As part of the State Comptroller's report published today (Tuesday), the field of cyber protection in the Ministry of Transportation was also examined. The examination revealed many failures, the first of which is the fact that the legislation of the government cyber law was not completed, and the arrangement was not completed as part of the work of the inter-ministerial team established in August 2021.
Also, in the last seven years, the Ministry of Transportation has not completed the work of the headquarters to examine the corrections and changes required for the regulation of the cyber sector in the Ministry's areas of responsibility, except in the field of autonomous vehicles.
Therefore, the ministry lacks tools to enforce the various entities (public transportation operators, seaports and airlines) and the cyber protection requirements it is supposed to establish.
"The ministry is not prepared for cyber attacks", Matanyahu Engelman,
The auditor's report also shows that there are still areas in which the ministry does not require cyber requirements to be included in new engagements, even though some of the agreements the ministry signs are for many years. It also emerged that the ministry does not have a centralized mapping of the existing engagements, including the date of their termination, and in any case does not have a record if There are cyber requirements in these contracts.
In 2021, the Ministry of Transportation conducted audits to examine the extent to which some of the bodies met the cyber requirements it introduced.
In the audits, a series of horizontal deficiencies were found, but the ministry did not follow up on the correction of the deficiencies found in these audits.
It also became clear that the manpower resources and the budget necessary for the Ministry of Transportation to fulfill its responsibilities in the field of cyber in the sector are not sufficient: the department employs three workers instead of five, and it was approved for 6.3 million NIS (21%) of the budget that the department requested for the purpose of fulfilling its duties, so it cannot give A response to some of the threats facing him.
Regev and Michali, the current minister and the one who preceded her.
Defects were not addressed, photo: Oren Ben Hakon
Gaps arose between the requirements and what actually reads, illustration, photo: Oren Ben Hakon
Also, 21 of the 35 entities that are planned to be connected to the sectoral information security event monitoring center established by the Ministry of Transportation have not been connected to it and no detailed work plan has been established for their connection.
It was found that the sharing of information in the cyber field between similar entities (such as seaports and systems in the field of transportation) is partial.
It was also found that there is no template for publishing tenders in the cyber field for use by the entities in the sector.
Regarding the urban transportation systems, in the survey conducted by the auditor in ten municipalities and two companies - substantial gaps emerged between the cyber protection status of the systems and the cyber requirements of the Ministry of Transportation.
In addition, from the results of a questionnaire on cyber protection, which was sent to entities that own systems in the field of urban and intercity transportation, it emerged that in the years 2019 - 2021, none of the entities that were tested performed penetration tests, and that 75% of the entities that were tested did not perform risk surveys.
Also, from the results of a questionnaire on the cyber protection of systems in the field of transportation, it emerged that in the years 2019 - 2021, some of the bodies examined did not have a plan to deal with disaster events, including cyber events.
It was also found that a large part of the bodies that were tested do not have a testing environment where software and security updates are tested before they are installed.
It was also found that a large part of the inspected bodies do not have a connection to a specific control system.
The Ministry of Transportation responded: "The Ministry of Transportation has made a significant leap forward in the field of cyber protection. For the first time, a center was established to monitor information security incidents in the transportation industry (SOC Sectors), to obtain a sectoral situational picture. The center includes a connection of all the key factors operating in the industry, including the Ministry, companies The government infrastructure, ports, railways, public transport operators, franchise companies, suppliers, etc. Most of the entities are already in the stages of connecting, and are streaming information to the SOC. This makes it possible to identify potential attack attempts, and to warn similar entities of possible exposure, which will help them prepare and defend themselves.
"In addition, in the past year, the ministry led revolutionary legislation for the autonomous vehicle, which allows experiments to be carried out in a vehicle without a driver and transporting passengers. The law incorporated strict cyber requirements and ministry enforcement and control powers. Furthermore, a national cyber center for smart transportation was established in Be'er Sheva, in cooperation with the national cyber system and leading companies In the economy, the center will allow the ministry to carry out tests and examine the level of cyber protection in vehicles, trains, smart traffic lights and more.
Autonomous vehicle (illustration), photo: GettyImages
"The ministry allocates unprecedented resources in the development of cyber defense capabilities, which include technological infrastructures, the execution of tests and controls, human capital (office employees and external experts), and the development of processes and information in cases of cyber attacks.
Regarding the audit of traffic management and control centers operated and budgeted by the local authorities - we would like to emphasize that the ministry does not have the authority to guide cyber matters over these centers, since the authority of the local traffic sign authority has been delegated to the local authorities."
were we wrong
We will fix it!
If you found an error in the article, we would appreciate it if you shared it with us