Hackers could infiltrate Sydney's traffic light network and cause accidents or road chaos, an official investigation has found, raising serious doubts over the preparedness of the state's vital infrastructure to ward off cyber attacks.
The technology controlling Sydney's water supply and sewers should also be more secure, and the privatisation of water treatment hampers checks on cyber security, the probe by NSW Auditor-General Grant Hehir found. He called on government operators of other critical infrastructure to heed the lessons learnt.
Recent cyber attacks on Sony Pictures in Hollywood and the US military's Twitter and YouTube accounts have highlighted the threat posed by cyber criminals.
Such attacks in Australia are not unheard of. In Queensland in 2000, a disgruntled computer expert hacked into Maroochy Shire sewerage system and released raw sewage into parks and waterways.
The Auditor-General's findings released last week assessed the security of systems managing the state's roads, in particular its 4000 sets of traffic lights.
He found that the systems managing traffic signals "are not as secure as they should be".
"There is the potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents," the report said.
Devices are in place preventing simultaneous green lights or green-yellow lights at intersections. However, traffic lights could still be disabled entirely, including through physical tampering of roadside controls.
A security plan in place for the Transport Management Centre, where the state's roads are centrally monitored, does not extend to the whole traffic light system.
A Transport for NSW spokesman noted the "opportunities to improve" its systems. The agency implemented best-practice controls and "only a select few staff, with high-level clearance, have access to the traffic light system", he said.
The report also probed Sydney Water, which manages the city's water supply and sewage, and found controls preventing IT security breaches were "not as effective as they could be". However, the state-owned corporation was well placed to respond to security incidents if they occurred.
The Auditor-General said he was prevented from gauging security at the privately operated Prospect water treatment plant, which produces a large proportion of Sydney's water supply, because his mandate did not extend to third parties. This is despite calls by a parliamentary committee in 2013 for an extension of audit powers.
There is the potential for unauthorised access to sensitive information and systems that could result in traffic disruptions, and even accidents
A Sydney Water spokesman said it "takes system and site security very seriously" and third parties are subject to stringent security obligations.
"We acknowledge that there is room for improvement, and learnings from the report will be used to develop more resilient systems," he said.
NSW Labor's water spokesman Peter Primrose said the privatisation of water and other services had created a "corporate veil of secrecy".
"People rely on these services and they should be accountable to the public through the Auditor-General and the Parliament," he said.