Auditor-general warns of NSW roads network vulnerabilities

New South Wales Auditor-General Grant Hehir has warned that unless the agencies behind the state's road system extend their information security management systems across its entire network, it could be open to attack, resulting in accidents and congestion.

The potential vulnerabilities were outlined in the auditor-general's Performance Audit: Security of Critical IT Infrastructure (PDF), which examined the systems and processes in place within Transport for NSW, Roads and Maritime Services, and Sydney Water Corporation (SWC).

"Roads and Maritime Services (RMS) and Transport for NSW (TFNSW) have deployed many controls to protect traffic management systems," the report said. "However, the systems in place to manage traffic signals are not as secure as they should be.

"Established controls are only partially effective in detecting and preventing incidents and are unlikely to support the goal of a timely response to limit impacts to traffic management," it said.

The auditor-general recommended control improvements in order to crack down on the risks that are not "adequately managed" by existing infrastructure and systems.

"For example, there is a potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents in one particular section of the road network," the report concluded.

The Audit Office examined the systems utilised by the Transport Management Centre (TMC), focusing on the Sydney Coordinated Adaptive Traffic System (SCATS), which monitors and controls around 4,000 sets of traffic lights from a central server and subordinate regional servers.

It is used to synchronise traffic signals and monitor congestion in order to optimise traffic flows, while vehicle detectors at each intersection allow SCATS to adjust signal timings in response to traffic demand.

The office found that because the information security management system for the NSW roads network only covered the TMC rather than the entire traffic light network, it left parts of the system vulnerable to attack.

The auditor-general recommended that the agencies extend the information security management system to oversee the security of the "complete traffic management environment, including operational level risks".

He also suggested that RMS and TFNSW develop a comprehensive security plan for the whole environment; improve the identification, assessment, and recording of security risks; improve logging and monitoring of security related events; and improve security zoning.

However, the report did concede that RMS had designed and tested an emergency response capability for the TMC for some disaster scenarios, and had recently identified and initiated improvements for responding to IT-related disasters.

This consolation did not stop the auditor-general from warning that while RMS' IT disaster recovery site remains unfinished, a disaster involving the main datacentre could result in higher traffic congestion.

"Until the IT disaster recovery site is fully commissioned, a disaster involving the main datacentre would have traffic controllers operating on a regional basis without the benefit of intervention from the TMC in managing traffic coordination, which means higher congestion is likely in the short term," the report said.

Meanwhile, the report praised Sydney Water Corporation for its ability to deal with the impact of security incidents, saying that it had developed and tested procedures for security incidents and major outages, while also providing relevant training to staff.

SWC has established a backup operations centre, which is tested on a regular basis, and has also established redundant systems such as additional control units and backup power supplies for selected key facilities, the report highlighted.

However, the report said that although SWC's response capability is good, it is limited by its inability to detect all security breaches.

"Controls to prevent and detect breaches are not as effective as they could be," it said. "Controls have been implemented to limit a number of risks; however, the protection environment requires improvement to defend against targeted attacks."

The auditor-general recommended that SWC develop a comprehensive security plan for the whole IT environment, and extend its information security management system to oversee the security of the process control environment.

The report also urged SWC to document and undertake additional risk mitigation, and determine the appropriate controls with which to limit unauthorised access to computer accounts, including SCADA application software and computer operating systems.

The NSW auditor-general's report follows an audit by the Australian National Audit Office (ANAO), with the findings released in June last year, which found that seven Commonwealth agencies did not meet the top four security strategies made mandatory by the Australian government in 2013.

The ANAO said that its conclusion applied not only at the time the audit was conducted in October 2013, but would still be correct looking forward to June 30, 2014, even after each agency had endeavoured to meet its obligations.