Transport NSW and Sydney Trains not effectively managing cyber risks — NSW Auditor-General
The NSW Auditor-General has slammed Transport for NSW (TfNSW) and Sydney Trains' management of cybersecurity risks as ineffective.
While both the agencies have cybersecurity plans in place to address risks, neither has reached its target ratings for the NSW Cyber Security Policy (CSP) and their Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed, the report found.
The NSW CSP sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cybersecurity incidents, and identifying the agency’s most vital systems, their ‘crown jewels’.
TfNSW first received approval for its cybersecurity plan in 2017 and Sydney Trains received it in February 2020. In 2020–21, both the agencies combined their plans into the Transport Cyber Defence Rolling Program business case valued at $42.0 million over three years. This is governed as part of a broader Cyber Defence Portfolio (CDP). The CDP takes a risk-based approach to annual funding and the steering committee and board can re-allocate funds from an approved project to a different project. This re-allocation process could be improved by making it more risk based, the report said.
Neither agency is fostering a culture where cyber-security risk management is an important and valued aspect of decision-making, found the report.
The Auditor-General said TfNSW is not implementing cybersecurity training effectively across the cluster with only 7.2% of staff having completed basic training.
The Cyber Safety for New Starters training course is mandatory for new starters; however, only 53% of staff assigned that training module had completed the course by January 2021. At Sydney Trains, only 4.2% of staff had completed this training as at January 2021.
The report recommended TfNSW and Sydney Trains should:
- develop and implement a plan to uplift the Essential 8 controls to the agency’s target state
- as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
- ensure cybersecurity risk reporting to executives and the Audit and Risk Committee
- collect supporting information for the CSP self-assessments
- classify all information and systems according to importance and integrate this with the crown jewels identification process
- require more rigorous analysis to re prioritise CDP funding
- increase uptake of cybersecurity training.
TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements, noted the report.
The Auditor-General also suggested the Department of Customer Service should clarify the requirement for the CSP reporting to apply to all systems and require agencies to report the target level of maturity for each mandatory requirement.
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...