
New Zealand's Critical Infrastructure

The following diagram shows how the various critical infrastructures depend on each other. Most systems assume the continuing supply of power and telecommunications.

Figure 1 - Critical infrastructure dependencies

Ownership of Infrastructure

The ownership of critical infrastructure is diverse.

  • Central government departments own items such as the computers running the SWIFTT benefits payment system.

  • The Defence and Police forces have computer systems and communications networks.

  • Hospitals use computer systems for accounting and administration.

  • The Reserve Bank currently operates banking settlements systems.

  • State-owned enterprises such as Transpower and Airways own critical networks.

  • Much critical infrastructure is in the private sector, including telecommunications and local electricity distribution.

The situation is more complex than the above would suggest. There are many different models for infrastructure-owning organisations to have parts of infrastructure outsourced or managed by another company. Furthermore, although some infrastructure providers have IT or telecommunications networks, these are in many cases dependent on circuits provided by a telecommunications carrier such as Telecom or Telstra Saturn.

While the government does not own or directly control much of the critical infrastructure of New Zealand, it does have a role in assuring itself that this infrastructure is adequately protected. Infrastructural businesses differ from others in that customers' interest in their continued ability to supply may exceed the commercial interests of the business to do so. This is especially a concern where the infrastructure business is a monopoly provider, since the competitive pressure to maintain service is reduced or absent. A hypothetical example would be a power company that risked infrastructure failure through under-investment of funds and time in engineering while choosing instead to focus on an area that might increase profitability.

Risks in Critical Infrastructure

Given the concerns expressed above over the adequacy of commercial incentives in respect of infrastructure security, Government needs to consider how it can assure itself that sufficient risk management is being undertaken. A reasonable approach is to establish the extent to which infrastructure owners use risk management methods.

Best practice risk management starts with a formal model of risk and mitigation. There are a number of formal risk assessment models available. The following diagrams show a summary of risk assessment and mitigation as applied to the critical infrastructure. These models are adapted from Australian and New Zealand Standards.

Figure 2 - Infrastructure Threats and Vulnerabilities

This diagram shows the critical services depending on infrastructure, some areas of which themselves depend on other services. The components of the infrastructure, referred to as assets, are subject to vulnerabilities. Vulnerabilities may be exploited by threats. The action of a threat on a vulnerability may be mitigated through various strategies.

Figure 3 - Risk Mitigation Cycle

After risks have been mitigated there is always some residual risk, which needs to be assessed. If it is found unacceptable, further mitigation measures will need to be applied.

Risk has two components: the consequence, or impact of an event; and the likelihood of the event. Because infrastructure is obviously valuable, physical risks have generally already been considered and some measure of protection applied. The risk of damage to infrastructure from physical threats therefore tends to have a low likelihood, albeit a high consequence. This report, however, focuses on the more rapidly developing and less immediately obvious risks that are associated with the growing dependence on IT.

IT Threats to Critical Infrastructure

IT threats (i.e. threats which do not include physical attack) to critical infrastructure may be categorised both by the motivation and resourcing of the attacker or other threat agent, and by the means of attack.

Threat agents could be:

  • staff making mistakes;

  • disaffected staff or contractors;

  • recreational hackers;

  • individuals seeking personal gain, e.g. through theft or extortion;

  • agents of organised crime, competing commercial interests or issue groups; or

  • agents of foreign governments.

These vary in the extent of their knowledge and resources.

The types of IT-borne attack include:

  • denial of service attacks via the Internet;

  • hacking or cracking, whether leading to systems damage or breach of confidentiality;

  • malware - programs with covert malicious intent, including viruses, worms, and trojan horses;

  • malicious or inadvertent damage by insiders; and

  • the unlawful interception of messages (or actual theft of laptop or other computers).

Since the Internet has become so ubiquitous in developed nations, most IT-borne attacks have been carried out over the Internet. Internet based attacks have certain characteristics which explain their prevalence and impact:

  • Internet attacks involve action at a distance, in many cases crossing national borders, which offers the attacker a degree of anonymity and reduces the likelihood of punishment. This reduces the deterrent effect of legislation. [New Zealand is unusual among Western countries, in that it currently does not have legislation directed against hacking. A Bill to address this is before the House.]

  • Like other IT-borne threats, Internet attacks often involve the use of computers for automatic repetition of some process, such as the use of dictionary searching tools to crack passwords, or viruses that replicate themselves without limit. This factor can leverage one individual's cleverness into an attack on infrastructure that has global impact. The size of the impact in this scenario bears no relation to the quantum of resources available to the attacker.

  • Once written, automated attack tools become widely available on the Internet, and may be used by individuals who do not understand the tools or the consequences. [The authors of such tools are not necessarily malign or reckless, since they are in many cases intended for legitimate uses such as assessing one's own network for vulnerabilities.]

The Internet provides a wealth of opportunity for attacks on systems connected to it.

Vulnerability of Infrastructure to IT-Borne Attacks

Any area of infrastructure that uses IT-based control systems is vulnerable in principle. The greatest area of risk, in terms of the adverse consequence that could result, is any potential for unauthorised access to the IT systems used to manage infrastructure networks.

Where access is restricted to secure locations, the vulnerabilities are those of physical security and the risk that staff will do something malicious or mistaken.

Access through telecommunications (i.e. dial-up) to unstaffed network management facilities (e.g. electricity substations) is used by some infrastructure providers for efficient and prompt fault resolution. This introduces a new range of vulnerabilities, since there is a need for authentication of callers to the facility. The authentication system needs to be of strength commensurate with the risks posed by unauthorised access. The authentication system itself needs timely maintenance to ensure that, for example, resigning employees have their access revoked.

