
The Current State of Infrastructure Protection in New

Finance and Banking

The New Zealand finance and banking sector contains retail banks, other financial institutions and purely infrastructural organisations. Retail banks are licensed by the Reserve Bank of New Zealand, which imposes various conditions on their operation. Each bank runs its own retail account processing system. Most maintain accounts with the Reserve Bank from which they pay each other during the course of each day. Interchange and Settlements Limited (ISL) operates payment "switches" which route transactions from one bank to another. Similarly a company called ETSL operates the main EFTPOS switch.

The players in the New Zealand wholesale financial markets, who include offshore banks and investment funds managers as well as the New Zealand retail banks, use a system called Austraclear to exchange New Zealand dollar debt securities and wholesale cash transactions. Austraclear is currently operated by the Reserve Bank. Billions of dollars flow through it daily.

Banks have always been highly conscious of the need for security. All banks and interchange facilities spoken to were confident about the security of their core systems and Internet sites.

The main area of concern identified is the desire of some New Zealand banks to move their retail processing offshore. At least one has already done this and others are reportedly considering the move. The Reserve Bank of New Zealand is planning to move the computers for its real time gross settlement system to Australia. This system manages the relative position of all New Zealand banks and is core to the banking system. The Reserve Bank also plans to move its Austraclear computer systems to Sydney.

There are two main risks in the movement of banking systems offshore. Firstly, adverse events in Australia, such as industrial action, would be outside any New Zealand control yet could have a highly adverse impact here. This is not to argue that the labour markets or other factors in the two countries render disruption more likely with systems being offshore. Rather, the New Zealand Government would be less able to manage an extreme situation involving critical New Zealand infrastructure if this is located offshore than it would otherwise be.

Secondly, trans-Tasman telecommunications circuits, or their local (Australian) links to the computer systems, might fail leaving New Zealand disconnected from its banking system. Even with the much improved robustness and diversity of trans-Tasman links this represents a greater risk than running systems onshore, since there will always be greater capacity and robustness between, say, Wellington and Auckland than between Wellington and Sydney. A similar argument to the one above applies in respect of the domestic Australian links necessary to connect the computers to the trans-Tasman cables.

The Reserve Bank leases its trans-Tasman circuits from diversified carriers, and has back-up arrangements for satellite links should the cable be seriously disrupted. Additionally, the Bank has formal business continuity plans for loss of communications and these are tested six-monthly. The BCPs are based on reverting to alternative modes of operation, with a bottom line being continuity of service to customers in the event of communications failures.

The RBNZ is moving to interdependency with international banking, a move that the rest of the New Zealand banking sector also appears to be adopting. Notwithstanding the apparently solid business continuity planning processes established and tested by the banking and finance sector, the move offshore does increase the reliance on extended telecommunications paths and perhaps raises issues of sovereignty. Stringent risk assessment processes need to be implemented to ensure that the telecommunications and sovereignty risks do not outweigh any operational gains.

Transport

The only significant section of national transport infrastructure potentially vulnerable to information-related threats is the air traffic control system. This is operated by the Airways Corporation, which is a state-owned enterprise. The major vulnerability is loss of telecommunications which are, in the main, provided via leased bearers. However, most communications links can use multiple routes. Further back-up using satellite capacity is under consideration. Airways Corporation also has a strong service level agreement with its telecommunications provider.

Airways' main operations centre is located in Christchurch. Also in Christchurch, but in a separate building are Airways' research and development facility, software development facility and a simulator system which can assume most of the functions of the main operations centre. Airways' control room at Ohakea provides contingency back-up for Christchurch although extra staffing at Ohakea would be required. (This might be an issue if staff could not be relocated from Christchurch, e.g. after a major earthquake there.) All Airways' computer systems are locally maintained so there is no remote access to any of its systems. All IT staff undergo security checks. The Internet is not used operationally other than for e-mail with some secondary sites.

