28 Mar 2023

New Zealand's critical infrastructure vulnerable to hackers - Cyber security expert

1:02 pm on 28 March 2023
Ransomware alert message on a laptop screen - man at work

One way cyber criminal groups make money is by selling their ransomware as a service, cyber security expert Marty Edwards said. Photo: 123RF

An international cyber security expert believes New Zealand's critical infrastructure remains vulnerable to hackers, and warns consumers will pick up the tab as firms face costly system upgrades.

Key infrastructure has come under attack in recent months, including December's attack on the IT service provider that supported the Ministry of Justice and Te Whatu Ora.

Former US Homeland Security director Marty Edwards said under-investment in cyber security meant criminals exploited vulnerabilities that were well-known.

Edwards, now at cyber security firm Tenable, said there was one area that was of particular concern.

"Many of the vital services that we depend on in our day-to-day lives such as food supply, those systems are increasingly run by small black-box computers that are sprinkled around in things like power grids and water treatment systems," he said.

"Those systems really were never built with security in mind and we need to take a hard look at how do we secure those types of systems."

Consumers would end up facing higher costs as firms upgraded their systems, Edwards said.

"Ultimately, companies are going to pass along the costs of whatever improvements they're required to make in the cost of their end product.

"If you're an energy producer that's sending electricity to homes in New Zealand, the cost of the electricity should include some cyber security expenses," he said.

Companies and government agencies have also been warned to look out for the rise in so-called hacktivism that may be targeting their systems.

Hacktivism is a form of internet activism where groups hacked websites to promote a political agenda or social change.

Notable hacktivist groups included Anonymous and WikiLeaks.

Edwards said hacktivists often worked with cyber criminal groups.

"These criminal organisations - they just want to make money. If the one way they can make money is by selling their ransomware as a service, they basically put together tool kits," he said.

They were sophisticated operations, Edwards said.

"These criminal organisations are run like small companies. They have payroll departments, they have tech support - if the malware or the ransomware that you purchase from them doesn't work, you call their toll free phone number."

Get the RNZ app

for ad-free news and current affairs