Claroty, the cyber-physical systems protection company, and partner Vector Technology Solutions Ltd (VTS), a digital solutions business and a subsidiary of New Zealand energy company Vector Ltd, recently hosted three roundtable discussions among top C-suite executives in New Zealand's critical infrastructure sector, including PowerNet, Electra, Aurora Energy and Unison.
Held in Wellington, Napier and Christchurch, the discussions focused on the current threat landscape, particularly in New Zealand's energy sector. The group also discussed potential changes to New Zealand's resilience policy and regulatory landscape.
In 2021-2022, the New Zealand Cybersecurity Centre reported 350 incidents affecting nationally significant organisations, with a rise in attacks from state-sponsored actors since the previous year.
New Zealand is unique among Five Eyes nations in that its legislative environment for the cybersecurity of critical infrastructure entities is relatively underdeveloped, with voluntary guidelines and coordination across the sector playing a key role.
Critical infrastructure providers such as electricity distributors should continue to evolve as the threat landscape changes (including potential changes to legislative requirements).
Special guests on the panel included Vector's Chief Information Security Officer, Aaron McKeown, and Admiral Michael S. Rogers, a retired four-star admiral of the United States Navy who served as the second commander of the United States Cyber Command while also serving as the 17th director of the National Security Agency (NSA) and as chief of the Central Security Service (CSS).
The discussion revealed the pros and cons of new legislation and leveraged Admiral Rogers' experience with US cyber policy to encourage smaller electricity distributors in New Zealand to start discussing their security posture collectively. The attendees agreed that a sector-based approach to building a secure ecosystem was a critical mechanism to ensure the overall uplift of the cyber posture of the industry.
Key challenges facing NZ distribution businesses
Cyber professionals within energy distribution businesses must continue to perfect the art of communicating risk and threats across all levels of the organisation, from boards to employees. This is critical to secure the necessary funding and resources CISOs need to improve their organisation's cyber posture.
CIOs and CISOs can't drive cyber security alone; they need buy-in from all levels of the organisation to ensure the human firewall is as strong as the OT/IT security.
Third-party security poses a significant risk to energy distributors, given there are numerous partners and partner platforms in the energy supply chain.
Ransomware remains one of the biggest risks to electricity distributors and other organisations globally.
"Successful breaches into critical infrastructure are not if but when," says Admiral Rogers.
"Organisations know it's only a matter of time before attackers get into their networks, but building overall resilience is the key to reducing the damage - specifically, techniques to stop attackers moving laterally throughout the network once inside."
Aaron McKeown, Chief Information Security Officer at Vector, says more collaboration is key to uplifting cyber security across the whole energy sector.
"While there are some structured forums such as Control Systems Security Information Exchange (CSSIE) that allow for the sharing of cyber-related information between organisations, informal roundtable discussions like these present an invaluable opportunity for industry leaders to exchange important ideas and insights on the complex cyber security landscape today."