Being a small island nation, far away from most of the world, gives New Zealand a big defensive advantage. While we have some nice natural resources, it’s a long way to come for an invasion.
However, cyberattackers don’t need to be concerned with physical distance. They can mount a digital invasion from anywhere around the globe. Cyberterrorism and cybercrime have no borders, and they have the potential to disrupt some of our most important infrastructure – the services and amenities that we take for granted as residents in a developed economy. From our electrical grid to our hospitals to our ports, it’s vital that our critical infrastructure is secure, yet we’re not doing enough to protect ourselves.
Infrastructure attacks could shut down our lives, or even threaten them
Cyber technology is now a central component of both modern warfare and modern crime. We’ve seen Russia attempting to shut down Ukraine’s IT networks and disrupt the command-and-control systems of the Ukrainian military. For its part, Ukraine has shown the value of agile and well-defended IT and critical infrastructure networks and has also taken a few retaliatory blows, like hacking Russian EV charging stations to display anti-Putin messaging.
Ransomware is also a significant and growing threat to our national infrastructure. In 2021, the largest fuel pipeline in the US was a victim of a ransomware attack that shut the pipeline down for days and left customers without gas all along the East Coast.
Here in Aotearoa, we’ve already had several warning shots across the bow in the form of cyberattacks and ransomware. Perhaps the most well-known was the cybersecurity breach at the Waikato District Health Board, which shut down four regional cancer treatment hubs. Seriously ill patients had to be moved to other hospitals, and radiation treatment couldn’t be administered. As an early report by the Waikato District Health Board (DHB) noted, “the consequences of a targeted cyberattack would be catastrophic for patient safety.”
This is the kind of cyberattack that can cost lives, release private information, and make New Zealanders feel threatened. These attacks do profound damage to national resilience. Imagine if we were struck by a coordinated attack across various healthcare, energy, or transport network infrastructures. Cutting off our power would cripple our economy, and if other systems were also under attack, our nation and our lives would be in turmoil.
According to Fortinet – Global State of Operational Technology and Cybersecurity Report, July 2022 & Gartner – Market Guide for Operational Technology Security, August 2022:
<49%
of organisations in Australasia say they could detect a security breach in less than 90 days.
23%
say it would take them 2 to 3 months to detect a security breach.
70%
of asset-intensive organisations will have converged their security functions across both enterprise and operational environments by 2025.
The threat keeps changing, so defences must evolve
Our critical infrastructure sector must work urgently to upgrade ageing operational technology (OT) systems as these are leaving us vulnerable to these types of cyberattacks.
Very few Kiwi organisations have a sufficiently strong OT system. According to Fortinet’s Networking and Cybersecurity Adoption Index 2022, fewer than 49 per cent of New Zealand and Australian organisations said they could detect a security breach in less than 90 days, with 23 per cent taking between two and three months. This demonstrates that New Zealand organisations are not doing enough to protect against cyberterrorism or ransomware.
Unfortunately, boosting cybersecurity is not like putting up a brick wall outside your head office. You cannot simply build the wall and then the job is done. Cyber defences require continual effort and investment; however, the risks that come with insufficient protection are enormous and extremely costly.
Nicole Quinn, head of government affairs APAC, Fortinet, said, “Historically, New Zealand governments and critical infrastructure entities have approached cybersecurity from a product perspective. However, the modern cyber threat requires a more integrated approach that manages components as a full system.
“Defence systems need to work together at machine speed to better support the scarce cyber defenders tasked with building, integrating, and operating these complex systems. Best cybersecurity practices at a national level require a holistic approach that protects against cyber threats at every point in complex business, critical infrastructure, and government operations.”
93% of OT organisations experienced at least one intrusion in the past year; 78% experienced more than three intrusions
According to Fortinet – Global State of Operational Technology and Cybersecurity Report, July 2022 & Gartner – Market Guide for Operational Technology Security, August 2022.
31% increase in cybersecurity incidents in 2022
as reported to CERT in the first 8 months of 2022, compared to the same period in 2021.
US$4.35 million average global cost
according to the IBM Cost of a data breach 2022, healthcare breaches cost an average of US$10.1 million.
Working together to boost New Zealand’s cyber resilience
New Zealand needs to be more cyber resilient, which starts with upgrading our OT systems and reducing our vulnerabilities.
The attacker could already have their foot in the door: it’s almost certain that malware is already sitting undetected in many government agencies, service providers, and electricity distributors around the world. It could be quietly stealing data, or waiting to be activated, blazing a trail through an organisation’s systems and potentially destroying all data in its path.
Organisations need to work with partners that have a deep understanding of cyber threats and protecting OT. Strong public-private partnerships are essential to ensuring better cyber resilience. Governments cannot mitigate all incoming threats, so they need expert support to separate and protect each component of complex networks, with access control and malware protection. All of these elements work together to create an overarching security architecture, or security fabric, capable of defending our complex OT networks.
Nicole Quinn said, “Working together, the government and private sector can tackle rapidly emerging threats and maintain secure and resilient networks and systems. Building cyber resilience requires a sharing of knowledge and understanding of threats between government and critical infrastructure operators, service providers, and cybersecurity companies.”
New Zealand isn’t a very appealing target for a physical invasion. It’s too hard to access and has too little to gain. By working together and taking a holistic approach to shield our critical infrastructure, we can make it equally unappealing as a target for cybercriminals.
To download the full report go here.