Is voluntary cybersecurity enough for NZ's critical infrastructure?
Critical infrastructure: the term by itself sounds impressive, maybe even distressing. But what makes critical infrastructure so significant? A reasonable first step towards answering that is to understand what critical infrastructure actually means.
What is New Zealand's critical infrastructure?
The New Zealand Government defines critical (national) infrastructure in their recent Cyber Security Strategy (2019) as "Physical and digital assets, services, and supply chains, the disruption (loss, compromise) of which would severely impact the maintenance of national security, public safety, fundamental rights, and well-being of all New Zealanders".
While this is a general description, it keeps the matter relatively abstract. In earlier work (2014), however, the Five Eyes countries had already identified the need for a more common and clearer understanding of critical infrastructure. Every participating country was asked to list the sectors it considers critical under this definition, and for New Zealand these are:
- Energy
- Transportation
- Social Infrastructure (including Healthcare, Public Health and Government Facilities)
- Water
- Telecommunication (including Information Technology)
This choice was made because the NZ Government considers these sectors "key drivers of economic growth" and "an important contributor to improving living standards for all New Zealanders". Establishing and maintaining resilience and developing a solid capability to deal with disruptions are hence the main goals associated with the protection of this critical infrastructure.
What happens when critical infrastructure fails?
No question, a failure of just one of the sectors listed above would likely have a significant impact on vast areas of our society, not to mention the interdependencies and side-effects that the failure of one critical sector would surely have on the others.
Among these critical infrastructure sectors, some are even more critical than others, following a simple rule of thumb: whatever sits furthest upstream and fails will hit everything downstream. In other words: if someone cut off the power supply for all of New Zealand today, almost all Kiwi organisations and individuals would have a really bad time within a few days.
To prevent this and keep the critical sectors at least basically operational, the first priority must be to ensure that NZ's power switch remains ON at all times.
What role do cyber threats play in this matter?
The protection of critical infrastructure in general, and of the energy sector in particular, has been on the agenda of the NZ Government and industry interest groups for quite a while. Besides the traditional major natural and man-made physical impact scenarios, cyber-attacks have been added to the list of significant threats as well, and for good reasons:
- Sophisticated cyber-attacks on critical infrastructure have been rising over recent years.
- The Energy sector is critical for every country and hence naturally exposed to those attacks.
- Critical infrastructure is significant enough to attract state-sponsored hacker groups, who usually have sufficient resources and skills to launch determined, sophisticated, long-term attack campaigns.
- The Energy sector has particular exposure to 0-day exploits and supply chain attacks: It is a highly integrated and specialised ecosystem, with a fairly low number of members, that uses industry-specific (niche) solutions (incl. IoT) commonly deployed across the sector.
- The level of information security maturity is diverse and inconsistent across entities in the Energy sector, where there is no defined, mandatory standard, while at the same time the overall resilience of the sector and the services it provides is only as reliable as its weakest member.
How to protect critical infrastructure against cyber-attacks?
Although Energy providers are mostly commercial organisations, delivering services in a critical infrastructure sector can never be considered a normal, profit-focused business. Instead, it requires a highly risk-averse and strongly security-focused attitude.
To facilitate a reasonable baseline of protection against cyber-risks, the National Cyber Security Centre (NCSC), representing the NZ Government, and the New Zealand Control Systems Security Information Exchange (CSSIE), representing the industry's interests, joined forces about a decade ago (2013) to define, release and maintain the Voluntary Cyber Security Standards for Control Systems Operators (VCSS-CSO).
This standard, which essentially adopts best-practice controls from the North American Electric Reliability Corporation (NERC) and the National Institute of Standards and Technology (NIST), is considered the primary cyber security benchmark for critical infrastructure providers in New Zealand.
The VCSS-CSO is overall well balanced, containing reasonable guidance and all relevant controls commonly considered essential, critical, or general best practice, together with some additional industry- or target-group-specific requirements. It is structured into 11 critical infrastructure protection (CIP) areas (2019 release), comprising 61 requirements plus numerous supplementary sub-requirements. It is meant to serve as a voluntary compliance framework based on self-assessments.
What needs to be improved?
It is, of course, appreciated that a defined national standard already exists that aligns with recognised international best practices. This is an essential prerequisite for ultimately achieving a consistent and consolidated level of security across multiple organisations in a critical infrastructure sector. It does, however, lack a vital governance component: it is not mandatory and hence cannot be effectively enforced at this stage. Instead, entities are left to themselves, and trust rather than control is the current means of choice for assuring a reliable security posture.
Considering the importance of critical infrastructure in general and of the energy sector in particular, this voluntary arrangement appears far from appropriate. Interestingly, for government agencies and district health boards, i.e. actors in the social (critical) infrastructure sector, security compliance is enforced much more strictly under the All of Government (AoG) framework.
It dictates consistent and restrictive alignment with the prescriptive NZISM and the associated comprehensive, regular certification and accreditation practices. Given that the energy sector sits upstream of the social infrastructure, it is surprising that nothing comparable has been established and enforced so far.
Meanwhile, other Five Eyes countries are already a step ahead here, e.g. with NERC CIP being mandatory for US and Canadian electric power grid providers. Since the NERC standard already served as the blueprint, New Zealand would be well advised to follow this example consistently and make compliance with the VCSS-CSO mandatory. It would also do well to align the associated processes and procedures with what is already established in comparable contexts within the AoG framework.
This will most likely also require rearranging and clarifying roles and responsibilities among the important stakeholders involved, including NCSC and CSSIE as well as industry-specific authorities and interest groups like the Electricity Authority, in order to establish a reliable, overarching cyber security governance body for this matter.
Being a critical infrastructure provider implies more than running an average business and hence clearly demands advanced security diligence, particularly to maintain reasonable protection against cyber threats. The right "tools" have already been acquired and are ready for effective use. It is now about time to put them into action consistently.
Critical infrastructure providers must be obliged to establish a solid and consistent level of cyber security today, to prevent severe failures tomorrow. Start with properly cyber-securing the energy sector to ensure that the power switch remains ON, for everyone.