Without action, vital services could fail after a cyber attack.


Traffic lights out. Trains halted. Water cut off to households. These have all happened recently to local councils around the world as the result of cyberattacks.

Attacks on water and roading infrastructure have been widely reported across the US and Europe in recent years. In the UK, a cyberattack on South Staffordshire Water in 2022 raised fears about the vulnerability of essential services, and further incidents since have shown how even utilities critical to public health are at risk. The recent chaos in Spain and Portugal when the power grid went out demonstrates the potential for widespread disruption.

It’s only a matter of time before something similar happens in New Zealand, according to Josh Alcock, Operational Technology Security and Threat Intelligence Business Manager for ANZ at Fortinet.

“Local councils are often responsible for critical infrastructure like water and traffic management across the regions, and these systems are attractive targets for cyber criminals,” says Alcock. “It’s a matter of when, not if, your organisation experiences an incursion.”

For US$500, you can buy access to a local council server

Councils are an appealing target for cyber criminals, whether driven by financial gain or political motives. Heightened geopolitical tensions have ramped up the odds of an attack, and limited resources often mean local governments operate with stretched IT infrastructure, increasing the risk of vulnerabilities. Outdated systems and reliance on specialist third-party service providers can also create openings that can be easily exploited.

Access to a council’s systems may be available at bargain basement prices, says Alcock. “We discovered a remote access into a local government environment for sale on the dark web for US$500 via an unpatched vulnerability. We found it through FortiRecon, our digital risk protection service, which is capable of dark web monitoring. If someone bought that access, they could easily deploy ransomware within the IT environment or use it as a starting point to get access to some of the critical infrastructure.”

Incursions are frequent – and they cause expensive, reputationally damaging disruption to council services. Recent cyberattacks on local governments worldwide have led to:

  • major data breaches
  • the release of customers’ identity documents
  • customer service system outages
  • ransomware attacks
  • weeks-long billing and account system outages.

Any of these incidents will cause significant problems for a local council, whether it’s unhappy customers, cashflow crises or breaches of the Privacy Act.

NZ risks falling behind other countries on national cyber security direction

Many national governments are putting resilience strategies in place to help local authorities manage their cybersecurity obligations. Singapore, Australia and the UK all have regulatory frameworks for local government cyber resilience, while the USA offers grants to local councils to improve their cyber maturity. Australia penalises businesses heavily for allowing serious data leaks or not securing ‘systems of national significance’ – fines can be as high as A$50 million.

In New Zealand, we have some voluntary standards, but nothing approaching the rigour that other countries are applying to protect their critical infrastructure. Local governments are working hard to improve their cybersecurity, but it’s hard to balance limited resources across so many essential services. The councils with a stronger focus and business buy-in, says Alcock, are typically driven by people with specialist expertise.

The job is made more challenging for councils by the lack of a national framework. New Zealand’s national cybersecurity standards, such as the NZISM, are only mandatory for core government departments. Local councils, despite overseeing critical services, have no obligation to comply, resulting in significant inconsistencies in cyber resilience.

A national framework could make our councils a less attractive target 

A national framework would set a consistent standard and help local government prioritise cybersecurity alongside other major risks. Requirements do not need to be onerous or costly, Alcock adds; they just need to establish an expected standard and create accountability.

“Compared to the rest of the world, setting minimum standards for securing critical infrastructure environments will often result in uplifting cybersecurity maturity, making New Zealand councils a less attractive target,” Alcock says. “That needs to include things like cybersecurity awareness training that is appropriate for each person’s role and cyber incident response programmes that include the entire organisation, not just IT.”

To help local government prioritise cyber security and improve its systems and processes, national guidance would get everyone on the same page, Alcock adds. “With a national regulatory framework like we have seen in Australia and Singapore, we could raise the bar, getting all the local government organisations up to a particular level. We do need to take this seriously, because it puts the delivery of critical infrastructure at risk. The truth is, this is simple – but it’s not easy.”
