Tuesday, July 13, 2021

Major cyber security weaknesses uncovered at TfNSW, Sydney Trains

A red teaming exercise conducted by the NSW Audit Office has uncovered a number of “significant” and previously undetected cybersecurity vulnerabilities at Transport for NSW (TfNSW) and Sydney Trains.

The vulnerabilities are revealed in a scathing cyber risk assessment, which also finds that both agencies have a low level of maturity against the Essential Eight controls and the more comprehensive NSW government Cyber Security Policy (CSP).

The audit, released on Tuesday, found that while TfNSW and Sydney Trains were “partially effective” at identifying cybersecurity risks, they had not identified all of the risks found during the audit.

“Not all of the – in some cases significant – vulnerabilities identified in this audit had previously been identified by the agencies, which suggests that the identification of cybersecurity risks is only partially effective,” the audit says.

Auditor-General Margaret Crawford has chosen to withhold additional information from public disclosure at the request of the agencies and Cyber Security NSW, in order to reduce the likelihood of cyberattacks.

She said both TfNSW and Sydney Trains had been informed of the vulnerabilities in December 2020, but had “not yet fixed all identified vulnerabilities” at the time the audit was published.

“I complied with this request because the vulnerabilities identified have not yet been addressed and the agencies are at significant risk,” Crawford wrote in the foreword to the report.

“It should be emphasized that the risks identified in the detailed report are due to the persistence of these previously identified vulnerabilities rather than their potential disclosure.

“It is disappointing that the transparency for Parliament and the public on issues that may affect them directly must be reduced this week.”

Neither agency was found to “effectively manage” the cybersecurity risks it had identified, with both TfNSW and Sydney Trains reporting corporate cybersecurity risks above their tolerance level.

Both agencies have received funding to address the identified cybersecurity risks through an ongoing Cyber Defence program, funded with $42 million over the next three years.

In response to the audit, TfNSW said the controls used by both agencies “are already effectively preventing a significant number of intrusions and our teams are continuously monitoring our cybersecurity environment and responding quickly to cybersecurity threats”.

Limited management supervision

The audit also raises concerns about how much cyber risk information reaches TfNSW executives: only a single “risk profile”, which aggregates general risk issues, is made available to the agency’s top executives.

“The risk profile provided to TfNSW executives does not contain comprehensive information on cybersecurity and does not contain the important details that would be useful as a summary of the information in the risk registers,” the audit said.

“This means that cybersecurity is presented as an area of risk, but no details are communicated to the agency executives.”

The frequency of risk reporting was also criticised: TfNSW executives were presented with risk information only once in 2020 rather than quarterly, which the audit said further reduced executive oversight.

Information was also presented only “irregularly” to the TfNSW Board of Directors, while the agency’s Chief Information Security Officer attended only two of the five meetings of the Audit and Risk Committee to speak about cybersecurity.

Sydney Trains reported detailed cyber risk information to its executives for most of 2020, but changes towards the end of the year meant that executives were “receiving only a risk profile with no comprehensive information”.

“As a result, neither agency fosters a culture where cybersecurity risk management is an important and valued aspect of executive decision-making,” the audit concludes.

Low maturity versus Essential Eight

Despite setting target maturity levels for the Essential Eight and the CSP, neither agency has implemented the controls needed to reach those levels, although both plan to ensure that they “achieve a minimum maturity level of three for all CSP requirements by 2023”.

“Both agencies have a low maturity level for the Essential Eight, both in terms of overall risk reduction and in comparison to the target values. This low level of maturity exposes both agencies to considerable risks and specific weaknesses,” the audit says.

While the ongoing Cyber Defence program is working to lift this maturity, there was little progress between 2019 and 2020, with work focused mainly on “determining the current state of the Essential Eight and creating a roadmap for the target state”.

A workstream for the Essential Eight was scheduled to begin in February 2020, but was ultimately delayed to May 2021 because resources were reallocated to the La Brea Project, which began in response to last year’s ransomware attack on the State Transit Authority.

Training completion rates

The audit also found that neither agency provides regular cybersecurity training to employees and contractors, even though the government’s CSP requires it.

By January 2021, only 47 percent of the employees across the entire Transport cluster, which includes TfNSW and Sydney Trains, who had been assigned the “Cybersecurity for Newcomers” course as part of their induction had completed the training.

“At this point in time, only 7.2 percent of the employees in the entire Transport Cluster had completed this training,” said the audit.

“At Sydney Trains, by January 2021, less than one percent of employees had completed this training and a further 7.6 percent of employees had completed the ‘Cyber Security: Beyond the Basics’ training course.

“These low graduation rates suggest that TfNSW is not effectively rolling out cybersecurity training across the cluster.”

TfNSW plans to introduce annual training for all employees starting July 2021, in line with a Department of Customer Service policy requiring annual cybersecurity training for all government employees.



source https://collegeeducationnewsllc.com/major-cyber-security-weaknesses-uncovered-at-tfnsw-sydney-trains-strategy-security/
