TTC was unable to submit a cybersecurity report, raising questions about its ability to defend itself against hackers.

Two years before the TTC was hit by a ransomware attack that shut down vital communication systems and may have compromised the personal information of thousands of its employees, the city council ordered the transit agency to evaluate its networks for risks of cybersecurity and write a plan for the coast. raise your defenses.

The TTC and other independent city agencies were asked to submit their cyber threat assessments and security strategies to the city by the end of 2020. According to the city, none of them did.

Neither the city nor the agencies involved have provided a clear explanation why. The missing reports raise questions about whether Toronto and the organizations it oversees have been doing enough to protect themselves from the growing threat of potentially devastating cyberattacks.

Coun. Paul Ainslie, who chairs the city’s general government and licensing committee, expressed surprise that the assessments by municipal agencies, boards and commissions (ABC) never materialized, and said the problem was particularly concerning in light of the attack. to the TTC.

“I hope it is not the tip of the iceberg. Every ABC must take cybersecurity seriously. IT departments and ABC staff cannot operate in isolation. It will haunt them, ”said Ainslie (Scarborough-Guildwood).

The city spokeswoman, Marcela Mayo, said that the agencies “have not informed us of a reason for not being able to send the evaluation in the established term.” In a statement, TTC spokesman Stuart Green also did not provide details of why the assessment was not conducted.

But Green said the TTC is currently working on a new cybersecurity assessment process that the city started this summer, and there is “no connection” between the timing of that work and the ransomware attack the agency suffered two weeks ago.

The TTC “continues to follow established best practices when it comes to cybersecurity protections” and “we are continually evaluating and updating security systems to minimize risk,” Green said.

The Star has seen no evidence that TTC by completing the assessment as instructed would have prevented the ransomware attack it suffered last month.

The security breach that began on October 28 closed the system that TTC’s traffic control uses to communicate with its operators, the Wheel-Trans online reservation system, the arrival information of the next vehicle and the email network. by TTC. The agency has partially restored affected systems, but the agency announced on November 8 that hackers could have stolen the personal information of up to 25,000 current and former employees.

The city council directive requiring agencies to evaluate their networks came months after the city’s auditor general sounded the alarm that Toronto needed to step up efforts to protect itself from sophisticated cyber threats. In June In 2019, Auditor General Beverly Romeo-Beehler warned that municipalities were increasingly targeted by hackers and subsequently revealed that two Toronto “city entities” had reportedly already suffered minor ransomware attacks.

In October 2019, councilors directed TTC and other agencies to submit security assessments by the third quarter of 2020 and to follow up with a plan to address any risks by the fourth quarter of that year. The goal was to provide the city with a comprehensive overview of the threats it faced and coordinate a response among its various divisions and independent agencies.

“With the level of services, the scope of personal data and the critical infrastructure that the city supports, the City of Toronto must do everything possible to protect its systems against cyberattacks … A single breach could have a devastating impact.” the October 2019 auditor’s report said.

In addition to the TTC, the council’s directive applied to the Toronto Parking Authority, Toronto Zoo, Exhibition Place, Toronto Community Housing, and other city agencies. Spokespersons for the organizations told the Star that they take cyber threats seriously and are coordinating security plans with the city. Some said the pandemic had delayed the original assessment.

Green, the TTC spokesman, did not cite COVID as a factor. But he said that since 2019 the agency had taken steps to protect itself regardless of the council-led process and was working closely with the city. The agency presented its board of directors with an updated cybersecurity strategy in June 2020 and reported at the time that it had spent $ 1.3 million on defense initiatives and was conducting regular security audits.

The TTC and other agencies are now working on a new cybersecurity assessment that the city released in August. When asked why it had taken more than 11 months after the original deadline to begin a new assessment, city spokesman Brad Ross said that “as the city and its agencies were handling the pandemic, it was understandable that priorities will change. ”

Ross said the agencies are “responsible for their own cybersecurity,” but the city “works with all ABCs to assist and advise where appropriate on these important issues.”

The re-release of the assessment came a month after another audit report that warned that many of its previous cybersecurity recommendations had yet to be implemented.

It also followed a change in the office of the official in charge of cybersecurity in the city. Kush Sharma was appointed Toronto’s first chief information security officer in October 2019, but left in May 2021 after less than two years.

Ross declined to discuss why Sharma left city hall, saying the city could not comment on personnel matters. Sharma also declined to comment.

Coun. Jaye Robinson (Don Valley East), who chairs the TTC board, said he was not concerned that the transit agency never completed the original assessment because he was confident the organization never lost focus on cybersecurity.

He said that while it is impossible to be fully protected against hackers whose tactics are always evolving, TTC staff and the external experts it has hired “have worked quickly to contain and mitigate” the ransomware breach.

“We are doing well, I think, given the level of this attack,” he said.

With files from David Rider

Ben Spurr is a Toronto reporter covering Star transportation. Contact him by email at [email protected] or follow him on Twitter: @BenSpurr



Reference-www.thestar.com

Leave a Comment