Cyber security failures at TfNSW, Sydney Trains

Transport for NSW and Sydney Trains are failing to manage ‘significant’ cyber security risks despite more than $40 million worth of funding, the NSW Auditor General says.

NSW Auditor General Margaret Crawford.

Both have assessed their cyber security risks as unacceptably high and have plans in place to address them.

However, in a report released this week Margaret Crawford found a disconnect between having the risk mitigation plans and delivering on them.

She also said her audit uncovered “significant risks” that both agencies had failed to pick up.

The specific risks wouldn’t be disclosed for security reasons, she said.

Both agencies are falling short of standards set out by the NSW Cyber Security Policy (CSP) and have “low maturity” in relation to managing the vulnerabilities uncovered by the audit, the report says.

The CSP sets out 25 mandatory requirements for government agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies relating to malware, cyber attacks and misuse, and data recovery.

Only 7 per cent of staff at TfNSW had completed basic cyber security training.

“TfNSW and Sydney Trains’ risk identification processes are not identifying all potential risks,” Ms Crawford says.

“Not all the weaknesses identified in this audit – many of which are significant – had previously been identified by the agencies, indicating that cyber security risk identification is only partially effective.

“Neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision making.”

Failure to share information

The audit found the agencies are failing to share information about cyber risks with executives, limiting the information available to make strategic security decisions.

It also found the agencies aren’t routinely auditing third party suppliers to make sure they’re complying with their contractual obligations.

The report makes a number of recommendations including urgently addressing the identified vulnerabilities, increasing cyber security training for staff, and re-prioritising Cyber Defence Portfolio spending under the $42 million Transport Cyber Defence Rolling Program.

The Department of Customer Service also has a role to play in clarifying CSP requirements and ensuring that all agencies report on where they stand in relation to each mandatory requirement, Ms Crawford says.

Improvement ongoing

TfNSW Secretary Rob Sharp said there had been a ‘measurable uplift’ in cyber security across the cluster in line with ‘unprecedented investment’ in the Cyber Defence Portfolio.

Mr Sharp said boosting cyber security was a key priority of TfNSW’s Future Transport 2056 strategy.

“This report and its recommendations will serve as constructive input to underpin our ongoing efforts,” he said.

Department of Customer Service secretary Emma Hogan said the department endeavours to continually improve cyber security policy.

“The report is a timely reminder that there is still much work to be done,” she said.

Details to remain secret

Ms Crawford said she agreed to requests from TfNSW and Sydney Trains not to reveal the specific nature of the weaknesses as they had not yet been addressed.

However, she said it was regrettable this had to occur.

“It is disappointing that transparency to the Parliament and the public on issues that potentially directly affect them needs to be limited in this way,” she said.

One thought on “Cyber security failures at TfNSW, Sydney Trains”

  1. Cyber security to minimize disruptions, just like system improvements, is fundamental to providing a reliable system, and is essential across all sectors of government.
    The lack of adequate security in the transport and logistics arena would quickly bring our lives into chaos if a cyber attack is not averted. In the current climate these attacks have become an everyday occurrence.
    Motivations vary, not necessarily for extortion or data theft, but just to cause chaos.
    Either way, it’s like stealing.

    It involves a culture change for all of us. We all have a part to play in being vigilant!
    You don’t leave your assets, including systems, unprotected.