In 2022 Cyber Security NSW made notable achievements towards its vision of a cyber-secure NSW Government. Among a host of other accomplishments, this included steady progress in outreach to local councils, leadership in major cyber security incidents affecting NSW Government, and ongoing assistance to help the state recover from the massive data breaches of 2022.
As a whole-of-government function, Cyber Security NSW has a broad portfolio of customers which includes NSW clusters, agencies and local councils. We tailor the products, services and best practice guidance and advice that we provide to ensure our approach to improve the cyber resilience of NSW Government entities is integrated, risk-based and meaningful.
Intermedium’s Government Cyber Security Readiness Report 2022 ranked the NSW Government second in Australia: “As with the Federal Government, NSW was already approaching a perfect score in the index in 2020. Its new or enhanced activities increased its score by 0.4 in 2022.” We know cyber security is not something you can simply achieve, it requires ongoing investment, effort and progress.
The NSW Government’s next phase of cyber security uplift will move beyond a singular focus on maturity levels and compliance and look to improve the management of risk and enhance cyber security capability holistically. This includes shifting from a narrow approach of cyber security maturity, to ensure that risk and the individual risk profile of each NSW Government entity is considered. We have more on what’s informed this approach and how we are actioning this below.
Cyber Security NSW’s programs and initiatives also execute our strategy and objectives and align with our vision of ensuring a cyber-secure NSW Government.
Cyber Insights Series underscores need for risk-based approach
The past year demonstrated the urgent need for the cyber security industry to work together to develop solutions that can overcome the common challenges faced by the public and private sectors.
In 2022 Cyber Security NSW held the inaugural Cyber Insights Series with the Minister for Customer Service Victor Dominello, cyber security experts as well as leaders from government, business and academia. This series of roundtables tackled key, industry-wide issues and contributed to Cyber Security NSW’s strategic objective to provide coordinated leadership for best practice cyber security guidance and advice.
The Cyber Insights Series: Beyond Essential Eight session was particularly insightful. It aimed to ensure the NSW Government is across industry best practice for cyber security frameworks. A recurring theme throughout the discussion was no one framework could serve as the “be all and end all” for robust cyber security. Rather, it is crucial each organisation pursues cyber security uplift that considers their own risk profile and resources. The conclusion was that a rigid understanding of maturity as a linear process does little to support the prioritisation of resources, funding and effort into meaningful and targeted cyber security uplift.
Collaborating with NSW Government entities to manage individual risk profiles
After review and analysis, Cyber Security NSW determined it is most effective for compliance and assurance to be undertaken by the internal audit teams of NSW Government clusters and agencies, as they should be auditing against the NSW Cyber Security Policy self-assessments. To reduce duplication and burden on entities we ceased our compliance and assurance programs in June 2022.
Following analysis of these initial assurance efforts and consultation with our stakeholders, we created the Cyber Insights Panel, a first of its kind in Australia, which enables Cyber Security NSW to have risk-based discussions with the senior executives and leaders of NSW Government clusters and agencies, using evidence and data to identify specific cyber risks, issues and opportunities. This aligns with our objective to provide coordinated leadership for best practice cyber security guidance and advice across NSW Government.
Championed by the NSW Government Chief Information and Digital Officer Laura Christie, the Cyber Insights Panel provides an opportunity to inform NSW Government leaders’ approach to cyber resilience and gives Cyber Security NSW greater awareness of the capabilities and services required to support whole-of-government cyber security uplift.
The Cyber Insights Panels will be an important area of focus for Cyber Security NSW in 2023.
NSW Cyber Security Policy
Work is well under way on the new NSW Cyber Security Policy, which will be released on 1 July 2023 for the Financial Year 2023-24 reporting period. Consistent with recommendations from the Audit Office of NSW, this will include an assurance methodology to assist NSW Government agencies in consistently assessing and reporting their compliance with the Policy. In addition, it will provide greater clarity on cyber security maturity and uplift strategies.
Since 2019 the Policy has provided a strong guiding framework to help entities navigate their cyber security maturity uplift, outlining mandatory requirements focused on enhancing planning and governance, developing a cyber security culture, strengthening resilience against attacks, improving reporting and implementing the Australian Cyber Security Centre (ACSC) Essential Eight technical controls. Each year, all NSW Government agencies are required to submit reporting on their maturity against the Policy, which is then analysed by Cyber Security NSW.
Mandatory requirement maturity scores assessed in the Policy continued to improve in Financial Year 2021-22. This reflects the growing investment and prioritisation of cyber security uplift among NSW clusters and agencies.
To further support entities with implementation of the Policy, Cyber Security NSW released the Cyber Security Uplift toolkit in December. This toolkit incorporates recommendations from the Audit Office of NSW, an independent review of the Policy, and feedback from clusters and agencies on issues they are facing in improving maturity scores. We have received overwhelmingly positive feedback for this new resource.
Also in December, the Office of Local Government, in cooperation with Cyber Security NSW, released cyber security guidelines for NSW local government to help local councils assess and uplift their cyber security maturity.