Two strengths of Airways' systems are business continuity planning and audit. All operational equipment has at least one back-up system, and rigorous BCPs have been developed. Strong security audit regimes are in place: the Civil Aviation Authority undertakes an annual audit of centres and regions; internal audits are undertaken annually by each Airways business unit; and ISO 9001 certification audits are undertaken by Quality Assured Services. Airways has also put considerable urgency into development of full risk analysis processes and risk analysis is part of the internal audit process.

There is good recognition of infrastructure vulnerabilities in the New Zealand aviation industry, and no major area of concern has been identified.

Electric Power

The electric power industry in New Zealand comprises a number of generators, the national power grid operated by Transpower, local infrastructure ("lines companies") and the various power retailers.

The generators mostly have a number of power stations of different types. While it is quite possible to imagine that these have vulnerabilities, no one generator, or particularly no one power station, is crucial to ensuring continuity of supply. If any one generation company were to fail totally, under most circumstances New Zealand would have enough power. The issue of protection therefore becomes one of commercial prudence for each company, and need not be examined further here.

The retailers, while they market and account for power, do not own the infrastructure - the local lines - which is used to deliver it. Damage to their computer systems and records would harm only their own businesses and they have every commercial incentive to ensure that this does not happen.

Failure of the core networks of Transpower or the lines companies would cause loss of supply. This is not to imply that they are in any way suspect; rather that Government has a greater interest in their continued delivery.

The Transpower network comprises various switching points and substations interconnected by transmission lines, including the inter-island link. This network is managed through remotely controlled equipment placed throughout the network.

Transpower has two fully staffed operational Centres providing full operational backup and one, normally unstaffed, management support Centre that can provide additional resources in the event of widespread disaster. Operation of the national grid does not depend heavily on external telecommunications since Transpower owns 60-70% of its telecommunications links. In an extreme situation, if the network were unable to be managed actively, it would continue to deliver power unless there were a major change in demand or supply.

Transpower takes its responsibilities in respect of continuity of supply extremely seriously. However, with the increasing reliance on information technology to manage the power distribution network there may be a need for greater central focus on the IT security aspects of network design. In recognition of this issue Transpower has recently established an executive level committee to drive security in all parts of its network, and is drawing on work done in the US to consider information-related threats and vulnerabilities to its operations.

The project team has been unable to gather any information about the protection of electricity lines companies' infrastructure assets. Given that there are several such companies, each with an effective monopoly in their respective areas, there would appear to be scope for industry co-operation to provide mutual assurance of infrastructure security.

Telecommunications and the Internet

New Zealand has a number of companies offering telecommunications and Internet services. The major telecommunications companies ("telcos") operating in New Zealand offer robust domestic voice and data networks.

New Zealand's international telecommunications pass through one of three submarine cables, or go via satellite. Submarine cables are vulnerable to damage by anchors and fishing gear and to sabotage. The cables were laid some years apart. Each successive cable has many times the capacity of its predecessor. Failure of the highest capacity cable would thus have a severely detrimental effect on New Zealand's connectivity with the rest of the world.

The newest cable, Southern Cross, takes the form of a ring connecting New Zealand, Australia and North America. If part of the ring is severed, traffic will be routed through the remaining segments to ensure that connectivity is not lost. To reduce the risk of damage, in water depths of less than 1,500 metres Southern Cross cables are buried beneath the sea-bed. Southern Cross is designed to have a much higher reliability than older cables. The likelihood of total failure of Southern Cross must be seen as very low. As Southern Cross becomes fully commissioned through 2001 the risk of a major loss of offshore telecommunications will decrease significantly.

The movement of banking systems to Australia (discussed elsewhere) greatly increases the impact of any failure of international telecommunications. This threat has to be seen as one of low likelihood (that sufficient cables are damaged to disconnect the banking system) but high impact - failing to process bank transactions would have a severe effect on many individuals and the economy as a whole.

