Viruses and malware could cause chaos and even accidents on New South Wales roads via online attacks against the integrated traffic signal network despite controls put in place, auditor-general Grant Hehir advised today in a new performance report of some of the state’s critical infrastructure.
Control put in place by Roads and Maritime Services and Transport for NSW have been only partially effective in detecting and preventing incidents and are unlikely to support a timely response, Hehir warned. A range of risks were adequately managed he reported, but some remain:
“For example, there is a potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents in one particular section of the road network.”
Mock disaster scenario tests have identified improvements for the state’s Traffic Management Centre. Hehir reports that management have already begun initiating them. However, he warns:
“Until the IT disaster recovery site is fully commissioned, a disaster involving the main data centre would have traffic controllers operating on a regional basis without the benefit of intervention from the TMC in managing traffic coordination, which means higher congestion is likely in the short term.”
Sydney’s water supply system, run by the Sydney Water Corporation, however, was well equipped to deal with attacks similar to those that hackers from 16 countries used to compromise a dummy water utility system set up by United States security researchers in 2013 to determine the kinds of security threats they faced.
Getting it the auditor’s tick of approval were its procedures for testing security incidents and major outages, and the training for staff. Hehir reports that SWC has established a back-up operations centre, which is tested on a regular basis, and redundant systems such as additional control units and back-up power supplies for selected key facilities.
However, there was room for improvement, with some low-security workstations on the corporate network having access to key systems.
The nature and extent of threats to critical IT systems has evolved, Hehir advised, and come from the way agencies have integrated their systems for greater productivity and efficiency. However, greater integration has expanded the risk of a single malware attack:
“This high level of integration can extend to remote access by operational staff, suppliers and external organisations, further increasing the exposure of these systems to network vulnerabilities associated with internet threats. Recent incidents demonstrate that a targeted cyber-attack can penetrate traditional corporate cyber defences and cause physical harm to critical infrastructure. Traditional threat sources have evolved and now include nation states, with the threats — such as industrial espionage — becoming more sophisticated and covert.”
Stuxnet was one piece of malicious software, known as malware, that have been attacking process control systems and found on hundreds of systems around the world when it was discovered in 2010.
The audit office set out to determine if controls to prevent, detect and response to security breaches were effective, and if the risk to business continuity was being managed appropriately.
Hehir praised RMS and SWC for their co-operation with the audit office. Both agencies have begun acting on the recommendations, but the advantages of this auditor weren’t limited to just them, Hehir suggested: “Other government agencies with critical infrastructure should also seek to determine whether there are lessons from this audit that may apply to their organisations.” Additionally, the Australian Signals Directorate has a list of strategies available to government agencies to mitigate targeted cyber intrusions.
Audit program reform
After the release of State Plan — NSW 2021: A plan to make NSW number one by Premier Mike Baird last year, the audit office reformed its performance audit program to take into the account the government’s priority areas:
- Rebuild the economy;
- Return quality services;
- Renovate infrastructure;
- Strengthen our local environment and communities; and
- Restore accountability to government.
Advising agencies what to expect Hehir said:
“When examining agency performance I will refer to some broad themes that are relevant to today’s government administration and reform: governance, devolution, partnerships, outsourcing, efficient service delivery and transparency. The themes on which we focus will depend on the activity being examined and will be finalised during the planning stage for each audit.”
The 2015 updated performance audit program is expected to be made available online this week.