A red teaming exercise carried out by the NSW Audit Office has uncovered a range of “significant” cyber security vulnerabilities at Transport for NSW and Sydney Trains that were previously undetected.
The existence of the vulnerabilities is disclosed in a damning audit of cyber risks, which also reveals very low levels of maturity against the Essential 8 controls and the NSW government’s broader cyber security policy (CSP).
The audit, released on Tuesday, found that while TfNSW and Sydney Trains were “partially effective” at identifying cyber security risks, they failed to identify all of the risks that were detected during the audit.
“Not all of the weaknesses identified in this audit – some of which were significant – had previously been identified by the agencies, indicating that cyber security risk identification is only partially effective,” the audit states.
Auditor-general Margaret Crawford has chosen to withhold the public release of additional details at the request of the agencies and Cyber Security NSW to reduce the risk of cyber attack.
She said that both TfNSW and Sydney Trains were told about the existence of the vulnerabilities in December 2020, but had “not yet remediated all the vulnerabilities identified” at the time of the audit’s publication.
“I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk,” Crawford said in the report’s foreword.
“It should be stressed that the risks identified in the detailed report exist due to the ongoing existence of these previously identified vulnerabilities, rather than due to their potential publication.
“It is disappointing that transparency to the parliament and the public on issues that potentially directly affect them needs to be limited in this way.”
Neither agency was found to be “effectively managing” the cyber security risks that they had identified, with TfNSW and Sydney Trains reporting enterprise-level cyber security risks above tolerance levels.
Both agencies have received funding to address identified cyber security risks through a rolling ‘cyber defence’ program, which has been funded to the tune of $42 million over the next three years.
In its response to the audit, TfNSW said the controls used by both agencies “already effectively prevent a significant number of intrusion attempts and our teams continuously monitor our cyber security environment and respond promptly to cyber security threats”.
Limited leadership oversight
The audit also highlights concerns with the level of cyber risk information making its way to TfNSW executives, with only a “risk profile” that aggregates common risk themes provided to the agency’s top brass.
“The risk profile provided to TfNSW executives does not contain detailed information about cyber security and does not provide some important details which would be useful as summaries of the information in risk registers,” the audit states.
“This means that while cyber security is presented as an area of risk, no details are communicated to agency executives.”
The frequency of risk information reporting was also criticised, with TfNSW executives presented with risk information only once in 2020 instead of on a quarterly basis, further “reducing senior leadership oversight”.
Information was similarly presented to TfNSW’s executive management committee only “irregularly”, while the agency’s chief information security officer attended only two of five audit and risk committee meetings to present on cyber security.
Sydney Trains reported detailed cyber risk information to executives throughout most of 2020, but changes late in the year saw executives “only receive a risk profile without detailed information”.
“As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making,” the audit concludes.
Low maturity against Essential 8
Despite setting target maturity levels for the Essential 8 and the CSP, neither agency has implemented controls to these levels, though there are plans to ensure they “reach a minimum maturity level of three against all CSP requirements by 2023.”
“Both agencies have a low level of Essential 8 maturity, both in terms of overall risk mitigation and in comparison with target levels. This low maturity exposes both agencies to significant risk and specific vulnerabilities,” the audit states.
While the rolling ‘cyber defence’ program is actively working to address this, there was limited progress between 2019 and 2020, with work mostly focused on “determining the current state of the Essential 8 and creating a target state roadmap”.
A workstream for the Essential 8 had been planned for February 2020, but this was ultimately delayed until May 2021 due to the reallocation of resources as part of Project La Brea, which commenced in response to last year’s ransomware attack against the State Transit Authority.
Training completion rates
The audit also drew particular attention to the fact that neither agency is implementing regular cyber security training for staff and contractors, despite this being a requirement under the government’s CSP.
As at January 2021, only 47 per cent of the staff that had been assigned to complete the ‘cyber security for new starters training course’ as part of their induction had completed the training across the Transport cluster, which includes TfNSW and Sydney Trains.
“As a result, only 7.2 per cent of staff across the entire Transport cluster had completed this training at that time,” the audit states.
“In Sydney Trains, fewer than one per cent of staff had completed this training as at January 2021 and a further 7.6 per cent of staff have completed the ‘Cyber Security: Beyond the Basics’ training.
“These low completion rates indicate that TfNSW is not effectively rolling out cyber security training across the cluster.”
TfNSW is planning to introduce annual training for all staff from July 2021 in line with a Department of Customer Service directive, which mandates annual cyber security training for all government staff.