Funding remains a key challenge of meeting the Policy for many NSW Government entities. Cyber Security NSW reviews Digital Restart Fund submissions to help entities obtain further funding for cyber security initiatives, assessing 23 such submissions in 2022.
Responding to the Log4Shell vulnerability
We started 2022 dealing with the fallout of the Log4Shell vulnerability, which saw a proof-of-concept code published for a remote code execution vulnerability in the open-source Java logging library, Log4j.
The ACSC estimated more than 100,000 enterprise, open-source and in-house developed software solutions may contain Log4j. In addition to the large attack surface, exploitation of the vulnerability is relatively simple and allows threat actors to conduct a range of malicious activities.
As a result, we coordinated the NSW Government response. This included:
- disseminating ongoing advisory and intelligence products
- holding meetings with stakeholders to ascertain capabilities and patching status, and
- hosting information sessions to help councils.
Several NSW Government entities observed scanning activity and exploitation attempts, with some taking entire systems offline as a precautionary measure until patches had been released, tested and implemented.
Proactive intelligence and immediate response
Following the Log4Shell vulnerability, Cyber Security NSW had a busy year monitoring the international, national and state cyber security landscape, and disseminating intelligence to ensure the NSW Government is prepared to respond to cyber threats. We also provided immediate intelligence support to NSW Government entities impacted by cyber security incidents to safeguard the continuity of public services. This aligns with Cyber Security NSW’s objective to be proactive in managing cyber security risks and threats.
From September, teams were busy working with national and state partners to help monitor, produce intelligence and provide assistance with the Optus and Medibank data breaches. The aim was to understand the breadth and depth of potential impacts to NSW Government and residents, and work with partner agencies such as ID Support NSW by obtaining and analysing large datasets.
During the course of the year, Cyber Security NSW disseminated almost 300 intelligence products and summaries, including alerts, advisories, briefs, reports and lists of new and exploited vulnerabilities to stakeholders across NSW Government and local councils, to proactively inform them of existing and emerging cyber threats and their potential impacts. Beyond our NSW Government stakeholders, we have established intelligence-sharing relationships with law enforcement and cyber agencies across Australia. This demonstrates how Cyber Security NSW is providing coordinated cyber security advice across government and beyond, per the NSW Cyber Security Strategy.
In late 2022 we conducted a full review of our intelligence outputs, simplifying our product suite and structure to improve the quality, format and delivery of cyber intelligence. This will ensure our outputs are fit-for-purpose and can drive decision making across tactical, operational and strategic spheres.
We engaged more than 140 entities across NSW Government, the Australian Government, law enforcement and the private sector in response to cyber incidents and breaches that either directly impacted or had the potential to impact NSW Government and residents. This involved providing technical advice, forensic analysis, data analysis, intelligence, as well as dark web and open-source monitoring.
Cyber Security NSW is committed to fulfilling its objective of instilling a cyber security risk culture and being proactive in managing cyber security risks and threats.
NSW Government Cyber Threat Report
Cyber Security NSW produced the first NSW Government Cyber Threat Report in 2022, which analysed every cyber event and incident reported by NSW Government entities in Financial Year 2021-22, as well as trends across the global and local threat environment. The vast scope of this work allowed us to develop comprehensive intelligence holdings and learnings that will guide the NSW Government’s future cyber security initiatives and investment.
Our analysis supported global findings that phishing and credentials harvesting contributed to a significant number of incidents. Furthermore, social engineering tactics were used in more than half of incidents. This data suggests cyber security awareness training should be a top priority for leadership teams.
The 2022 NSW Government Cyber Threat Report* highlighted a host of emerging trends, such as the Russia-Ukraine conflict, which has seen cybercriminals, hacktivists and state-sponsored actors leverage the geopolitical environment for political, financial and ideological motives.
* As this is a sensitive document, dissemination has been restricted to a limited audience, including the security teams of NSW Government entities and a select number of Australian Government partner agencies.
Raising cyber security awareness
The human element remains the weakest link in cyber security and we have been working to mitigate this risk. Cyber Security NSW’s strategic objective is to instil a cyber risk culture across government by educating staff on the importance of cyber security. To this end, we provided more than 38 NSW clusters, agencies and councils with cyber security awareness training e-modules, with 153,036 staff completions in 2022.
Throughout the year we delivered a variety of government-wide cyber security training and awareness services to NSW Government agencies and local councils. We held 73 live training sessions more than 86 hours for some 3991 NSW Government staff. Staff who participated in these sessions initially had a cyber awareness score of 86% across key indicators, which lifted by 11% to 97% following attendance of the training.
We collaborated with 15 agencies and departments to tailor 45 new e-modules, which included designing training for 28,000 staff working on the 2023 State Election, as well as an e-module to help staff work securely when overseas.
In 2022 Cyber Security NSW developed and released a self-deliverable live cyber security awareness session deck and accompanying guidance. The product was shared 11 times with NSW Government agencies, as well as with the Northern Territory Government, to support the development of their awareness training.
