Hackers could control Brisbane traffic controls: Report

Security measures designed to prevent hackers from taking over Brisbane's traffic management systems are woefully inadequate or missing.

Brisbane's traffic management systems have been found vulnerable to attack under an audit conducted by the Queensland Audit Office (QAO).

Over a three week period, QAO performed penetration tests (PDF) of the systems used to manage traffic infrastructure in Brisbane and found that it was able to successfully compromise some components of the system and ultimately gain unauthorised access.

"The traffic management systems for the Brisbane metropolitan area were not secure. If the systems were specifically targeted, hackers could access the system and potentially cause traffic congestion, public inconvenience and affect emergency response times," the report read.

In addition to breaching parts of the IT systems for traffic management, QAO was also able to breach physical security measures.

The ability for QAO to breach transport management systems was assisted by a lack of security incident logging and reviewing and the sparse implementation of automated intrusion detection systems.

Additionally, policies around access control systems were completely missing or flawed, with ex-employees still holding accounts for systems due to a failure to review credentials.

"Around 18 per cent of user accounts, in each of the main traffic systems, did not relate to current employees."

The Department of Transport and Main Roads, along with Brisbane City Council are jointly responsible for the security of traffic management systems. Both bodies were capable of responding to general security incidents, assuming they were detected and key staff were available, and have technology in place to help them. Such systems include the ability to manage transport infrastructure from a completely different location.

However, QAO said that in the event of high profile events or disasters, neither body has the requisite resources to deal with the issue. This is further exacerbated by a lack of testing of such redundant systems, which QAO said would not result in recovering from security incidents within acceptable timeframes.

The QAO notes that high profile events are close on the horizon, with the Commonwealth Games approaching and the G20 Leaders Summit set to be held in November 2014, that these events will would result in "a heightened risk of cyber intrusions and opportunistic attacks to government information technology systems."

QAO said that its demonstrated ability to compromise traffic management infrastructure served as a "timely reminder to all entities that operate infrastructure, such as rail, water and electricity networks, to check and re-check their security arrangements."