Is voluntary cybersecurity enough for NZ's critical infrastructure?

By Contributor
Fri 6 May 2022

Article by Lateral Security, a Tesserent company, IT security consultant Jan Klinkner.

Critical infrastructure - the term by itself sounds impressive, maybe even distressing. But what makes critical infrastructure so significant? A reasonable first step is to understand what critical infrastructure actually means.

What is New Zealand’s critical infrastructure?

The New Zealand Government defines critical (national) infrastructure in their recent Cyber Security Strategy (2019) as “Physical and digital assets, services, and supply chains, the disruption (loss, compromise) of which would severely impact the maintenance of national security, public safety, fundamental rights, and well-being of all New Zealanders”. 

This is a general description, and it keeps the matter relatively abstract. However, in earlier work (2014), the Five Eyes countries had already identified the need for a common and clearer understanding of critical infrastructure. Every participating country was asked to list the sectors it considers critical under this definition, and for New Zealand these are:

  • Energy
  • Transportation
  • Social Infrastructure (including Healthcare, Public Health and Government Facilities)
  • Water
  • Telecommunication (including Information Technology)

These sectors were chosen because the NZ Government considers them "key drivers of economic growth" and "an important contributor to improving living standards for all New Zealanders". Establishing and maintaining resilience, and developing a solid capability to deal with disruptions, are hence the main goals associated with the protection of this critical infrastructure.

What happens when critical infrastructure fails?

No question, a failure of just one of the sectors listed above would likely have a significant impact on vast areas of our society, not to mention the interdependencies and side-effects the failure of one critical sector would surely have on the others.

Among these critical infrastructure sectors, some are even more critical than others. A simple rule of thumb: whatever sits furthest upstream and fails takes everything downstream with it. Or in other words: if someone cuts off the power supply for all of New Zealand today, almost all Kiwi organisations and individuals will have a really bad time within a few days.

To prevent this and keep the critical sectors at least basically operational, it must be ensured, as a priority, that NZ's power switch constantly remains ON.

What role do cyber threats play in this matter?

The protection of critical infrastructure in general, and the energy sector in particular, has been on the agenda of the NZ Government and industry interest groups for quite a while. Besides the traditional major natural and man-made physical impact scenarios, cyber-attacks have been added to the list of significant threats as well, and for good reasons:

  • Sophisticated cyber-attacks on critical infrastructure have been rising over recent years.
  • The energy sector is critical for every country and hence naturally exposed to such attacks.
  • Critical infrastructure is significant enough to attract state-sponsored hacker groups, who usually have sufficient resources and skills to launch determined, sophisticated, long-term attack campaigns.
  • The energy sector has particular exposure to zero-day exploits and supply chain attacks: it is a highly integrated and specialised ecosystem with a fairly small number of members, which uses industry-specific (niche) solutions (including IoT) commonly deployed across the sector, so one vulnerable product or supplier can affect many operators at once.
  • The level of information security maturity is diverse and inconsistent across entities of the energy sector, where there is no defined, mandatory standard, while at the same time the overall resilience of the sector and the services it provides is only as reliable as its weakest member.

How to protect critical infrastructure against cyber-attacks? 

Although energy providers are mostly commercial organisations, delivering services in a critical infrastructure sector can never be considered a normal, profit-focused business. Instead, it requires a highly risk-averse and strongly security-focused attitude.

To facilitate a reasonable baseline of protection against cyber-risks, the National Cyber Security Centre (NCSC), representing the NZ Government, and the New Zealand Control Systems Security Information Exchange (CSSIE), representing the industry's interests, joined forces nearly a decade ago (2013) to define, release and maintain the Voluntary Cyber Security Standards for Control Systems Operators (VCSS-CSO).

This standard, which essentially adopts best practice controls from the North American Electric Reliability Corporation (NERC) and the National Institute of Standards and Technology (NIST), is considered the primary cyber security benchmark for critical infrastructure providers in New Zealand.

The VCSS-CSO is overall well balanced, containing reasonable guidance and all relevant controls commonly considered essential, critical or general best practice, together with some additional industry- or target-group-specific requirements. It is structured into 11 critical infrastructure protection (CIP) areas (2019 release), comprising 61 requirements and numerous supplementary sub-requirements. It is meant to serve as a voluntary compliance framework based on self-assessment.

What needs to be improved?

It is, of course, appreciated that a defined national standard aligned with recognised international best practice already exists. This is an essential prerequisite for ultimately achieving a consistent and consolidated level of security across multiple organisations in a critical infrastructure sector. It does, however, lack a vital governance component: it is not mandatory and hence cannot be effectively enforced at this stage. Instead, entities are left to themselves, and trust rather than control is the current means of choice for assuring a reliable security posture.

Considering the importance of critical infrastructure in general and the energy sector in particular, this voluntary arrangement appears far from appropriate. Interestingly, for government agencies and district health boards, i.e. actors in the social (critical) infrastructure sector, security compliance is enforced much more strictly under the All of Government (AoG) framework.

It dictates consistent and restrictive alignment with the prescriptive New Zealand Information Security Manual (NZISM) and the associated comprehensive, regular certification and accreditation practices. Given that the energy sector sits upstream of the social infrastructure, it is surprising that nothing comparable has been established and enforced so far.

Meanwhile, other Five Eyes countries are already a step ahead here, e.g. with NERC CIP being mandatory for US and Canadian electric power grid providers. Since the NERC standard already served as a blueprint, New Zealand would be well advised to follow this example and make compliance with the VCSS-CSO mandatory. It would also do well to align the associated processes and procedures with what is already established in comparable contexts within the AoG framework.

This will most likely also require rearranging and clarifying roles and responsibilities among the important stakeholders involved, including NCSC and CSSIE, and industry-specific authorities and interest groups such as the Electricity Authority, in order to establish a reliable, overarching cyber security governance body for this matter.

Being a critical infrastructure provider means more than running an average business and hence clearly demands advanced security diligence, particularly to maintain reasonable protection against cyber threats. The right "tools" have already been acquired and are ready for effective use. It is now about time to put them into action.

Critical infrastructure providers must be obliged to establish a solid and consistent level of cyber security today, to prevent severe failures tomorrow. Start by properly cyber-securing the energy sector to ensure that the power switch remains ON, for everyone.
