Report highlights: Managing cyber risks

What the report is about

This audit assessed how effectively Transport for NSW (TfNSW) and Sydney Trains identify and manage their cyber security risks.

The NSW Cyber Security Policy (CSP) sets out 25 mandatory requirements for agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies to mitigate cyber security incidents, and identifying the agency’s most vital systems, their ‘crown jewels’. 

The audited agencies have requested that we do not disclose detail of the significant vulnerabilities detected during the audit, as these vulnerabilities are not yet remediated. We provided a detailed report to the agencies in December 2020 outlining significant issues identified in the audit. We have conceded to the agencies' request but it is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way.

What we found

TfNSW and Sydney Trains are not effectively managing their cyber security risks.

Both agencies have assessed their cyber security risks as unacceptably high and both agencies had not identified all of the risks we detected during this audit – some of which are significant.

Both agencies have cyber security plans in place that aim to address cyber security risks. TfNSW and Sydney Trains have combined this into the Transport Cyber Defence Rolling Program, part of the Cyber Defence Portfolio (CDP). 

However, neither agency has reached its target ratings for the CSP and the Essential 8 and maturity is low in relation to significant risks and vulnerabilities exposed.

Further, neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making.

TfNSW is not implementing cyber security training effectively across the cluster with only 7.2% of staff having completed basic cyber security training.

What we recommended

TfNSW and Sydney Trains should:

  • develop and implement a plan to uplift the Essential 8 controls to the agency's target state
  • as a matter of priority, address the vulnerabilities identified as part of this audit and previously described in a detailed Audit Office report provided to both agencies
  • ensure cyber security risk reporting to executives and the Audit and Risk Committee
  • collect supporting information for the CSP self assessments 
  • classify all information and systems according to importance and integrate this with the crown jewels identification process
  • require more rigorous analysis to re-prioritise CDP funding 
  • increase uptake of cyber security training.

TfNSW should assess the appropriateness of its target rating for each of the CSP mandatory requirements.

Department of Customer Service should:

  • clarify the requirement for the CSP reporting to apply to all systems
  • require agencies to report the target level of maturity for each mandatory requirement.

Fast facts

  • $42m Total value of the Transport Cyber Defence Rolling Program over three years.
  • 7.2% Percentage of staff across the Transport cluster who had completed introductory cyber security training

Further information

Please contact Ian Goodwin, Deputy Auditor-General on 9275 7347 or by email.