Both NSW government agencies have assessed their cyber security risks as unacceptably high
Transport for NSW and Sydney Trains are not effectively managing their cyber security risks. Significant weaknesses exist in their cyber security controls, and both agencies have assessed that their cyber risks are unacceptably high.
According to the Audit Office of NSW neither agency has reached its Essential 8 or Cyber Security Policy target levels. This low Essential 8 maturity exposes both agencies to significant risk. Both agencies are implementing cyber security plans to address identified cyber security risks.
This audit identified other weaknesses, such as low numbers of staff receiving basic cyber security awareness training. Cyber security training is important for building and supporting a cyber security culture. Not all of the weaknesses identified in this audit had previously been identified by the agencies, indicating that their cyber security risk identification is only partially effective.
Agency executives do not receive regular detailed information about cyber risks and how they are being managed, such as information on mitigations in place and the effectiveness of controls for cyber risk. As a result, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of executive decision-making.
TfNSW and Sydney Trains are partially effective at identifying their cyber security risks and both agencies have cyber security plans in place
Both agencies regularly carry out risk assessments and have identified key cyber security risks, including risks that impact on the agencies’ crown jewels. These risks have been incorporated into the overall enterprise risk process. However, neither agency regularly reports detailed cyber risk information to agency executives to adequately inform them about cyber risk. The Cyber Security Policy (CSP) requires agencies to foster a culture where cyber security risk management is an important and valued aspect of decision-making. By not informing agency executives in this way, TfNSW and Sydney Trains are not fulfilling this requirement.
Agencies’ cyber security risk assessment processes are not sufficiently comprehensive to identify all potential risks. Not all of the weaknesses identified in this audit had previously been identified by the agencies.
To address identified cyber security risks, both agencies have received funding approval to implement cyber security plans. TfNSW first received approval for its cyber security plan in 2017. Sydney Trains received approval for its cyber security plan in February 2020. In 2020–21 TfNSW and Sydney Trains combined their plans into the Transport Cyber Defence Rolling Program business case valued at $42.0 million over three years. This is governed as part of a broader Cyber Defence Portfolio (CDP). The CDP largely takes a risk-based approach to annual funding. The Cyber Defence Portfolio Steering Committee and Board can re-allocate funds from an approved project to a different project. This re-allocation process could be improved by making it more risk-based.
TfNSW and Sydney Trains are not effectively managing their cyber security risks
Neither agency has fully mitigated its cyber security risks. These risks are significant. Neither TfNSW nor Sydney Trains have reduced their cyber risk to levels acceptable to the agencies. Both agencies have set a risk tolerance for cyber security risks, and the identified enterprise-level cyber security risks remain above this rating. Both agencies’ self-attested maturity against the Essential 8 remains low in comparison to the agencies’ target levels, and in relation to the significant risks and vulnerabilities that are exposed. Little progress was made against the Essential 8 in 2020.
Neither agency has reached its target levels of maturity for the CSP mandatory requirements. Not reaching the target rating of the CSP mandatory requirements risks information and systems being managed inconsistently or not in alignment with good governance principles. The Transport Cyber Defence Rolling Program has a KPI to achieve a target rating of three for all CSP requirements where business appropriate. TfNSW considers this target rating to be its target for all the CSP requirements. However TfNSW has not undertaken analysis to determine whether this target is appropriate to its business.
The CSP makes agencies accountable for the cyber risks of their ICT service providers. While both agencies usually included their cyber security expectations in contracts with third-party suppliers, neither agency was routinely conducting audits to ensure that these expectations were being met.
The CSP requires agencies to make staff aware of cyber security risks and deliver cyber security training. TfNSW is responsible for delivering cyber security training across the Transport cluster, including in Sydney Trains. TfNSW was not effectively delivering cyber security training across the cluster because training was not mandatory for all staff at the time of the audit and completion rates among those staff assigned the training was low. As such, only 7.2 per cent of staff across the Transport cluster had completed introductory cyber security training as at January 2021.
According to the Auditor General the vulnerabilities identified have not yet been remediated and leave the agencies exposed to significant risk.
“It should be stressed that the risks identified in the detailed report exist due to the continued presence of these previously identified vulnerabilities, rather than due to their potential publication. The audited agencies, alone, are accountable for remediating these vulnerabilities and addressing the risks they pose,” stated the Auditor General. “It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.”