Passenger train services for the Victorian public are an essential service, much like electricity, water, gas and port services. Train services rely on a range of systems and equipment, including control systems that monitor and control service delivery.
The capacity to continually deliver essential services depends on a number of factors, including effective computer system security controls and procedures that prevent unauthorised access or that detect and respond to security breaches. Failing to keep control systems secure can disrupt the delivery of essential services.
As cyber attacks become increasingly automated and sophisticated, control systems are more vulnerable. The move away from standalone control systems to those that are connected with other computer systems and networks also increases exposure to cyber attacks. We examined the security of train operators' control systems and Public Transport Victoria's (PTV) oversight of these operators.
In our 2010 audit Security of Infrastructure Control Systems for Water and Transport, we noted significant weaknesses in the security of control systems of water and train operators, and we made recommendations to address those weaknesses.
We reviewed the control systems of train operators and PTV's oversight of their performance. There has been little improvement since 2010, and significant weaknesses remain. If Security vulnerabilities in control systems are not addressed, they may result in:
- extended or complete loss of train services
- economic loss to train operators and the Victorian economy
- reputational damage to train operators
- train operators losing control of commercial or sensitive information
- criminal damage or sabotage to control systems.
PTV and train operators' management of control systems' security continues to be weak. There are four key reasons for their lack of progress:
- poor governance arrangements and a lack of management oversight of control systems
- limited security frameworks for PTV's and train operators' control systems
- limited security controls for identifying, preventing, detecting and responding to cyber security events
- poor transfer of accountability and risk during machinery-of-government changes.
During this audit, the Acting Auditor-General gave written information to relevant ministers and a relevant head of a department for urgent investigation or attention, under section 16F of the Audit Act 1994. As required under this section, we also notified the Premier.
Governance of control systems
PTV has not adequately developed governance arrangements to oversee, monitor and support train operators to manage risks to their control systems. This has resulted in:
- incomplete and inadequate cyber security frameworks in train operators
- a lack of clarity and understanding between PTV and train operators about ownership, roles and responsibilities
- no strategic direction to develop minimum security requirements for control systems
- inadequate risk and compliance management processes
- limited progress in addressing the findings of our 2010 audit Security of Infrastructure Control Systems for Water and Transport.
PTV has not identified, prioritised or managed emerging risks to Victoria's essential train services and vulnerabilities of control systems.
PTV has not assigned roles and responsibilities for managing security of control systems in franchise and service agreements with train operators. This has resulted in a lack of clarity and understanding about the ownership of control systems, leading to some activities to secure these systems overlapping and others being omitted.
During the audit, we noted that PTV has started developing governance arrangements, systems and processes that aim to address our audit findings and recommendations.
Security frameworks for control systems
Train operators do not have the necessary security frameworks in place to safeguard the control systems that manage and monitor train services.
When we conducted the audit, PTV had not coordinated or provided guidance to train operators in its role as the public transport development authority responsible for the security of train control systems.
PTV has started to work with train operators to address our audit findings and implement improvements to ensure that control systems are more reliable.
Cyber security controls
Due to inadequate security frameworks, train operators do not have proper controls in place to secure their control systems. They have limited controls to identify, prevent, detect and respond to cyber security incidents. PTV and train operators recognise this situation and are developing strategies to address it.
Many of the detailed findings from this audit about the security of control systems are sensitive, and it is not in the public interest for us to include them in this report.
During the audit, the Acting Auditor‑General issued management letters to PTV, sharing our findings and seeking assurance that consequent risks had been identified, assessed and where necessary that risk management processes have been put in place. The Acting Auditor‑General asked PTV to engage with train operators to identify remediation actions and specified time frames for these actions. PTV responded, outlining its intended actions and time frames.
PTV and train operators are working cooperatively, and we will periodically examine whether these weaknesses are being addressed within an acceptable time frame. We may report to Parliament at a later date on their progress.
