to the task.
PTV did create an executive-level security steering committee, but at its first meeting in July this year only one executive representative showed up.
The audit team found PTV has only delivered a report to its board about the state of its cyber security once, in April 2016.
The auditor-general warned the agency needed to make cyber security a priority urgently, before it suffers what could be disastrous consequences.
“Compliance activities should be embedded in day-to-day operations, policies and procedures, but instead they are haphazard and uncoordinated,” the office wrote in its report.
“The lack of clarity about which agency owns and has responsibility for control systems has resulted in maintenance of and upgrades to control systems not being a funding priority.”
The state’s transport authority is set to undergo yet another change when it becomes Transport for Victoria later this year.
At the same time, its rail operator contracts with the MTM consortium that runs metro trains and the regional V/Line agency are expiring and currently under renegotiation.
The auditor-general has urged the government to make sure security compliance is written into the new deals.