Security of Critical Infrastructure Control Systems for Trains

Tabled: 9 November 2016

1 Audit context

1.1 Introduction

Passenger train services for the Victorian public are an essential service, much like electricity, water, gas and port services. Train services rely heavily on control systems that monitor and control service delivery. These control systems consist of:

  • operational systems for metropolitan and regional passenger train services
  • infrastructure management systems that control and monitor assets and power distribution
  • passenger and operator safety systems, including closed-circuit television and passenger communication and information systems
  • telecommunications and network infrastructure, including signalling systems and radio communications.

Control systems must be secure to ensure that Victoria's train services are sustainable, protected from unauthorised access and can be reliably operated and delivered. A breach in the security of control systems could result in disruption to train services.

In Victoria, several agencies are involved in managing and operating the train system, including the transport division of the Department of Economic Development, Jobs, Transport & Resources, Public Transport Victoria (PTV), and train operators Metro Trains Melbourne Proprietary Limited (MTM) and V/Line Proprietary Limited (V/Line). Victorian Rail Track (VicTrack) owns Victoria's train infrastructure, land and assets.

1.2 Train sector overview

1.2.1 Responsibility for the transport portfolio

Since our 2010 audit Security of Infrastructure Control Systems for Water and Transport, machinery-of-government changes have transferred responsibility for the transport portfolio multiple times:

  • In April 2013, responsibility for transport passed from the former Department of Transport (which had been the subject of our 2010 audit) to the Department of Transport, Planning & Local Infrastructure.
  • From 1 January 2015, the Department of Economic Development, Jobs, Transport & Resources (the department) took responsibility for the planning and oversight of Victoria's transport system, infrastructure and services.
  • On 27 June 2016, the Victorian Government announced that a new agency called Transport for Victoria (TFV) will be established in late 2016. TFV will have overarching responsibility for transport across Victoria and will be part of the department. Its role will include planning, coordinating and managing Victoria's transport networks as one system. PTV and Roads Corporation of Victoria (VicRoads) will be part of TFV.

1.2.2 Transport agencies

Figure 1A shows the relationship between the Minister for Public Transport and transport agencies.

Figure 1A

Relationship between the Minister for Public Transport and transport agencies

Chart illustrating the relationship between transport agencies

Note: In view of the impending establishment of TFV, this diagram is accurate as of 6 September 2016.

Source: VAGO.

The Department of Economic Development, Jobs, Transport & Resources

The department has overall responsibility for the planning, delivery and oversight of Victoria's transport system, infrastructure and services. It oversees transport regulatory policy and legislation. The department is also engaged in delivering the Victorian Government's major transport projects and initiatives to improve public and private transport and other major infrastructure in urban and rural Victoria.

Public Transport Victoria

PTV is the statutory authority responsible for planning, coordinating, providing, operating and maintaining a safe, punctual, reliable and clean public transport system—including train services. In November 2011, the Transport Integration Act 2010 was amended to form PTV. On 2 April 2012, PTV began operation and assumed responsibilities for overseeing train operations previously exercised by the Director of Public Transport and the Department of Transport.

PTV delivers train services through its agreements with operators:

  • MTM, which operates metropolitan train services in Victoria through a franchise agreement (a legally binding contract)
  • V/Line, which operates regional train services in Victoria through a service agreement (as the legislated train operator).

The train operators use control systems to manage and control infrastructure to deliver train services across the train network.

Metro Trains Melbourne Proprietary Limited

MTM is the franchise operator of Victoria's metropolitan train service. It is a joint venture between the Hong Kong-based MTR Corporation, John Holland Group and UGL Rail. It operates 210 six-carriage trains across 869 kilometres of track. The train fleet provides more than 228 million train trips each year and transports 415 000 customers each day.

MTM is not an authority (a department, public body or an entity of which the state or a public body has control) and has participated voluntarily in this performance audit under section 15 of the Audit Act 1994.

V/Line Proprietary Limited

V/Line is a Victorian Government statutory authority legislated under the Transport Integration Act 2010. Its primary objective is to provide passenger and freight train services, and it is the sole provider of train and bus services in regional Victoria. In 2014–15, more than 15 million train and bus passenger trips were taken on V/Line services. Every week, more than 1 700 train services are scheduled between Melbourne and major regional cities.

1.2.3 Other agencies

Victorian Rail Track

VicTrack is the custodial owner of Victoria's train infrastructure, land and assets. It owns and operates the telecommunications infrastructure that supports Victorian metropolitan and regional train services. Train and telecommunications infrastructure and assets are leased via PTV to the train operators, except those owned by the train operators. VicTrack provides managed telecommunications services direct to the train operators via the telecommunications service agreements.

Emergency Management Victoria

In July 2014, Emergency Management Victoria (EMV) was formed when the Emergency Management Act 2013 came into effect. EMV plays a key role in implementing the Victorian Government's emergency management reform agenda and developing a whole-of-government policy for emergency management. As of 1 July 2015, the 2014 amendment to the Emergency Management Act 2013 requires operators of critical infrastructure declared vital to create emergency risk management plans.

EMV also supports the Emergency Management Commissioner, who has overall responsibility for coordination and response before, during and after major emergencies, including managing the consequences of an emergency that affects critical infrastructure. This role was previously performed by Victoria Police under the Terrorism (Community Protection) Act 2003.

1.3 Control systems overview

Critical infrastructure for train services includes network equipment, field equipment and the communication network, which are all monitored and controlled by control systems. These systems are computer based and are assets that should be managed across their life cycle to support the delivery of train services. Control systems must be secure to ensure that train services are sustainable and protected from unauthorised access and can also be reliably operated and delivered.

This audit specifically focused on the security of control systems. Figure 1B shows the boundary between control systems, network equipment, field equipment and the communication network.

Figure 1B

Relationship between control systems, network equipment, field equipment and the communication network

Chart illustrates the relationship between control systems, network equipment, field equipment and the communication network

Source: VAGO.

1.3.1 Risks to control systems

Cyber attacks pose a growing threat to the security of control systems. Australia's Trusted Information Sharing Network—a forum established by the Australian Government to build the resilience of critical infrastructure for business and government—advised that the risk of cyber attack is escalating, with targeted attacks having the capability to damage infrastructure.

For Victoria’s train system, if security vulnerabilities in control systems are not addressed, they may result in:

  • extended or complete loss of train services
  • economic loss to train operators and the Victorian economy
  • reputational damage to train operators
  • train operators losing control of commercial or sensitive information
  • criminal damage or sabotage to control systems.

As cyber attacks become increasingly automated and sophisticated, control systems become more vulnerable. The move away from standalone control systems to those that are connected with other computer systems and networks also increases their exposure to cyber attacks.

The motivation for launching a cyber attack varies, but it typically includes a desire to cause harm, to demand a ransom, to cause service disruption, to inflict reputational damage or to steal data. The possibility of trusted users such as employees, vendors and external contractors accessing or operating control systems inappropriately, causing service disruption, poses another threat.

Figure 1C defines key terms in this report.

Figure 1C

Key definitions

Term: Definition

Cyber threat: The threat of unauthorised access to a control system device and/or network. This access could be directed from within an organisation (for example, by a disgruntled employee) or from a remote location by an unknown person (for example, a hostile government, a terrorist group or a malicious intruder) using the internet.

Cyber attack: A deliberate act through the internet to manipulate, deny, degrade or destroy computers or networks, or the information stored in them. The objective of a cyber attack is to seriously compromise security, stability or prosperity.

Hostile actor: An individual or organisation—including an agency of a nation state—that conducts cyber attacks.

Source: VAGO.

In 2014–15, CERT Australia—the Australian Government's national computer emergency response team, a partner agency of the Australian Cyber Security Centre—responded to 11 733 incidents affecting Australian organisations, 218 of which involved systems of national interest and critical infrastructure. A CERT Australia survey in 2015 asked respondents a series of questions about cyber attacks. The survey's results indicated that:

  • 72 per cent of respondents had experienced an attack by ransomware—malicious software designed to block access to a system until a sum of money is paid
  • 60 per cent of respondents saw trusted insiders as the most concerning hostile actor, followed by motivated groups or hackers at 55 per cent, and organised criminal syndicates at 54 per cent.

Figure 1D shows some examples of cyber attacks across different industries reported globally since December 2015.

Figure 1D

Reported cyber attacks

Image shows examples of cyber attacks

Source: VAGO.

1.4 Legislative and policy context

Transport Integration Act 2010

The Transport Integration Act 2010 came into effect on 1 July 2010 and is Victoria's primary transport act. The Transport Integration Act 2010 requires that all decisions affecting the transport system be made within the same integrated decision-making framework and support the same objectives. A 2011 amendment to the Transport Integration Act 2010 created PTV.

Rail Safety Act 2006

The Rail Safety Act 2006 came into effect on 1 August 2006 and is the prime statute legislating the safety of rail operations in Victoria. The Rail Safety Act 2006 forms part of the transport policy and legislation framework in Victoria.

Emergency Management Act 2013

The Emergency Management Act 2013 came into effect on 1 July 2014 and established governance arrangements for emergency management in Victoria. The governance arrangements require all government agencies and other organisations to work collaboratively to respond to any potential or existing situation that may cause harm to people or damage to property or the environment. As of 1 July 2015, the 2014 amendment to the Emergency Management Act 2013 requires operators of critical infrastructure declared vital to create emergency risk management plans.

Critical Infrastructure Resilience Strategy

The 2015 Critical Infrastructure Resilience Strategy sets out the vision, principles and strategic priorities for building the resilience of Victoria's critical infrastructure. It highlights cyber attack as one of the emergency risks that critical infrastructure owners and operators should prepare for.

Victorian Protective Data Security Framework

In July 2016, the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS) were published by the Commissioner for Privacy and Data Protection. The VPDSF and VPDSS establish mandatory requirements to protect public sector data and provide for governance across the four domains of information, personnel, information and communication technology (ICT) and physical security. PTV and train operators are required to comply with the VPDSF and VPDSS requirements by July 2018.

Asset Management Accountability Framework

The Asset Management Accountability Framework was released by the Department of Treasury & Finance in February 2016. The framework establishes a set of mandatory requirements and general guidance to ensure Victorian public sector agencies manage assets appropriately. This includes ICT assets.

Information Technology Strategy: Victorian Government 2016–2020

The Information Technology Strategy: Victorian Government 2016–2020 was released by the Department of Premier & Cabinet in May 2016. The strategy provides direction for government on information management and technology for the next five years, including development of a statement of direction and overall strategy for cyber security.

1.5 Standards

The following standards include relevant principles for good governance and information security policy:

  • ISO/IEC 27001:2013 Information Security Management
  • ISO/IEC 21827:2008 Systems Security Engineering—Capability Maturity Model
  • ISA/IEC 62443 Standard Suite for Industrial Automation and Control Systems
  • AS/NZS ISO 31000:2009 Risk Management.

Other good practice standards relevant to maintaining the security of control systems include:

  • Security Benchmarks, Center for Internet Security (United States): https://benchmarks.cisecurity.org
  • Catalog of Control Systems Security, version 7, April 2011, Department of Homeland Security (United States)
  • Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, February 2014, National Institute of Standards and Technology (United States)
  • NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, National Institute of Standards and Technology (United States)
  • Sherwood Applied Business Security Architecture, SABSA (United Kingdom): http://www.sabsa.org.

1.6 Why this audit is important

Passenger train services are an essential service for the Victorian public. Train services rely heavily on control systems that monitor and control service delivery. Control systems must be secure to ensure that Victoria's train services are sustainable, protected from unauthorised access and can be reliably operated and delivered. A breach in the security of control systems could result in disruption to train services.

1.7 Previous audits

In October 2010, we tabled the performance audit report Security of Infrastructure Control Systems for Water and Transport. We found that the risk of unauthorised access to water and transport infrastructure control systems was high. Unauthorised access could compromise these systems and affect the stable delivery of essential services to the community.

In November 2013, we tabled the performance audit report Whole-of-Victorian-Government Information Security Management Framework. We found that policy, standards and protection mechanisms for the security of information and communications technology systems and data across 11 public sector agencies had not been effectively applied.

1.8 What this audit examined and how

Our objective was to assess whether security risks to critical infrastructure control systems that operate and control train services are managed effectively. To do this, we assessed whether:

  • appropriate levels of governance over control systems have been established
  • processes and controls to identify, prevent, detect and respond to security events in control systems are effective
  • business continuity and disaster recovery capabilities are effective and there are established response capabilities
  • transport agencies have implemented recommendations raised in our 2010 audit Security of Infrastructure Control Systems for Water and Transport.

We focused on metropolitan and regional train services for two reasons:

  • the high volume of patronage—in 2014, train services accounted for approximately 236 million passenger trips, which is 45 per cent of total public transport usage in Victoria
  • the potential impact that a security breach or disaster would cause to public transport services and safety.

The audit includes the department, agencies and train operators involved in the provision of passenger train services to the Victorian public:

  • Department of Economic Development, Jobs, Transport & Resources
  • Public Transport Victoria
  • Metro Trains Melbourne
  • V/Line Proprietary Limited
  • Victorian Rail Track
  • Emergency Management Victoria.

We conducted this audit in accordance with section 15 of the Audit Act 1994 and Australian Auditing and Assurance Standards. The total cost of this audit was $545 000.

In accordance with section 20(3) of the Audit Act 1994, we express no adverse comment or opinion about anyone we name in this report.

1.9 Report structure

This report is structured as follows:

  • Part 2 examines whether appropriate levels of governance over control systems have been established and the extent to which transport agencies have implemented recommendations raised in our 2010 audit Security of Infrastructure Control Systems for Water and Transport
  • Part 3 examines whether processes and controls to identify, prevent, detect and respond to security events in control systems are effective.
