Infrastructure Contracts And Cyber Security

New Zealand's Cyber Security Strategy 2026-2030, released in February 2026, sets strengthening the cyber security of New Zealand's critical infrastructure as a key priority.  The Strategy identifies that cyber-attacks against critical infrastructure are increasing and can have significant impacts on New Zealand.  While New Zealand's geographic isolation has previously given us a sense of protection from many global security threats, that is not the case with cyber threats.  The Strategy calls out that the country's critical infrastructure is at particular risk, with a reasonably high proportion nearing end of life, creating vulnerabilities that can be exploited by malicious actors to access core IT networks.  It cites a 2024 survey that found that 80 percent of organisations did not have basic cyber hygiene in place to protect operational technology (OT).

This is a significant problem.  As infrastructure becomes increasingly digitised and internet-connected, the convergence of OT and IT systems means that a successful cyber-attack on physical infrastructure can now be carried out remotely, without an attacker ever setting foot in New Zealand.

In our experience, the contracts that govern the building and management of much of this infrastructure often do not deal with cyber security in a way that is commensurate with this risk.  These contracting practices stem from a long-standing physical infrastructure context, where digitisation has only more recently become a key component of many projects.  To achieve greater security, infrastructure owners will need to ensure their contracting practices with suppliers properly address cyber risk.

The growing threat to operational technology

The Strategy, and its companion discussion document on possible regulatory measures for the cyber security of New Zealand's critical infrastructure, paint a vivid picture of an escalating threat environment.  The discussion document notes that New Zealand currently takes a predominantly voluntary approach to cyber security, and that the level of investment across the critical infrastructure sector is not always proportionate to the threats faced.

The National Cyber Security Centre's (NCSC) Malware Free Networks service is reported to have disrupted over 473 million malicious cyber events in 2024/25, compared to 10.3 million the year before.  A cyber-attack on the Auckland electricity system has been modelled as likely to cost over $1.6b.  Beyond financial loss, consequences can include public health risks, disruption to essential services and erosion of trust in our most significant businesses and government.

The threat is not hypothetical.  New Zealand has already experienced significant cyber incidents, including the Waikato District Health Board ransomware attack in 2021 which disrupted health services for around 400,000 people, and the more recent Manage My Health breach that compromised the personal data of around 100,000 patients.  State-sponsored activity has also been observed in New Zealand, with the NCSC publicly linking malicious cyber activity to groups affiliated with the People's Republic of China, including the Salt Typhoon campaign that has targeted telecommunications infrastructure globally.

A new dimension:  AI and vulnerability discovery

A further dimension to the threat landscape has recently emerged.  Quantum computing has often been cited as a possible step-change in cyber security, with the potential to make it vastly easier to compromise systems.  However, AI may bring that reality closer, and sooner.  Anthropic, one of the leading generative AI developers, recently announced Project Glasswing, an initiative involving major global technology companies aimed at securing the world's most critical software.  This project grew from Anthropic revealing that its latest AI model, Claude Mythos Preview, had autonomously identified thousands of previously unknown, high-severity vulnerabilities, including flaws in major operating systems and web browsers used by almost all of us.  Some of these vulnerabilities had apparently survived decades of human review and millions of automated security tests.

AI has possibly reached a level where it can surpass human experts at finding and exploiting software vulnerabilities.  The implications are concerning if these capabilities are leveraged by cybercriminals or other malicious actors targeting our critical infrastructure.  For organisations managing critical infrastructure, this is a further prompt to examine and address their cyber security posture now.

The contractual gap in infrastructure projects

While the cyber security dimension of ICT contracts has long been recognised as critical, the same is not always true for infrastructure contracts.  Contracts for the design, build and operation of physical infrastructure have historically focused on the physical asset.  Cyber security, where addressed at all, risks being treated as an afterthought or dealt with by brief, generic obligations.

This matters because modern infrastructure is not purely physical.  Supervisory control and data acquisition (SCADA) systems, industrial control systems and building automation systems are embedded throughout New Zealand's infrastructure.  These systems, once largely isolated, are now increasingly connected to corporate IT networks and the internet, creating new points of vulnerability.

We have seen in our own practice the consequences of this gap.  Contracts for critical systems have sometimes been in place for years where their owners have assumed suppliers were applying certain security controls, when in fact they were not.  When those assumptions are tested, the results are often expensive remediation projects, disputes about responsibility and, most importantly, systems left vulnerable in the interim.

What should organisations do?

Some of these next steps may be imposed through regulation.  The DPMC's February 2026 discussion document on cyber security in critical infrastructure proposes a tiered regulatory framework that would require critical infrastructure entities to develop, implement and maintain a cyber risk management programme aligned with an internationally recognised framework such as NIST CSF or ISO/IEC 27001:2022.

Under the proposal, third parties with operational control of infrastructure, such as suppliers or contractors, would be required to support risk management.  It is not yet clear how far that obligation would extend, but in the comparable area of data protection, the Privacy Act 2020 places obligations almost entirely on one party (akin to the infrastructure manager), which must then pass those obligations on to its suppliers by contract.  That approach is sometimes at odds with each party's actual degree of control, requires agreement that may not always be achievable, and is out of step with the regulatory frameworks of some other jurisdictions, most notably in Europe and the UK.  If cyber security regulations go a step further, as proposed, and place direct obligations on contractors, that may reduce the burden on infrastructure managers to ensure protection solely through their contracts.

Regardless of how that regime develops, organisations involved in infrastructure projects, whether as owners, contractors or technology suppliers, should act now to better protect our critical national infrastructure.  Those steps might include:

  • Reviewing current infrastructure to establish what security measures are currently in place
  • Reviewing existing contracts for infrastructure to identify whether cyber security obligations are adequate, and auditing suppliers' performance to assess whether they are being met
  • Ensuring new infrastructure contracts address cyber security from the outset
  • Engaging with the outcomes of the DPMC consultation process, as that may have significant impacts for both infrastructure managers and their suppliers (consultation closed on 19 April 2026).

If you have any questions about cyber security in infrastructure projects, please get in touch with one of our team.