Since our 2010 audit, machinery-of-government changes have transferred accountability for train control systems and the responsibility for resolving the recommendations from our 2010 audit.
On 27 June 2016, the Victorian Government announced that a new agency called Transport for Victoria (TFV) will be established in late 2016. TFV will have overarching responsibility for transport across Victoria and will be part of the Department of Economic Development, Jobs, Transport & Resources. Its role will include planning, coordinating and managing Victoria's transport networks as one system. PTV and Roads Corporation of Victoria (VicRoads) will be part of TFV.
We recommend the Department of Economic Development, Jobs, Transport & Resources consider the transfer of accountability and risk during machinery-of-government changes.
We recommend that Public Transport Victoria:
- formalise governance arrangements with train operators and determine responsibilities for the cyber security of control systems (see Section 2.3.2)
- prepare a cyber security strategy for control systems that establishes:
(see Section 2.3.1)
- the desired level of security
- governance arrangements that ensure adequate oversight
- include in the renegotiated franchise and service agreements with train operators:
(see Sections 2.3.3 and 2.3.4)
- a clarification of ownership, roles and responsibilities for the management and operation of control systems
- requirements for the management of control system security
- establish funding arrangements for control system upgrades, renewals and maintenance as part of the renegotiation of franchise and service agreements (see Section 2.3.5)
- identify and appoint a team of suitably qualified and experienced professionals to provide advice to the train operators on security, risk and business continuity management (see Sections 2.3.2 and 2.6)
- establish appropriate processes for accountability, tracking, management and reporting of their actions and train operators' actions, in response to audit recommendations (see Section 2.6)
- advise train operators on how to implement appropriate risk management systems that identify, measure and monitor control system risks, by:
(see Section 2.5.1)
- setting up a risk register
- performing a risk analysis of identified security vulnerabilities to determine whether to immediately introduce security controls and/or technical fixes
- applying the Victorian Government Risk Management Framework to consider inter-agency and relevant significant risks to Victoria
8. advise train operators on how to implement appropriate compliance management systems that include:
(see Sections 2.5.2 and 2.5.3).
- processes to monitor, measure, evaluate and report on the performance of security controls
- internal audit programs to regularly carry out vulnerability assessments or security tests to validate train operators' control system security
9. set up a security controls framework that aims to identify, detect, prevent and respond to cyber threats and that:
(see Sections 2.2, 2.3.6, 2.5.3 and 3.2).
- clearly defines minimum requirements and key performance indicators
- references the Victorian Protective Data Security Framework, Victorian Protective Data Security Standards and the security architecture that train operators should use for their respective control system environments
- includes requirements for monitoring and reporting security incidents
- includes a schedule of audits that Public Transport Victoria will carry out to monitor how the security controls framework is applied and managed
- requires staff training in security of control systems
- includes guidelines for sharing information with train operators to improve the security of control systems
We recommend that the Department of Economic Development, Jobs, Transport & Resources:
- establish appropriate processes to manage the transfer of accountability and responsibility of recommendations (see Section 2.6).
Responses to recommendations
We have professionally engaged with the Department of Economic Development, Jobs, Transport & Resources, Public Transport Victoria (PTV), train operators, Victorian Rail Track and Emergency Management Victoria throughout the audit. In accordance with section 16(3) of the Audit Act 1994 we provided a copy of this report or relevant extracts to those agencies and requested their submissions and comments. We also provided a copy of the report to the Department of Premier & Cabinet.
The following is a summary of those responses. The full responses are included in Appendix A.
The Department of Economic Development, Jobs, Transport & Resources and PTV responded, accepting the recommendations. PTV provided a detailed action plan on how it has begun to address our recommendations and the time frames for these activities. The Department of Justice & Regulation (on behalf of Emergency Management Victoria) and V/Line Proprietary Limited responded, noting the findings in the report. V/Line Proprietary Limited also noted that it will work closely with PTV to ensure that the recommendations are delivered within agreed time frames.