NSW Audit Office Report Exposes Significant Cybersecurity Vulnerabilities at Sydney Trains & TfNSW
Staff Writer

The New South Wales Government Audit Office has found two major government agencies, Transport for NSW (TfNSW) and Sydney Trains, are failing to manage their cybersecurity risks effectively. A critical audit report released on July 13 contained the findings.

The audit was undertaken to assess how well TfNSW and Sydney Trains identified and managed their cybersecurity risks. TfNSW is the lead agency for the NSW Government’s transport agencies cluster and provides a number of IT services to the entire cluster, including Sydney Trains.

Sydney Trains is Australia’s biggest urban rail operator, operating over 3,200 daily services and carrying 400 million passengers annually. It is a critical piece of infrastructure in Australia’s biggest city.

The audit looked at how well the two agencies identified, planned for, and managed cybersecurity risks.

“Significant weaknesses exist in their cybersecurity controls,” the audit concluded. “Neither agency has reached its Essential 8 or Cyber Security Policy target levels. This low Essential 8 maturity exposes both agencies to significant risk.”

Cyber Security NSW manages the NSW Cyber Security Policy (CSP). The CSP sets out 25 mandatory requirements for agencies like TfNSW and Sydney Trains, including a requirement that agencies implement the Australian Cyber Security Centre's Essential 8 strategies to mitigate cybersecurity incidents. The Essential 8 are key controls that serve as a baseline set of protections agencies can put in place to make it more difficult for attackers to compromise a system.

Other findings included low numbers of employees receiving basic cybersecurity awareness training. Only 7.2% of employees across NSW Transport agencies had completed introductory cybersecurity awareness training by January 2021.

Further, executives were not receiving regular briefings on cybersecurity risks and how those risks were being managed. The audit found neither agency had developed a culture in which cyber risk management was an important part of the management process.

As part of the audit, a team conducted a simulated cybersecurity exercise on TfNSW and Sydney Trains. The team simulated a determined external cyber threat actor seeking to gain access to TfNSW’s systems. Following the authorised exercise, both TfNSW and Sydney Trains requested that the significant vulnerabilities detected during the audit not be released in the report, citing ongoing vulnerabilities.

The NSW Audit Office made seven recommendations in the report. They include developing and implementing a plan to meet Essential 8 targets, addressing the vulnerabilities identified, implementing appropriate cybersecurity risk reporting to executives, collecting supporting information for the CSP self-assessments, classifying and integrating all information and systems according to importance, undertaking rigorous analysis to re-prioritise CDP funding, and increasing levels of cybersecurity training.

TfNSW first received funding to implement its cybersecurity plan in 2017. Sydney Trains began receiving funding in early 2020. Combined funding has totalled $42 million since 2017. Despite the funding and the existence of cybersecurity plans, neither agency has mitigated its cybersecurity risks. The NSW Audit Office made both agencies aware of its findings late in 2020. In the following six months, neither TfNSW nor Sydney Trains remediated all the vulnerabilities identified.