Cyber vulnerabilities exposed in ‘red team’ attack on TfNSW & Sydney Trains


The NSW Audit Office has exposed “significant vulnerabilities” in the cyber defences of the state’s transport authorities, with the two assessed agencies failing to meet mandated target levels for the state’s Cyber Security Policy (CSP) and Federal Government’s ‘Essential Eight’.

Both Transport for NSW (TfNSW), which oversees transport infrastructure and services across the state, and Sydney Trains were found to have “significant weaknesses” in their cybersecurity controls, with assessed agencies deemed to have “unacceptably high” cyber risks, according to the state auditor.

The findings were uncovered during a simulated ‘red team’ cyber-attack targeting both agencies; this involved a penetration test of TfNSW’s systems and a “physical security” test based on Sydney Trains’ cyber-security controls.

Red team exercises deploy ‘white hat’ hackers to pen test systems in order to gauge the strength of an organisation’s existing security controls and capabilities.

Both agencies were made aware of the simulated attacks.

Specific vulnerabilities were not disclosed in the auditor’s publicly released report.

While conceding to the agencies’ request not to disclose the details, the auditor said it was “disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way”.

Specifics on the vulnerabilities were, however, flagged in a separate, undisclosed report handed to both TfNSW and Sydney Trains last December.

Among the most glaring findings in the public report was that neither agency had reached the mandated target levels for the Essential Eight (E8) or the state’s Cyber Security Policy (CSP).

The NSW Government’s CSP sets out 25 mandated requirements for agencies, including the adoption of the Australian Cyber Security Centre’s (ACSC) E8 controls.

The Essential 8, which serve as baseline controls for agencies, are designed to help organisations buttress their cybersecurity posture, making “it more difficult for adversaries to compromise a system”.

While both agencies had set target maturity ratings for their Essential 8, the auditor found that neither agency had implemented the E8 to the designated standard.

All NSW agencies are required to self-assess their maturity against the CSP and the Essential 8, and report that assessment to Cyber Security NSW annually.

“Both agencies have a low level of Essential 8 maturity, both in terms of overall risk mitigation and in comparison with target levels,” the audit noted.

“This low maturity exposes both agencies to significant risk and specific vulnerabilities.”

In November 2017, TfNSW approved a Cyber Uplift Program (CUP) worth $36.9 million over three years, with the CUP forming the core and the largest priority of the transport agencies’ Cyber Defence Portfolio (CDP).

A target state roadmap for the Essential 8 was also established by the Cyber Defence Portfolio between 2019 and 2020 to ensure these baseline E8 standards were being met.

Among the core goals of the CSP is for agencies to “foster a culture where cyber security risk management is an important and valued aspect of decision-making”.

By “failing to inform agency executives” of cybersecurity risks, the auditor said, both TfNSW and Sydney Trains were not fulfilling this requirement.

“Neither agency is fostering a culture where cybersecurity risk management is an important and valued aspect of decision making.”

The auditor, for instance, found only 7.2 per cent of TfNSW staff had completed basic cybersecurity training.

Cybersecurity training completion rates for both TfNSW and Sydney Trains were deemed “low”.

Only 13.5 per cent of staff across the Transport cluster had been assigned the Cyber Safety for New Starters training as of January 2021.

While the course is mandatory for new starters, a little over half (53 per cent) of all staff assigned the Cyber Safety for New Starters training module had completed the course by January 2021.

The report also flagged the failures exposed during phishing exercises in 2019 and 2020 that tested TfNSW and Sydney Trains staff, with click-through rates for TfNSW in fact increasing by 22 per cent year-on-year.

Results from the ‘Spot the Scammer’ exercise showed a click-through rate of more than 20 per cent on the simulated phishing emails, considered ‘very high’ against industry benchmarks.

“This indicates that staff awareness of phishing emails was low,” the auditor wrote.

For Sydney Trains, click-through rates in 2020 hit 32 per cent. However, this was a marked improvement on the previous year, which hit 40 per cent.

The auditor set out seven key priorities for TfNSW and Sydney Trains to bring their cyber posture up to the recommended standard:

  • Develop and implement a plan to uplift the Essential 8 controls to the agency’s target state
  • As a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
  • Ensure cybersecurity risk reporting to executives and the Audit and Risk Committee
  • Collect supporting information for the CSP self-assessments
  • Classify all information and systems according to importance and integrate this with the crown jewels identification process
  • Require more rigorous analysis to reprioritise CDP funding
  • Increase uptake of cybersecurity training.

The full NSW Auditor’s report can be accessed here.