Inter-island telecommunications currently pass through two Cook Strait cables owned by Transpower. They are periodically subject to damage by fishing vessels. Despite legislation to protect the cables, no one has ever been prosecuted for this damage. Furthermore both cables are laid reasonably close to each other across the sea bed and use the same landing points. To mitigate the risk of cable failure, Transpower has made arrangements for priority access to a specialist cable repair vessel. However there would still be a delay of days or weeks after breakage before repair could be completed. There is a backup arrangement for inter-island communications using a microwave link, but this does not have adequate capacity to provide normal service if both cables were unavailable.

Resource consent is currently being sought for two separate high capacity inter-island cables to be buried along different routes in the sea bed. It is hoped that they will be commissioned in 2001. Once implemented, these will greatly improve the security of inter-island communications.

The Internet

The Internet is increasingly both an important business tool and an infrastructure for commerce. It is central to the whole notion of e-government.

The Internet's importance impels businesses to connect their systems to it. There are, however, significant security risks in interconnecting business systems and the Internet.

It is the nature of the Internet to be open to all, highly decentralised, and to allow (or even encourage) very rapid technical innovation. These attributes, while they have facilitated the explosive growth of the Internet, also lead to significant threats to machines connected to it. The vulnerabilities described below do not just apply to Internet business, but to all businesses with an Internet connection.

Security weaknesses are frequently discovered in hardware and software in common use. These vulnerabilities are often published on the Internet, together with "exploits" - detailed instructions (or actual code) that use the vulnerability to demonstrate a security breach. Updates to resolve security issues (called patches) are generally, but not always, made available by software vendors soon after the publication of vulnerabilities. As soon as a vulnerability for a specific piece of software is published, computers using that software and attached to the Internet have to be regarded as insecure until the software has been patched.

The existence of software with known vulnerabilities running on machines connected to the Internet is exploited by individuals ("hackers") who for whatever reason like to compromise computer security. Sometimes hackers just look at systems they have penetrated; other times they cause damage by changing or deleting files. Hacking into web servers to deface web sites is quite common, and has been done to many organisations including the CIA. Web site defacements are currently running at about 20 per day across the whole Internet [http://attrition.org/mirror/attrition/stats.html], with an increasing trend. Having a high public profile, particularly one concerned with security, increases the attempts made to deface a site. All organisations with web sites need to remain vigilant about the security of their machines and monitor them for any evidence of break-ins.

Viruses and similar programs attempt to spread copies of themselves widely. Some also cause deliberate damage, or more sinisterly seek specific information, which they then transmit to a remote Internet address. Most modern viruses use Internet email to spread themselves, and many use the specific automation features of Microsoft desktop products. The use of virus scanners is essential, as is keeping them up to date. The rapid spread of novel viruses (such as the "love bug") can be controlled if systems administrators are notified immediately and take urgent action.

Another type of attack is the denial of service (DoS) attack. This exploits features of the Internet protocols to overwhelm a target computer with a flood of requests it cannot meet, resulting in a reduction or loss of service from the target machine. This technique is often used against web servers. An extension of this technique is the distributed denial of service (DDoS) attack, which uses the resources of a large number of machines that have been effectively commandeered to attack a single target. Such attacks are difficult to defend against and almost impossible to trace back to their originator.

These attacks are becoming common against New Zealand targets. As well as effectively forcing their target off the Internet, DoS attacks result in degraded or denied service to other customers of the same Internet Service Provider as the target and may cause wider degradation of service on the New Zealand Internet. The addition of new offshore bandwidth in the form of the Southern Cross cable may exacerbate this problem since it permits attacks of much greater intensity.

Oil and Gas

There are a number of different companies involved in oil distribution in New Zealand. The main retailers are very competitive and are fully aware that any failure on their part would result in loss of market share as consumers switched to alternative suppliers. The Marsden Point oil refinery is shared by several oil companies, but this only provides a proportion of New Zealand's petroleum products (since some are imported). Failure of the refinery for whatever reason would be subject to normal contingency plans for this event. The coastal tanker fleet is also shared, but is not thought to be vulnerable to IT based attack.

