Cybersecurity in water

Overcoming vulnerabilities to build a vigilant, resilient and secure critical water infrastructure
Authors: Sunil Sharma, Mike Tocher, Aijaz Shaik, Anne-Marie Kirkman
Mooserboden water reservoir and concrete dam
According to GHD analysis, about a quarter of global water systems will likely have experienced a cybersecurity breach by 2025.
Overcoming vulnerabilities to build a vigilant, resilient and secure critical water infrastructure

The risks of cyber-attacks are increasing globally, and the high profile 2020 Waikato Hospital cyber-attack, and subsequent, increasingly sophisticated attacks on Auckland Transport, among others, have made it clear that New Zealand is not immune. Accelerated digital transformation and connected operational technology are broadening the cyber risks.

It’s time to understand the implications of targeted attacks against critical utilities and infrastructure and take action. Boards and senior leaders are responsible for protecting New Zealand communities and must act intentionally to safeguard our places, spaces and people. For leaders unsure of their cyber risks and vulnerabilities, now is the time to ask questions.

The next five years will see New Zealand’s water industry fundamentally change in the way it operates. The growing regulatory focus on large infrastructure is set to drive the next wave of cybersecurity changes. With Australia leading the way in operation technology cybersecurity, strengthened guidelines or legislation updates are likely on New Zealand’s periphery.

If we consider the Australian journey as an example, the four-year gap between the Security of Critical Infrastructure Act 2018 and the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 gave Australian organisations time to step-up. And today, the risk management practices of critical infrastructure providers in Australia have never been stricter. The time is now for New Zealand to prepare for the equivalent and review risks before it becomes a mandated requirement.

While this white paper takes a global lens, it remains relevant to New Zealand’s evolving cyber landscape. We anticipate radical shifts, including regulations and heightened public scrutiny, which demands new approaches and solutions. Among the myriad of risks is the shift of SCADA (supervisory control and data acquisition) systems to virtualised web-based platforms, introducing the inherent risk of technology change.

Although New Zealand has made progress in its cyber maturity, work remains and must happen soon. Leaders must put the risks and vulnerabilities under a microscope and cybersecurity must be holistically integrated into operation strategy and company ethos.

Keep reading: Discover a holistic cybersecurity approach

Water treatment system

Enhancing cybersecurity in water requires a multifaceted approach that addresses people, process, and technology issues. Here are the key steps that should be undertaken to improve cybersecurity in water.

Read the full report