We held our largest whole-of-government capture-the-flag (CTF) event to date, with more than 280 public sector employees participating. The CTF challenges focused on real-world problems and built an understanding of:
- digital forensics and incident response
- open-source intelligence
- cryptography and obfuscation
- enumeration and vulnerability identification
NSW Government CTFs are designed for all skill levels, including beginners, and are open to staff from NSW Government and other Australian government jurisdictions.
To help local NSW Government entities test and hone their response to a cyber incident, Cyber Security NSW delivered functional exercises for 9 councils. We also established an exercise-as-a-service offering that delivered 4 exercises and received 13 further expressions of interest.
We partnered with Training Services NSW to launch a cyber security traineeship pilot program. Looking to wider-scale training and development opportunities, Cyber Security NSW has started strategic partnership discussions with the Institute of Applied Technology Digital.
In 2021 one of our greatest successes was providing a domain-based messaging authentication, reporting and conformance (DMARC) tool to all agencies, to help ensure NSW Government remains a trusted sender of emails. In 2022 we made significant progress in providing this to local councils as well. We were able to brief all local councils and local government entities on DMARC and are assisting many of them with implementation.
We have continued to assess the vulnerabilities of, and cyber risk to, NSW Government entities, notifying them of numerous vulnerabilities for remediation. This initiative is another way in which Cyber Security NSW is working to improve the resilience of government services, systems and infrastructure to cyber threats.
In 2022 a regular cadence of Internet-Facing Vulnerability Reports began for NSW local government, with the team working to provide a report every six months. This is one way in which Cyber Security NSW is collaborating with local government to understand and consider cyber security risks and leverage insights. Several critical findings have been identified and additional services have followed.
The Health Check service expanded in 2022 to cover 5 of the 8 controls, covering application control, patch applications, patch operating systems, multi-factor authentication and regular backups. As a result, we identified 14 quick wins, 15 short-term opportunities, 10 long-term opportunities and 15 other opportunities.
Cyber Security NSW also implemented a system to uncover passwords in agency and council Windows networks, and provided remediation advice to entities. We found that more than 77,000 accounts across 14 entities were using passwords previously seen in data breaches.
The ACSC embarked on their REDSPICE program designed to reduce risk across all levels of government. Cyber Security NSW started working with the ACSC on this program to facilitate and participate in this program for NSW Government agencies.
To address third-party risk, we reviewed whole-of-government contracts to ensure cyber security is properly addressed in these. This aligns with Cyber Security NSW’s strategic objective to promote clear roles and responsibilities across cyber security, privacy, safety, and resiliency for NSW Government agencies and external partnerships.
Cyber Security NSW has a team based in Bathurst that detects and monitors cyber security vulnerabilities across NSW Government, enabling early remediation before they can be exploited by malicious threat actors. In 2022, some 42 reports were produced from scanning and vulnerability intelligence activities, with more than 22,000 vulnerabilities detected during on-request external scans. During 2022, the vulnerability identification team detected and reported 23 sensitive information disclosures.
Following the launch of our penetration testing services in 2021, we performed 16 penetration tests for councils and agencies in 2022.
We continually monitor 985 NSW Government websites for website defacement attacks and in 2022 detected one domain takeover of a council website.
In 2022 we piloted a continuous internal vulnerability monitoring service for councils, with 4 successfully onboarded. In addition, 560 monitoring agents were deployed across 5 councils, allowing them to self-monitor internal assets for vulnerabilities. The work completed by the vulnerability detection team correlates with Cyber Security NSW’s objective to be proactive in managing cyber security risks and threats.
Beyond its core mandate, Cyber Security NSW’s vulnerability detection team regularly participates in regional events to raise cyber security awareness in these communities. In 2022 the centre participated in 3 educational events for regional schools and hosted 5 work experience students.
Reporting and metrics
Another service Cyber Security NSW offers to improve NSW Government entities’ management of cyber risk is through the Cyber Portal, a highly customisable information collection and collation reporting tool that enables deeper data analysis of cyber security metrics.
While the tool was rolled out to NSW Government clusters in mid-2021, in 2022 we continued to enhance its functionality based on the changing needs of cyber security and provide ongoing quality of life updates. The tool will be extended to additional agencies and councils in 2023 for broader data collection and analysis for NSW Government. Once integrated across NSW Government, the Cyber Portal will become the central customer-facing interface to Cyber Security NSW.
In addition to making solid progress on the new NSW Cyber Security Policy, and nearing finalisation on the updated NSW Cyber Security Emergency Sub Plan and the NSW Cyber Incident Response Arrangements, we have also started work on other major initiatives. Notably, we recently published the Cyber Security NSW Service Catalogue, which showcases the wide range of products and services available to support NSW Government entities, and we have plans to work more closely with local councils across the state.
This work is only made possible by the skilled and dedicated teams of Cyber Security NSW and our close working relationships with other NSW Government entities and our state, territory and Commonwealth partners. Increasing our outreach to NSW Government entities, particularly local councils, will be a key focus for us in 2023.
Please reach out to firstname.lastname@example.org if you would like to find out more about what we do and how we can assist you.