Overview
SIS’ industrial cyber security audit services enabled a government statutory authority to benchmark the security posture of state transport agencies, identifying cyber security risks and prioritisation of key actions for risk mitigation.
Challenge
Public transport is deemed an essential service to the public. As such, the infrastructure and the control systems used to control and monitor this infrastructure are considered critical by government. It is therefore crucial to ensure public transport systems are resilient and sustainable in times of adversity, protected from unauthorised access to critical systems and to allow essential services to be safely delivered and operated.
The convergence of operational technology (OT) and information technology (IT), and the increase in cyber security threats, requires the presence of an effective security control and resilience framework. A security framework for public transport needs to be capable of managing the risks associated with any potential hazards, including safety hazards, to existing and new systems.
A state government statutory authority responsible for providing, coordinating and managing all metropolitan and regional train, tram and bus services, engaged SIS to audit the performance of agencies operating public transport. The audit objective was to determine the effectiveness of each agency’s security framework (security systems, security processes, and security assurance activities), and to identify areas of risk in delivering public transport as an essential service to the State.
Solution
SIS’ audit methodology evaluated and benchmarked each agency against industrial cyber security industry standards, to identify gaps in security capability. This enabled the statutory authority to baseline security framework requirements and to measure the capability and maturity of each agency in managing cyber security risks to essential services.
Outcomes from the audit allowed public transport operators to focus on high-risk areas, and to prioritise remedial actions and investment to mature the security posture of critical systems and processes, as part of a continuous enterprise risk management process, encompassing security.
If you’d like to know more about our many years of experience in providing industrial cyber security solutions: