
Is voluntary cybersecurity enough for NZ's critical infrastructure?

By Contributor
Fri 6 May 2022

Article by Lateral Security, a Tesserent company, IT security consultant Jan Klinkner.

Critical infrastructure: the term by itself sounds impressive, maybe even distressing. But what makes critical infrastructure so significant? To answer that, a reasonable first step is to understand what the term actually means.

What is New Zealand’s critical infrastructure?

The New Zealand Government defines critical (national) infrastructure in their recent Cyber Security Strategy (2019) as “Physical and digital assets, services, and supply chains, the disruption (loss, compromise) of which would severely impact the maintenance of national security, public safety, fundamental rights, and well-being of all New Zealanders”. 

While this is a useful general description, it keeps the matter relatively abstract. However, earlier work by the Five Eyes countries (2014) had already identified the need for a clearer, shared understanding of critical infrastructure. Every participating country was asked to list the sectors it considers critical under this definition, and for New Zealand these are:

  • Energy
  • Transportation
  • Social Infrastructure (including Healthcare, Public Health and Government Facilities)
  • Water
  • Telecommunication (including Information Technology)

This choice was made because the NZ Government considers these sectors “key drivers of economic growth” and “an important contributor to improving living standards for all New Zealanders”. Establishing and maintaining resilience and developing a solid capability to deal with disruptions are hence the main goals associated with the protection of this critical infrastructure.

What happens when critical infrastructure fails?

No question, a failure of just one of the sectors listed above would likely have a significant impact on vast areas of our society, not to mention the interdependencies and knock-on effects that the failure of one critical sector would surely have on the others.

Among these critical infrastructure sectors, some are more critical than others. A useful rule of thumb: whatever sits furthest upstream and fails will take everything downstream with it. In other words, if someone cut off the power supply for all of New Zealand today, almost every Kiwi organisation and individual would have a really bad time within a few days.

To prevent this and keep the critical sectors at least basically operational, priority must be given to making sure that NZ's power switch stays ON.

What role do cyber threats play in this matter?

The protection of critical infrastructure in general, and of the energy sector in particular, has been on the agenda of the NZ Government and industry interest groups for quite a while. Besides the traditional major natural and man-made physical impact scenarios, cyber-attacks have been added to the list of significant threats, and for good reasons:

  • Sophisticated cyber-attacks on critical infrastructure have been rising over recent years.
  • The Energy sector is critical for every country and hence naturally exposed to those attacks.
  • Critical infrastructure is significant enough to attract state-sponsored hacker groups, who usually have sufficient resources and skills to launch determined, sophisticated, long-term attack campaigns.
  • The Energy sector has particular exposure to 0-day exploits and supply chain attacks: it is a highly integrated and specialised ecosystem with a fairly small number of members, which relies on industry-specific (niche) solutions (including IoT) commonly deployed across the sector. A single vulnerability in one of those shared products can therefore affect most of the sector at once.
  • The level of information security maturity is diverse and inconsistent across Energy sector entities, since there is no defined, mandatory standard, while the overall resilience of the sector and the services it provides is only as reliable as its weakest member.

How to protect critical infrastructure against cyber-attacks? 

Although Energy providers are mostly commercial organisations, delivering services in a critical infrastructure sector can never be treated as a normal, profit-focused business. Instead, it requires a highly risk-averse and strongly security-focused attitude.

To establish a reasonable baseline of protection against cyber risks, the National Cyber Security Centre (NCSC), representing the NZ Government, and the New Zealand Control Systems Security Information Exchange (CSSIE), representing the industry's interests, joined forces about a decade ago (2013) to define, release and maintain the Voluntary Cyber Security Standards for Control Systems Operators (VCSS-CSO).

This standard, which largely adopts best-practice controls from the North American Electric Reliability Corporation (NERC) and the National Institute of Standards and Technology (NIST), is considered the primary cyber security benchmark for critical infrastructure providers in New Zealand.

The VCSS-CSO is, overall, well balanced: it contains reasonable guidance and all the controls commonly considered essential, critical or general best practice, plus some additional industry- or target-group-specific requirements. The 2019 release is structured into 11 critical infrastructure protection (CIP) areas comprising 61 requirements and numerous supplementary sub-requirements. It is meant to serve as a voluntary compliance framework based on self-assessment.

What needs to be improved?

It is, of course, welcome that a defined national standard aligned with recognised international best practice already exists. This is an essential prerequisite to ultimately achieving a consistent and consolidated level of security across the many organisations in a critical infrastructure sector. It lacks, however, a vital governance component: it is not mandatory and hence cannot be effectively enforced at this stage. Instead, entities are left to themselves, and trust rather than control is the current means of assuring a reliable security posture.

Considering the importance of critical infrastructure in general and the energy sector in particular, this voluntary arrangement appears far from appropriate. Interestingly, for government agencies and district health boards, i.e. actors in the social (critical) infrastructure sector, security compliance is enforced much more strictly under the All of Government (AoG) framework.

It dictates consistent and restrictive alignment with the prescriptive New Zealand Information Security Manual (NZISM) and the associated comprehensive, regular certification and accreditation practices. Given that the energy sector sits upstream of the social infrastructure, it is surprising that nothing comparable has been established and enforced so far.

Meanwhile, other Five Eyes countries are already a step ahead here, e.g. with NERC CIP being mandatory and enforceable, with compliance audits and penalties for non-compliance, for US and Canadian electric power grid operators. Since the NERC standard already served as the blueprint, New Zealand would be well advised to follow this example and make compliance with the VCSS-CSO mandatory. It would also do well to align the associated processes and procedures with what is already established in comparable contexts within the AoG framework.

This will most likely also require rearranging and clarifying the roles and responsibilities of the important stakeholders involved, including the NCSC, the CSSIE, and industry-specific authorities and interest groups such as the Electricity Authority, in order to establish a reliable, overarching cyber security governance body for this matter.

Being a critical infrastructure provider means more than running an average business and hence clearly demands advanced security diligence, particularly to maintain reasonable protection against cyber threats. The right "tools" have already been acquired and are ready for effective use. It is now about time to put them into action consistently.

Critical infrastructure providers must be obliged to establish a solid and consistent level of cyber security today, to prevent severe failures tomorrow. Start by properly cyber-securing the energy sector to ensure that the power switch remains ON, for everyone.
