Around a third of servers at Transport for New South Wales, the public transport department in Australia’s largest most populous state, need security patches, some dating back to 2007. But IBM, which provides IT services to the agency, doesn’t have enough people dedicated to the job to get it done in the planned time frame or in a manner that will let the agency operate as it desires.
The Register understands that Transport for New South Wales (TfNSW) runs a mixed fleet of AIX, Solaris, Red Hat Linux and Windows servers, all of which need patching. It is unclear what applications run on the un-patched servers, or their sensitivity, but TfNSW has mobilised an effort to quickly catch up on its patching.
IBM, however, has found itself with just a “skeleton crew” at the agency due to personal circumstances and staff being moved to other, higher-priority jobs. The company has therefore not been able to implement all of TfNSW’s desired changes or keep up with its client's requests, leaving many servers without patches. Some of the fixes were released as far back as 2007. We understand IBM is not responsible for the tardy patching effort.
Transport for New South Wales told to stop tracking oldies, studentsREAD MORE
Sources tell The Register IBM has called for teams working at other clients to lend staff to sort things out at TfNSW, as while offshore labour will be involved it can only do so much when on-premises mission-critical servers require reboots. The request for help is an offer other teams dare not refuse.
IBM’s therefore tried to find specialists in all the operating systems mentioned above, preferably with patch-preparation expertise, for a few weeks work. Whoever is recruited is in for a torrid time: we’re told midnight shifts and weekend work will be required as change windows are scheduled beyond business hours.
An IBM spokesperson told The Register such shout-outs for assistance are not unusual. "IBM shifts resources on a continuous basis, based on clients' project requirements and the need for skills. This is common with any services delivery organisations operating a shared services model."
The problems at TfNSW seem to have come about in part due to Meltdown patches throwing other plans out of kilter. The resulting mess has created a requirement for change windows so long and so numerous that TfNSW has balked at the effort required, further complicating patching plans.
The Register understands IBM can't hire new people fast enough to address the problem, a state of affairs that is perhaps the result of IBM's numerous rounds of redundancies and decision to stop hiring contractors. IBM has described such changes as ensuring its business is an appropriate size.
But in this case it appears IBM Australia has so little fat, its TfNSW team can't cover a handful of staff becoming unavailable. And with new contract hires forbidden, it can't make a quick fix.
Ironically, sources tell The Register that one of the few exceptions to the contractor ban is hires made by offshore teams seeking a better liaison in the nations where IBM clients reside.
The Register has asked TfNSW to describe the state of its server fleet. If the agency replies, we’ll update this story. ®