NSW traffic management systems vulnerable, audit finds

A information security audit by NSW Auditor-General Grant Hehir tabled today found that traffic signal networks managed by Roads and Maritime Services (RMS) could have potentially been hijacked, leading to traffic disruptions.

The audit, <i>Security of Critical IT Infrastructure</i> (PDF), was conducted to find out if the systems used to operate critical infrastructure in the NSW traffic signal network and Sydney metropolitan water supply system are secure.

“RMS and Transport for NSW [TfNSW] have deployed many controls to protect traffic management systems but these would have been only partially effective in detecting and preventing incidents and unlikely to support a timely response,” read the audit.

“There was a potential for unauthorised access to sensitive information and systems that could have disrupted traffic.”

This was because the audit found that cyber security controls were only partially effective when detecting and preventing security breaches.

“There was no formalised approach in place for the assessment of security alerts from the United States government, Australian government or vendor services for software vulnerabilities. Consequently, the risk of such vulnerabilities may not have been reliably assessed or actioned when necessary,” read the audit.

According to Hehir, TfNSW has recognised that the current system is inadequate and told him that a Security Monitoring and Assessment (SMA) program will be implemented over the next two years. Traffic management systems will be in integrated into the SMA program.

The audit also contained six recommendations for TfNSW and RMS which need to be introduced by July 2015.

• Extend the Information Security Management System (ISMS) to oversee the security of the traffic management environment, including operational level risks

• Develop a comprehensive security plan for the whole environment.

• Improve the identification, assessment and recording of security risks.

• Improve logging and monitoring of security related events regarding access to applications, operating systems and network access.

• Improve security zoning to better protect the traffic system from potential threats

Turning to Sydney Water Corporation (SWC), Hehir’s audit found that the agency is “well equipped” to deal with security incidents.

For example, it has developed/tested procedures for security incidents and provided relevant training to staff. SWC has also established a backup operations centre, which is tested on a regular basis, and established backup power supplies and systems for sites in NSW.

“While SWC’s response capability is good, it was limited by its inability to detect all security breaches. For example, any malicious activity on most of the corporate network is blocked from accessing the process control system environment but control level access was possible from selected low security workstations on the corporate network,” read the audit.

In addition, the audit found that there is a risk associated with engineering passwords that don’t expire and the potential for the introduction of malware by inserting USB sticks into PCs.

SWC was also given five recommendations to implement by July 2015.

• Extend the ISMS to oversee the security of the process control environment, including the management of operational level risks and controls.

• Develop a comprehensive security plan for the whole SWC environment.

• Document and undertake additional risk mitigation to reduce risks to acceptable levels, and clearly document what levels of risk can be tolerated.

• Obtain current documents evidence to indicate that the risks associated with the security of process control systems at the Prospect water treatment plant are mitigated to acceptable levels.

• Determine the appropriate controls to limit unauthorised access to computer accounts including Supervisory Control and Data Acquisition (SCADA) systems application software and computer operating systems.

Hehir said in a statement that RMS and SWC have already started acted on the recommendations made in the report.

“'Other government agencies with critical infrastructure should determine whether there are lessons from this audit that may apply to their organisations,” he said.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia