Under the Transport Integration Act 2010, Public Transport Victoria (PTV) is responsible for planning, coordinating, providing, operating and maintaining a safe public transport system, including train services. PTV, train operators and other relevant entities have a shared responsibility under the Rail Safety Act 2006 to make sure train services are safe. This includes securing control systems—the central systems that manage and monitor train services.
PTV is the public transport development authority responsible for establishing governance arrangements to oversee the development of a coordinated cyber security strategy and making sure the strategy is delivered. Effective cyber security relies on full engagement at all levels of PTV, train operators and other relevant entities—including a responsibility for boards to set a cyber security strategy and ensure it is implemented.
Middle and front-line management in PTV, train operators and other relevant entities play an important role in delivering the cyber security strategy through day-to-day operations. They also play a vital role by providing feedback to PTV and their executive management teams.
During public transport disruptions, PTV, with the assistance of train operators, is responsible for ensuring the restoration of train services. During a major emergency, the Emergency Management Commissioner is responsible for overseeing the response and recovery arrangements, and managing the impacts of the emergency on critical infrastructure.
PTV has not adequately established governance arrangements to oversee the management of control systems, resulting in:
- incomplete and inadequate cyber security frameworks in train operators
- a lack of clarity and understanding between PTV and train operators about ownership, roles and responsibilities for the management and operation of control systems
- no strategic direction or coordination of train operators to develop consistent minimum security requirements for control systems
- inadequate risk and compliance management processes
- limited progress in addressing the findings of our 2010 audit Security of Infrastructure Control Systems for Water and Transport.
We note that PTV has begun to establish governance processes, which will help it put actions in place to improve the security of train control systems.
2.2 Statutory oversight of cyber security
Our previous audits have highlighted inadequate cyber security in Victorian public sector agencies. The Department of Premier & Cabinet stated in the Information Technology Strategy: Victorian Government 2016–2020 that the government must take a strategic approach to managing system security due to the escalating threat of cyber attacks.
Emergency Management Victoria commented in 2015 in its Critical Infrastructure Resilience Strategy that cyber attacks are an emergency risk, and Victorian critical infrastructure owners and operators should prepare for them.
Despite the increasing importance of cyber security, transport agencies currently have limited guidance to support them in reducing their vulnerability to cyber attacks.
The Transport Integration Act 2010 states that PTV is responsible for planning, coordinating, providing, operating and maintaining a safe, punctual, reliable and clean public transport system.
Safety management is well established in train services, as required under the Rail Safety Act 2006. Management of cyber security must be approached in a similar way, but there is no legislation that mandates cyber security requirements. Other countries have identified the need to address cyber security for train services and have developed specific guidelines, such as Rail Cyber Security: Guidance to Industry, produced by the United Kingdom's Department of Transport.
Policy and standards
Until recently, there were no mandatory policies or standards for managing cyber security. In July 2016, the Victorian Government released the Victorian Protective Data Security Framework (VPDSF) and Victorian Protective Data Security Standards (VPDSS). The VPDSF and VPDSS establish mandatory requirements for protecting public sector data and establish governance arrangements across the domains of information, personnel, information and communication technology (ICT) and physical security. PTV and train operators must comply with the VPDSF and VPDSS requirements by July 2018.
In August 2016, PTV notified train operators of the new requirements and offered annual compliance assessments of their control systems against the VPDSF and VPDSS. PTV requested train operators to:
- assign information security accountability to an executive director
- nominate subject matter experts on control system security
- undertake a security risk profile assessment by June 2017
- develop a protective data security plan by December 2017
- attest to their compliance with the VPDSF and VPDSS by December and June of each year.
Train operators have responded and nominated appropriate executive directors and subject matter experts.
The Rail Industry Safety and Standards Board (RISSB) is responsible for the development and management of rail industry standards in Australia. RISSB is developing a standard to manage control system security risks, which is expected to be published by December 2017. Victoria's train operators are both members of RISSB.
2.3 Public Transport Victoria responsibilities
Under the Transport Integration Act 2010, the main role of PTV is to deliver safe and reliable public transport services. In this role, it needs to effectively oversee the security of control systems by:
- setting up governance arrangements for PTV, train operators and other relevant entities
- defining, documenting and communicating the roles and responsibilities of staff, boards and committees involved in securing control systems
- assigning overall accountability for managing cyber security to a person or group
- regularly reporting to governing boards and committees on control systems and associated security risks.
2.3.1 Strategic direction
Under the Transport Integration Act 2010, PTV is required to develop and implement policies and strategies to improve the safety of passenger services and the security of the public transport system. We found that PTV has not yet developed a cyber security strategy for control systems.
In its Information Technology Strategy: Victorian Government 2016–2020, the government has committed to developing an overall strategy for cyber security by December 2016. This strategy will potentially contribute to the standardised, strategic and coordinated management of control systems.
2.3.2 Coordination and support
Before PTV was established, control systems were managed by the former Department of Transport's Systems and Information Services Division (SISD). Now that SISD has been disbanded, it is not clear who is responsible for managing and supporting control systems, and train operators' activities and projects for control systems have not been coordinated.
In our 2010 audit Security of Infrastructure Control Systems for Water and Transport, we recommended that a security team be set up by the former Department of Transport, comprising suitably qualified and experienced staff who could provide train operators with advice on managing security, risk and business continuity. In this audit, we noted that PTV has only one designated staff role with responsibility for these activities.
PTV has established a new Information and Controls Security Steering Committee, comprising executive management representatives from PTV and train operators. The committee met for the first time on 27 July 2016 but only one out of seven executive management representatives attended. Management from PTV, train operators and other relevant entities will need to be fully engaged and committed to make this committee and the cyber security strategy effective.
2.3.3 Control systems—ownership and responsibility
Control systems are an asset. They must be managed across their life cycle by the asset owner, to ensure they can deliver the intended service. The Victorian Government's February 2016 Asset Management Accountability Framework establishes a set of mandatory requirements and general guidance to ensure assets in the Victorian public sector are appropriately managed.
We identified a lack of understanding about the ownership of control system assets and responsibility for these assets. We noted instances where PTV, train operators and Victorian Rail Track (VicTrack) could not clearly show which agency owned and had responsibility over control systems. This has led to some activities overlapping and some being omitted, including:
- PTV and train operators duplicating frameworks, policies and procedures
- train operators duplicating engineering and maintenance support resources
- limited management of the security of control systems.
2.3.4 Franchise and service agreements
Train services are managed through franchise and service agreements between PTV and the two train operators. These agreements define PTV's responsibilities—including responsibilities that are contracted and/or legislated to train operators—and the requirements for train operators in the delivery of train services. By setting responsibilities and requirements, PTV and train operators can monitor and report on how they are managing and operating control systems, including security.
We reviewed the agreements between PTV and train operators and found that security of control systems is not included as a requirement. As a result, there are no minimum security standards for control systems that train operators need to implement and maintain.
PTV acknowledged this omission and will include control system security requirements in the renegotiated franchise and service agreements. The current service agreement for one train operator is due to expire in December 2016, and the franchise agreement for the other train operator is due to expire in November 2017. Both train operators are currently in negotiations with PTV.
The Victorian Government pays for the maintenance and upkeep of control systems through several funding streams based on activity and asset type. These streams include:
- renewals of control systems—continuous improvement projects to upgrade or enhance control systems are funded as individual projects outside of the franchise and service agreements
- maintenance of control systems—activities to repair and preserve the condition of control systems are funded through an annual funding pool under the infrastructure leases between PTV and train operators
- ICT or business system upgrades—activities to maintain minimum standards of business systems, which are sometimes used to support control systems and conventional office systems, are funded through an annual funding pool under the franchise and service agreements
- telecommunications maintenance and upgrades—partly funded by VicTrack's asset management program and partly paid directly by the train operators under the telecommunications service agreements with VicTrack.
The lack of clarity about which agency owns and has responsibility for control systems has resulted in maintenance of and upgrades to control systems not being a funding priority.
We noted that the Department of Economic Development, Jobs, Transport & Resources (the department) and PTV are reassessing funding options as part of the current renegotiation of franchise and service agreements between PTV and train operators.
2.3.6 Security framework, policies and procedures
A security framework is a series of documented policies and processes that are used to guide management and staff in performing their duties. These policies and procedures should reflect legislative requirements, government policy decisions, agreements and internal requirements. Train operators need to establish effective and comprehensive policies and procedures to secure the control systems they operate.
Under the Transport Integration Act 2010, PTV is required to develop and implement policies and strategies to improve the safety of passenger services and the security of the public transport system.
We note that before this audit PTV had not developed policies or provided guidance to train operators. Instead, we found that effort was being duplicated as train operators had independently started to develop security frameworks, policies and procedures, which were at varying stages of development.
During this audit, PTV has developed a security framework and prepared new security arrangements for train operators, but it has not yet provided formal advice to train operators about these arrangements.
PTV needs to adopt a centralised, coordinated approach to governance to encourage more effective collaboration between PTV and the train operators and set minimum security standards.
2.4 How train operators manage cyber security
2.4.1 Boards of PTV and train operators
Effective cyber security relies on full engagement by all levels of an entity—including a responsibility for the entity's board to set a cyber security strategy and ensure it is implemented.
We noted that the board of PTV has limited oversight of vulnerabilities, threats and risks to control systems. We identified:
- little evidence of reporting on cyber security issues to the board—PTV had only once provided high‑level reporting about cyber security to its board, in April 2016
- limited board involvement in matters concerning the cyber security of control systems.
