Sydney Trains and Transport for NSW cyber security flaws exposed in ‘red team’ hacker attack
Anti-hacking defences put up by Sydney Trains and Transport for NSW were no match for a simulated cyber attack orchestrated by a government watchdog, a new report reveals.
The “red team” hacking exercise conducted by the NSW Auditor-General revealed “significant weaknesses” in the agencies’ cyber security schemes, the watchdog wrote in the report released on Tuesday.
“Transport for NSW and Sydney Trains are not effectively managing their cyber security risks,” Auditor-General Margaret Crawford wrote in the report.
“Significant weaknesses exist in their cyber security controls, and both agencies have assessed that their cyber risks are unacceptably high.”
The report also notes that few staff members at the agencies have received basic cyber security training and that executives do not receive regular detailed cyber risk briefings.
“As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making,” Ms Crawford wrote.
The test was conducted by allowing “authorised attackers” to try to penetrate the computer systems.
The “red team” also tested the security of some of the train systems’ physical sites that were relevant to cyber security, the report said.
Transport for NSW and Sydney Trains were made aware in advance that the test would occur.
The exercise revealed security holes that the agencies weren’t previously aware of, it was revealed.
The agencies fought to suppress exactly what those weaknesses were because they feared revealing the vulnerabilities could expose them to further attacks.
“TfNSW and Sydney Trains have advised that in the six months from December 2020 and at the time of tabling this audit report, they have not yet remediated all the vulnerabilities identified,” Ms Crawford wrote in a foreword.
“As a result, they, along with Cyber Security NSW, have requested that we not disclose all information contained in this audit report to reduce the likelihood of an attack on their systems and resulting harm to the community.
“I have conceded to this request because the vulnerabilities identified have not yet been remediated and leave the agencies exposed to…