As geopolitical tensions ramp up around the globe, cybersecurity experts have witnessed an alarming increase in state-sponsored cyber espionage and attacks.

These digital incursions serve as early warning signs of escalating conflicts, with nation-states increasingly turning to cyber warfare as a means of gaining strategic advantages. One of the most prominent examples is the Volt Typhoon campaign, a sophisticated cyber operation attributed to China.

US security agencies in 2023 revealed evidence of a sophisticated and years-long effort by hackers to infiltrate the networks of critical infrastructure providers, including water and electricity providers.

The campaign's focus on lying dormant within compromised networks suggests a long-term strategy, potentially allowing attackers to weaponise these access points if geopolitical situations deteriorate.

Cybersecurity agencies in New Zealand and Australia have also issued warnings about this persistent threat, which targets critical infrastructure such as utilities, financial systems, transport and healthcare infrastructure. New Zealand has already seen the impact of such threats – perhaps most notably in 2021, when the Waikato District Health Board suffered a crippling ransomware attack that disrupted hospital operations and compromised sensitive patient data. Inevitably, the operational technology (OT) systems that underpin these industries are the targets of hackers’ attention.

Testing defences

Michael Murphy, Director, Operational Technology and Critical Infrastructure for the Asia-Pacific region at Fortinet, notes that these nation-state attacks are part of a broader trend.

“We're seeing an increase in compromised account credentials, malware infections and network infrastructure breaches,” Murphy explains.

“Many of these can be traced back to state-sponsored actors testing defences to establish footholds in critical systems.”

That has led nations to revise and expand regulations and obligations requiring critical infrastructure providers to adhere to minimum cybersecurity standards. For instance, Singapore last year amended its Cybersecurity Act to increase the scope of regulation to cover cloud computing platforms, third-party providers outside of Singapore and the tech supply chain that infrastructure providers draw on.

The Australian Cyber and Infrastructure Security Centre (CISC) in November added 46 more critical infrastructure assets as “systems of national significance”, signalling the importance of protecting key infrastructure.

“On the surface, retail and data centres might not look like critical infrastructure,” says Murphy.

“But the interconnectivity of all these essential services has created a bigger footprint of risk, which governments and businesses are now having to think about in terms of cybersecurity.”

Integrate standards, monitor progress

New Zealand has been less prescriptive in its approach to mandating cybersecurity requirements for critical infrastructure providers. But given what is at stake when key infrastructure goes down in terms of potential physical damage, and financial and reputational loss, New Zealand businesses need to get on the front foot and protect their OT systems.

Murphy stresses that following cybersecurity standards significantly reduces risks. He highlights Australia's Essential Eight and New Zealand's Top 10 as valuable frameworks for organisations to follow.

By implementing best practices such as multi-factor authentication, application control and regular patching, businesses can address many common vulnerabilities and create a baseline of protection for themselves – and their supply chain partners. Cybersecurity standards are all well and good, but Fortinet advises every organisation to have a plan to monitor adherence to standards and address compliance issues.

A key theme emerging from Murphy's insights is the need for a community approach to cybersecurity. He advocates for creating safe spaces where organisations can share experiences and lessons learned, even with competitors.

The critical need for cooperation

That’s why Fortinet will this month host a series of exclusive forum lunches in Auckland, Wellington, Hamilton and Christchurch to discuss the evolving cyber threats impacting New Zealand’s operational technology environment.

A collaborative mindset should extend to public-private partnerships, with Murphy noting that many businesses are seeking government guidance on cybersecurity best practices.

“Everyone is in this together, because if one piece of critical infrastructure goes down in a cyber attack, it can have a knock-on effect that has widespread repercussions. So we can help each other identify the threats and the opportunities to improve resilience across the board,” says Murphy.

He adds that critical infrastructure providers are now pursuing a “secure by design, secure by default” strategy to build and refresh their operational technology.

“Customers are saying, ‘I'm no longer going to buy technology that doesn't have some level of cybersecurity best practice deployed by default’,” he explains.

“That's shifted the onus from the end user controlling all these systems to vendors. We’ve seen the likes of Schneider and Honeywell, major providers of industrial infrastructure, ramp up efforts to build in security,” adds Murphy.

AI lessens alert overload

Artificial Intelligence is increasingly being harnessed to enhance cybersecurity efforts. Murphy says AI can help ease analysts' burden by triaging alerts and focusing attention on critical issues. In OT environments, AI can assist in making informed decisions about appropriate responses to potential threats without causing unnecessary disruptions.

As digital skirmishes intensify, they serve as a stark reminder that the next major conflict may begin not with a bang, but with a breach. Organisations and nations alike must remain vigilant and proactive in their cybersecurity measures to weather the storm of geopolitical cyber warfare.

Murphy’s final message is clear: don't wait for a major incident or legislative changes to drive action. New Zealand businesses should act now in their own best interests, implementing robust cybersecurity measures to safeguard their operations and the broader economy.