Interconnecting systems with the Internet provides benefits in terms of cost savings and functions that can be offered. Large infrastructure providers typically have their corporate business networks connected to the Internet, and have some kind of links between these and their network management systems. While awareness of Internet threats is high in many providers, it is hard to guarantee that unauthorised access to network management facilities is impossible.

Homogeneity of IT Systems

In information technology, New Zealand follows global trends in the choice of equipment and standards. Over the last decade the diversity of IT in wide use has decreased. This has happened because of:

  1. a desire for common open standards on the part of IT purchasers, partly as a measure to prevent vendor lock-in and monopoly pricing;

  2. the overwhelming success of the Internet, due in part to the quality and openness of the engineering on which it is built, effectively displacing other ways of connecting computer systems; and

  3. the exit of smaller computer manufacturers with unique equipment from the market (mainly for the reasons above) and the trend for specialised equipment to increasingly be based on off-the-shelf computers and operating systems.

These trends have led to a situation in which almost all computer networks use Internet protocols, almost all Internet routers are made by Cisco, most server computers use a version of Microsoft Windows or a flavour of Unix, desktop computers almost all use a version of Microsoft Windows, and specialist machines such as those in the power grid are increasingly controlled through widely understood machines of the types above. This is not meant to imply that these products are inherently less secure than alternatives. However, while homogeneity of systems leads to benefits in terms of efficiency and ease of use, it also makes all computers more vulnerable to attack. This is because having a large number of users increases the chance that lurking security problems are discovered and exploited, and because of the number of machines that can be compromised when problems do come to light.

The process of convergence to common IT standards may not be complete. Telephony, which is already dependent on digital technology, may move to use Internet protocols and Internet-style routers instead of the specialist switches and PABXs currently used. The Ministry of Social Policy has recently installed just such a system across all Department of Work and Income branches. This does not imply such a move is inherently risky; indeed, it should pay dividends in terms of efficiencies and greater effectiveness. However, it is part of the general convergence of many kinds of technology to a few types whose details are very widely known.

Complexity

Continued technological development involves increasing complexity. Although the diversity of building blocks of IT systems is decreasing, the complexity of the blocks themselves is increasing very quickly. Each generation of computer chips has several times more transistors than its predecessor, and each new version of Microsoft Windows adds millions of lines of program code. More and more of these elements are interconnected in novel ways to offer greater levels of automation and control.

In this environment it is hard or impossible to test every possible combination of circumstances and user input. Commercial pressures tempt developers to ship products with known problems (some of which are security related), leaving solutions to the problems for product updates. Consequently problems, including security problems, are often found with widely used systems.

Availability of IT Security Staff

Securing computer systems and maintaining their security requires considerable expertise. Retaining staff with this expertise is difficult. Because of the premium these people can attract, they are often contractors or consultants. Anecdotal evidence suggests that IT skills in general, and IT security skills in particular, are becoming scarce in New Zealand. There is a similar view in Australia. In an attempt to address this shortfall the Commonwealth Government is considering promoting specific centres of excellence in some universities.

With IT security skills in demand in the US and Europe, they will always command a premium in New Zealand and Australia. The challenge for infrastructure owners is to manage risk in this environment. Government can help through initiatives to pool knowledge and expertise.

Legal Issues

Criminal Law

Globally, there are two main areas of criminal law which relate to hacking or other IT-borne attacks: so-called cybercrime, where electronic means are used to commit a non-IT crime such as theft; and the making of unauthorised computer access itself a crime.

There are international moves to agree definitions of cybercrime and to facilitate pursuit of offenders across international boundaries. The EU is attempting to negotiate such a treaty among its members. If it succeeds, other jurisdictions may well try to harmonise legislation. The New Zealand Police has also been considering cybercrime through its membership of the Australasian Centre for Policing Research.

Most developed nations have now enacted legislation making unauthorised access to computer systems a crime. New Zealand has yet to do this, although a Bill is before the House (the lack of such a statute may harm New Zealand's international reputation if not rectified soon). Enacting this legislation will make it easier to pursue New Zealand residents who break into computers, and also will make it more likely that requests by New Zealand law enforcement agencies for assistance to track computer vandals in other jurisdictions will meet with favour.

As currently framed [Crimes Amendment Bill No. 6 as amended by Supplementary Order Paper No. 85], the Bill before the House does not address denial of service attacks. This type of attack, discussed elsewhere in this paper, is an increasing problem on the Internet in New Zealand and overseas. There is a risk that New Zealand's legislation will remain out of step with other countries and with the real world if no attempt is made to make denial of service attacks a crime. Ministry of Justice officials are aware of this issue and are considering further amendments to the Bill to take it into account.

Disclosure

Gathering reliable numbers about incidents of this nature is hard, since companies are understandably reticent about making disclosures that might harm customer confidence or shareholder value. There is sometimes a public perception that the public sector is more susceptible to IT-related attacks than the private sector, but this may be due to the greater requirements for information disclosure in the public sector.

Without reliable figures, planning protective strategies is difficult. A solution to this might be some trusted group that maintained an incident database in a suitably anonymised form.

Liability

Companies that own infrastructure would be unlikely to be liable in a legal sense if their infrastructure failed, unless it could be shown that they had failed to operate in accordance with widely accepted relevant standards.

An exception is the banking industry. As a condition of a banking licence, the directors of a bank are required to attest to prudent operation of their bank. This may make them personally liable in the event of failure.

