Security risks to control systems have increased significantly in recent years. Around the world, public and private sector systems have faced unprecedented and escalating cyber threats to the security of information.
Global information security policies and standards are based on the International Organisation for Standardization ISO 27000 series of standards, which provide best practice recommendations on risks and controls as part of an overall information security management system. Other relevant industry standards include ISA/IEC 62443 from the International Society of Automation, and NIST SP 800-53 Revision 4, published by the National Institute of Standards and Technology.
We assessed the two passenger train operators' cyber security of control systems against a security framework based on industry standards—a series of documented processes used to define policies and procedures for implementing and managing information security controls. We also looked at the security configuration of train operators' control systems.
The security frameworks that train operators have in place do not adequately safeguard the control systems that operate train services. The security controls used to identify, prevent, detect and respond to cyber threats are not able to prevent unauthorised access to the operators' control systems.
We identified serious security vulnerabilities in the control systems, which could expose them to cyber threats.
We notified Public Transport Victoria PTV and the train operators about the security vulnerabilities we identified, and they have accepted the identified weaknesses. The train operators have reviewed the security vulnerabilities and have either developed or are currently developing remediation plans to address these risks and weaknesses.
3.2 Cyber security framework
A cyber security framework defines the policies and procedures that an organisation uses to implement and manage its information security controls. The framework acts as a foundation for building an information security program that:
- mitigates risks
- reduces vulnerabilities
- defines and prioritises the tasks required to integrate cyber security into an entity.
Train operators' security over control systems was measured against the ISO/IEC 21827:2008 Systems Security Engineering—Capability Maturity Model. This model assesses the maturity of control system security on the following scale:
- not performed—incomplete processes
- performed informally—ad hoc processes and success that depend on individual efforts
- planned and tracked—plans developed and processes in place to track performance
- well defined—processes documented, standardised and integrated
- qualitatively controlled—processes are qualitatively measured, understood and controlled
- continuously improving—quantitative feedback used to continuously improve the process.
Figure 3A summarises the results of the assessment of train operators using this framework.
Capability maturity model assessment
The results indicate that train operators' security frameworks for control systems are at low levels of maturity. Specific elements assessed in the cyber security framework are discussed below.
Security awareness training is the formal process for educating employees about security. This training helps employees to apply organisational policies and procedures and alert managers to compliance matters and breaches. Security awareness training can foster a strong security culture through general awareness, education programs and staff training.
Train operators' security awareness training programs for physical security and general awareness are reasonable—enough training is in place to provide employees with a basic awareness of physical security matters and the appropriate responses to them.
However, we found that:
- train operators' security awareness training programs do not cover security of control systems
- there is little evidence of train operators preparing broader strategies to educate and raise employees' security awareness
- there are no forums to share knowledge about control systems between train operators and PTV.
Security monitoring is a key process that enables train operators to detect and prevent security incidents. Intrusion detection systems monitor events on a network to identify unusual traffic patterns or changes to critical operating files. These events might include system or network activities such as login attempts or file access attempts. Intrusion prevention systems take intrusion detection one step further by automatically acting to stop detected cyber attacks.
Train operators should improve their ability to detect and prevent cyber attacks.
Service continuity and restoration
An effective control system has a 'high availability' requirement—it needs to be durable and likely to operate continuously without failure for a long time. One way for train operators to achieve high availability is to have emergency response and contingency plans they can execute during a disaster such as a system outage.
Emergency response and contingency plans provide information on how a specific business function or operating site can be re-established after a disaster, such as in an alternative operating location. These plans should be reviewed and updated and tested regularly to ensure that they continue to meet objectives.
Train operators should improve their emergency response and contingency plans as well as the capability of their disaster recovery sites.
User access management
User access management relates to managing access to systems, including how access is approved, revoked and periodically reviewed to ensure that it is in line with staff roles and responsibilities. The main objective of managing user access is to maintain the confidentiality, integrity and availability of systems and data.
Weaknesses in user access management controls can result in inappropriate and excessive privileges being assigned to users, which could give them unauthorised access to control systems.
Train operators should improve their user access management processes and controls to better restrict and manage which users can access their control systems.
The objective of change management is to ensure that changes to a computer system or its environment are appropriate and preserve the integrity of the underlying system and data. Weaknesses in change management can lead to an increased risk of unauthorised changes being made to systems and data, which could affect their availability and integrity.
Train operators should improve their change management processes and controls to better manage the integrity of control systems.
A patch is an additional piece of software that vendors release to fix specific flaws in software or systems. Security vulnerabilities are flaws that can be exploited to gain unauthorised access to systems or to make inappropriate use of software. Periodic patching aims to improve the security of systems by reducing the number and likelihood of vulnerabilities being exploited.
Train operators should improve their patch management processes and controls to actively manage the vulnerabilities in their control systems, through periodic and timely patching.
3.3 Vulnerability assessment of control systems
Vulnerability assessment is a process that defines, identifies and classifies the security weaknesses in a computer system and tests its ability to identify, prevent, detect and respond to cyber attacks.
Figure 3B provides an example of a cyber attack on Ukrainian power companies.
Case study: Cyber attack against Ukrainian critical infrastructure
On 23 December 2015, Ukrainian power companies experienced unscheduled power outages for several hours, affecting approximately 225 000 customers in Ukraine. This outage was caused by remote cyber attacks at three regional electric power distribution companies. Although power was eventually restored, all three regional electrical power distribution companies continue to run under constrained operations.
The cyber attacks were reportedly synchronised and coordinated—they occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber attacks, the hostile actors used remote administration tools to perform malicious remote operation of control systems and critical infrastructure. The companies believe that the hostile actors acquired legitimate credentials prior to the cyber attack to facilitate the remote access.
All three companies indicated that the hostile actors corrupted the systems at the conclusion of the cyber attack, rendering them inoperable. At the same time, the hostile actors overwhelmed the companies' call centres with automated telephone calls, affecting their ability to receive outage reports from customers and frustrating the companies' response efforts.
Source: VAGO, based on information from the United States Department of Homeland Security.
As part of this audit, we appointed an independent specialist to help carry out a vulnerability assessment of the train operators' control systems. The specialist evaluated the control systems' technical controls, and found several deficiencies in their security, mainly in network security, remote access security and legacy operating systems.
Network separation is one of the most effective ways an organisation can mitigate cyber threats. Separating networks can increase cyber security by reducing the number of connections within a computer system, which can deter or prevent access to critical resources and information.
Our vulnerability assessment showed that train operators need to strengthen their network security design.
Remote access security
Remote access is used to give a trusted user or vendor access to the control system or network from a remote location. If not properly secured, remote access can provide a 'back door' entry for a hostile actor into the control system or network.
Our vulnerability assessment showed that train operators need to strengthen the security of their remote access.
Legacy operating systems
Periodic patching is aimed at improving the overall security of systems by reducing the number of vulnerabilities and the likelihood of exploitation.
Our vulnerability assessment showed that train operators need to strengthen their periodic patching of operating systems and applications within their control system environment.
3.4 Addressing cyber security vulnerabilities
During this audit, the Acting Auditor-General issued management letters to PTV outlining the findings of our assessment against the cyber security framework and our assessment of control system vulnerabilities. We sought assurance that consequent risks had been identified and assessed and, where necessary, that risk management processes have been put in place. The Acting Auditor-General asked PTV to work with train operators to identify remediation actions and specified time frames for these actions. PTV responded, outlining its intended actions and time frames.
We will periodically examine whether these findings are being addressed within an acceptable time frame. At our discretion, we may report to Parliament on PTV's progress.