TTC failed to file cybersecurity report, raising questions about its ability to defend itself against hackers | #government | #hacking | #cyberattack


Two years before the TTC was hit by a ransomware attack that knocked vital communication systems offline and may have compromised the personal information of thousands of its employees, city council directed the transit agency to assess its networks for cybersecurity risks, and draft a plan to shore up its defences.

The TTC and other arm’s-length city agencies were told to submit their cyberthreat assessments and security strategies to the city by the end of 2020. According to the city, none of them did.

Neither the city nor the agencies involved have provided a clear explanation why. The missing reports raise questions about whether Toronto and the organizations it oversees have been doing enough to protect themselves from the growing threat of potentially devastating cyberattacks.

Coun. Paul Ainslie, who chairs the city’s general government and licensing committee, expressed surprise the assessments from municipal agencies, boards, and commissions (ABCs) never materialized, and said the issue was particularly concerning in light of the hack at the TTC.

“I hope it’s not the tip of the iceberg. Every ABC needs to take cybersecurity seriously. ABCs’ IT departments and staff can’t be operating in isolation. It will haunt them,” said Ainslie (Scarborough-Guildwood).

City spokesperson Marcela Mayo said the agencies “have not advised us of a reason for not being able to submit the assessment by the given timeline.” In a statement, TTC spokesperson Stuart Green also didn’t provide details of why the assessment wasn’t done.

But Green said the TTC is currently working on a new cybersecurity assessment process the city started this summer, and “there is no connection” between the timing of that work and the ransomware attack the agency suffered two weeks ago.

The TTC “continues to follow established best practices when it comes to cybersecurity protections” and “we are continually assessing and upgrading security systems to minimize risk,” Green said.

The Star has seen no evidence that TTC completing the assessment as directed would have prevented the ransomware attack it suffered last month.

The security breach that began Oct. 28 shut down the system TTC transit control uses to communicate with its operators, the Wheel-Trans online booking system, next vehicle arrival information and the TTC’s email network. The agency has partially restored affected systems, but the agency announced Nov. 8 the hackers may have stolen the personal information of up to 25,000 current and former employees.

Council’s directive requiring agencies to assess their networks came months after the city’s auditor general sounded the alarm that Toronto needed to step up efforts to protect itself from sophisticated cyberthreats. In June 2019, Auditor General Beverly Romeo-Beehler warned that municipalities were increasingly being targeted by hackers, and subsequently revealed that two Toronto “city entities” had reportedly already suffered minor ransomware attacks.

In October 2019, councillors directed the TTC and other agencies to submit security assessments by the third quarter of 2020, and to follow up with a plan to address any risks by the fourth quarter that year. The goal was to give the city a comprehensive overview of the threats it was facing, and to co-ordinate a response among its various divisions and arm’s-length agencies.

“With the level of services, extent of personal data, and the critical infrastructure the city supports, the city of Toronto must do all it can to protect its systems against cyberattacks … A single breach could have a devastating impact,” said the auditor’s October 2019 report.

In addition to the TTC, council’s directive applied to the Toronto Parking Authority, Toronto Zoo, Exhibition Place, Toronto Community Housing and other municipal agencies. Spokespeople for the organizations told the Star they take cyberthreats seriously and are co-ordinating with the city on security plans. Some said the pandemic had delayed the original assessment.

Green, the TTC spokesperson, didn’t cite COVID as a factor. But he said since 2019 the agency had taken steps to protect itself independent of the council-led process, and was working closely with the city. The agency presented its board with an updated cybersecurity strategy in June 2020, and reported at that time it had spent $1.3 million on defence initiatives, and was conducting regular security audits.

The TTC and other agencies are now working through a new cybersecurity assessment the city launched in August. Asked why it had taken more than 11 months after the original deadline to begin a new assessment, city spokesperson Brad Ross said that “as the city and its agencies were managing the pandemic, priorities needed to understandably shift.”

Ross said agencies are “accountable for their own cybersecurity,” but the city “does collaborate with all ABCs to assist and advise where appropriate on these important matters.”

The relaunch of the assessment came one month after yet another auditor report that warned many of her previous cybersecurity recommendations still hadn’t been implemented.

It also followed a change in the office of the official in charge of cybersecurity at the city. Kush Sharma was appointed Toronto’s first chief information security officer in October 2019, but departed in May 2021 after less than two years.

Ross declined to discuss why Sharma left city hall, saying the city couldn’t comment on personnel matters. Sharma also declined to comment.

Coun. Jaye Robinson (Don Valley East), who chairs the TTC board, said she wasn’t troubled that the transit agency never completed the original assessment because she was confident the organization never lost focus on cybersecurity.

She said that while it’s impossible to be fully protected against hackers whose tactics are always evolving, TTC staff and outside experts it has contracted “have worked quickly to contain and mitigate” the ransomware breach.

“We’re doing well I think, given the level of this attack,” she said.

With files from David Rider

Ben Spurr is a Toronto-based reporter covering transportation for the Star. Reach him by email at bspurr@thestar.ca or follow him on Twitter: @BenSpurr

JOIN THE CONVERSATION

Conversations are opinions of our readers and are subject to the Code of Conduct. The Star does not endorse these opinions.





Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

fifty seven + = sixty four