Security of critical IT infrastructure

Roads and Maritime Services and Transport for NSW have deployed many controls to protect traffic management systems but these would have been only partially effective in detecting and preventing incidents and unlikely to support a timely response. There was a potential for unauthorised access to sensitive information and systems that could have disrupted traffic.
 
Until Roads and Maritime Services’ IT disaster recovery site is fully commissioned, a disaster involving the main data centre is likely to lead to higher congestion in the short-term as traffic controllers would be operating on a regional basis without the benefit of the Traffic Management Centre.
 
Sydney Water Corporation is well equipped to deal with the impact of security incidents. It has developed and tested procedures for security incidents and major outages and has provided relevant training to staff. It has established a backup operations centre, which is tested on a regular basis, and established backup power supplies and systems for selected key facilities.
 
While Sydney Water Corporation’s response capability is good, it was limited by its inability to detect all security breaches. For example, any malicious activity on most of the corporate network is blocked from accessing the process control system environment but control level access was possible from selected low security workstations on the corporate network.
 
'Roads and Maritime Services and Sydney Water worked well with the Audit Office throughout the audit and have already started acting on the recommendations made in the report', said the Auditor-General Grant Hehir.
 
'Other government agencies with critical infrastructure should also seek to determine whether there are lessons from this audit that may apply to their organisations', he added.
 
Due to the sensitive nature of this topic area, detailed findings and recommendations have been provided to agencies in separate reports. The Audit Office will continue to monitor progress against the recommendations and report to Parliament if issues remain unresolved.

Further information 

Barry Underwood, Executive Officer, 9275 7220 or 0403 073 664; barry.underwood@audit.nsw.gov.au