Gas is widely used for domestic heating and also supplies at least one power generation station. However it is questionable whether it can be regarded as critical. The commercial incentives on the companies providing gas services are regarded as sufficient to ensure that they protect their infrastructure adequately.

Emergency and Government Services

Defence

The New Zealand Defence Force makes extensive use of telecommunications, both national and international. For example, NZDF establishments throughout the country are interconnected over leased telecommunications bearers. Communications with deployed forces overseas, and communications with allied nations also generally use leased bearers. Considerable use is also made of the Internet for unclassified communications. But the NZDF also has its own integral communications capabilities with the capacity to provide 'thin red line' communications in the event of disruption of the national or international carriers and has the tested capability to provide emergency communications for government in the event of civil or other disaster.

The NZDF has completed a risk assessment of its communications infrastructure and has established contingency plans. While these plans have not been specifically tested, the reality is that every exercise, operation or deployment routinely exercises the plans under normal operational circumstances.

In general terms, the NZDF is a self-contained force with the ability to continue operations, or to contribute to the national good, in the event of degradation of the infrastructure. As evidenced by the strategies of our partner nations, the NZDF needs to be closely involved in critical infrastructure protection planning.

Police

The New Zealand Police enterprise communications network has switch centres in Auckland, Wellington and Christchurch with sufficient redundancy to ensure that operations will be unaffected by the loss of any one centre. The backbone network uses shared sites although some sites are Police owned. The Police telephone system is outsourced.

A comprehensive risk analysis and BCP were completed as part of the Y2K programme. The BCP has now been rolled over into a corporate BCP and a formal risk assessment framework has been established. From the New Zealand Police perspective, the most critical infrastructure element is probably power.

Emergency (111) service is operated by a contractor to Telecom, which passes calls to police, fire or ambulance as appropriate. Police and fire share the emergency communications network, but ambulance services are disparate organisations so are not integrated. A key police development strategy is the implementation of a common network for all emergency services.

Like the NZDF, the NZ Police Force is self-contained with the ability to continue operations, or to contribute to the national good, in the event of degradation of the infrastructure. Police also needs to be closely involved in critical infrastructure planning.

Fire

The New Zealand Fire Service uses communications facilities which it shares with the New Zealand Police, and which are discussed under that heading. There are no significant concerns in this respect.

Revenue and Income Support

Inland Revenue Department and Department of Work and Income handle high volumes of time-critical financial transactions for Government. Disruption to these departments' core infrastructure might have adverse effects for many New Zealanders.

IRD has invested considerable effort to ensure that its services remain available. It has a strong security focus, and is aware of the vulnerabilities associated with Internet connection as it moves toward a greater use of e-business. Some IRD computer facilities are managed by external companies, but IRD maintains a detailed level of control over the use of the computers. Like most other large businesses, IRD requires telecommunications for its day to day business, and has gone to lengths with its telecommunications supplier to ensure an adequate service level. IRD maintains and tests comprehensive business continuity plans.

To pay benefits and pensions the DWI relies on its computers, which are facilities managed by EDS. Critical systems are operated from the Upper Hutt data centre; there are backup computers in an Auckland data centre. DWI also depends on the data and telephony network provided by the Ministry of Social Policy, using Clear as a carrier. A high standard of IT security is provided for DWI by MoSP, but staff security and physical security are handled by a security function within DWI. There may be value in bringing the responsibility for these functions together.

Water

Water is supplied by local authorities and is not part of a national infrastructure as such. The Parliamentary Commissioner for the Environment has recently released a report [Ageing Pipes and Murky Waters] examining issues and risks around water supply. This notes a number of major challenges including a risk of infrastructure failure. However, this is not an information related risk and will not be investigated further for this project.