We also noted that one train operator regularly reports on control system security to its board while the other does not.
2.4.2 Executive management in PTV and train operators
To ensure that cyber security strategy and measures are implemented, all members of an entity must be committed to securing control systems. Security programs with a clear strategy, adequate funding and visible support from executive managers are more likely to function effectively.
We found that there is no clear responsibility for providing direction or support for the cyber security of control systems at the executive management level within PTV.
Figure 2A provides an example of a cyber attack on Saudi Arabia's national oil and gas firm.
Case study: Cyber attack on Saudi Aramco
On 15 August 2012, the computer network of Saudi Aramco—Saudi Arabia's national oil and gas company—was struck by a virus dubbed 'Shamoon', which infected up to 30 000 of its computers. Saudi Aramco took almost two weeks to recover from the damage.
The virus's main function was to indiscriminately delete data from computer hard drives. Although this did not result in an oil spill, explosion or other major fault in Saudi Aramco's operations, the attack affected the business processes of the company because every computer system was physically unplugged to prevent the virus from spreading further.
Without technology, Saudi Aramco had to manage supplies, shipping, payments and contracts with governments and business partners on paper. The company temporarily stopped selling oil to domestic gas tank trucks. After 17 days, the company relented and started giving oil away for free to keep it flowing within Saudi Arabia. Saudi Aramco's ability to supply 10 per cent of the world's oil was suddenly at risk.
The Shamoon virus also spread to the networks of other oil and gas companies, including that of RasGas—Qatar's second biggest liquefied natural gas producer.
Source: VAGO, based on articles from the International Institute for Strategic Studies and Cable News Network.
2.5 Managing risk and compliance
Compliance and risk management are critical and interrelated components of an effective framework of standards and processes for safety and security management.
To manage risk, an entity must assess existing and potential risks, enabling it to mitigate and manage the impact of these risks by implementing new policies and procedures.
To manage compliance, an entity commits to acting within legislative requirements, policies and procedures, to ensure it is acting legally and ethically.
2.5.1 Risk management
Because control systems are the central systems that manage and monitor train movements, PTV and train operators need to have a clear understanding of the risks that may affect these systems, such as potential cyber attacks. The increasing sophistication of cyber attacks means that train control systems are increasingly vulnerable and require protection.
Train operators are required, under franchise and service agreements, to maintain a risk management system that complies with the Australian and New Zealand risk management standard AS/NZS ISO 31000:2009. The train operators had different approaches to assessing control system risks in their broader organisational risk management plans—one operator's plan included control system risks while the other's did not. We also noted that although PTV has a risk management plan, it does not address risks to control systems. This means that PTV and one of the train operators have no risk management strategies or risk registers for control systems.
During this audit, the Acting Auditor-General issued management letters to PTV, outlining a number of issues of concern that have not been included in this report due to their sensitive nature. The Acting Auditor-General recommended that PTV engage with train operators to identify and mitigate risks and address security vulnerabilities. PTV has begun to establish governance processes to address these risk management issues and improve the security of train control systems.
2.5.2 Compliance management
We reviewed the processes used by PTV and train operators to manage compliance. The processes were not robust enough for them to monitor, measure, evaluate and report compliance on performance measures related to control systems.
Train operators are independently identifying controls and requirements for compliance, and implementing processes to address them, without coordination from PTV. Compliance activities should be embedded in day-to-day operations, policies and procedures, but instead they are haphazard and uncoordinated.
Following recommendations from an internal audit, one train operator developed a compliance management framework and compliance obligations register in July 2016, and revised its compliance policy.
2.5.3 Monitoring risk and compliance
The Transport Integration Act 2010 requires PTV to perform audits on public transport infrastructure assets, including control systems. By performing regular audits, PTV will be able to monitor the security of control systems as part of its responsibility to manage public transport infrastructure.
Train operators and PTV should be more active in undertaking audits on the security of control systems. Since its establishment, PTV has only carried out one audit, in January 2016, which evaluated the security framework for control systems of both train operators and itself. Train operators need to implement programs to regularly carry out vulnerability assessments and tests to assess the security of their control systems.
2.6 Management and resolution of audit findings and recommendations
In our 2010 audit, Security of Infrastructure Control Systems for Water and Transport, we made three key recommendations for transport agencies. These included reviewing and implementing security improvements to control systems and setting up a centralised security team to provide advice to train operators.
Since our 2010 audit, machinery-of-government changes have shifted accountability for train control systems and responsibility for resolving the recommendations from our audit. Without a clear process to manage these changes in accountability, the department and PTV could not provide assurance that detailed information from our 2010 audit had been communicated to the train operators. Further, the proposed centralised security team has not been set up.