Two years on from Cyclone Gabrielle and the Auckland Anniversary Floods, the focus remains on action. Have New Zealand’s infrastructure owners improved or changed how they assess risks to make their critical infrastructure more resilient? What are the risks that threaten to disrupt or damage our infrastructure, and just how resilient are New Zealand’s critical infrastructure networks today?
Infrastructure exists to support communities by delivering to defined service levels, but when it is offline, damaged, or unreliable, it heavily impacts businesses and communities. New Zealand is at risk to both natural hazards and man-made threats, including earthquakes, wildfires, flooding, economic sabotage, foreign interference, terrorist activity, misinformation - the list goes on. Given the wide range of hazards and threats, we need to take a more holistic view so we can collectively increase resilience across our critical infrastructure.
New Zealand’s vulnerability
It’s not surprising that New Zealand’s Infrastructure Commission, Te Waihanga, in its Infrastructure Strategy has “strengthening resilience to shocks and stresses” as one of its five objectives to achieve a thriving New Zealand. As the incoming briefing to Hon Mark Mitchell, Minister for Emergency Management and Recovery, identified in late 2023 that “climate change is increasing the frequency and severity of weather-related emergencies, such as floods, landslips, droughts, heatwaves, and wildfires. While there is growing attention being paid to climate change related risks, it is important to note New Zealand also faces considerable risk from geological related emergencies such as earthquakes, tsunami, and volcanoes.”
The National Security Intelligence Priorities, approved by Cabinet in 2023, also “help us to understand and take action on the national security issues, threats, and drivers of instability”, including the “threats to the sustained operation of critical infrastructure”. New Zealand’s critical infrastructure is at increasing risk from man-made threats, ranging from individuals wishing to cause harm, through to deliberate State-sponsored attacks, together with geopolitics drawing New Zealand into ever-increasing competition regarding the balance of power in the South Pacific.
New Zealand's critical infrastructure faces unique risks from natural hazards such as earthquakes, volcanic eruptions, and extreme weather events.
The cost of damaged infrastructure
Not surprisingly, New Zealand is currently ranked by Lloyd’s of London, a leading insurance marketplace, as second only to Bangladesh for vulnerability to natural hazards in terms of average annual losses in relation to the size of the economy. As an isolated island nation with an export-driven economy, we face significant annual losses caused by natural hazards. Our risk profile is further heightened by the fact that less than half of our public assets actually have insurance cover, which essentially means tax payers are self-insuring the costs of repairing damaged public infrastructure.
Recent forecasts and projections reveal that the costs to New Zealand and risks to our regions are significant, with costs associated with government response and recovery to disaster events growing faster than revenue. These projections suggest costs could increase by more than 50% each decade, climbing from $0.7 billion in 2020 to $3.3 billion by 2050. Many regions also face storm-related expenses that are growing faster than their regional incomes.
Why do we need to broaden our approach?
Resilience, described by the United Nations Office for Disaster Risk Reduction as the ability to withstand and recover efficiently from hazards, is essential to avoid harm to lives and mitigate large economic losses when infrastructure is damaged. Currently, the Civil Defence Emergency Management Act 2002 outlines our approach to hazard readiness and response, including defining our lifeline utilities; covering electricity, water, wastewater, broadcasting, telecommunications, road and rail.
Banking, financial services & grocery supply chains should be considered critical infrastructure due to their essential role in maintaining economic stability and security.
However, with interdependent infrastructure and increasing urbanisation, communities and businesses are now also heavily dependent on electronic banking, and food and grocery supply chains, which means we need to broaden our approach to what is considered critical infrastructure. Te Waihanga’s recent report also highlights that for effective risk management, infrastructure providers need a clear understanding of their assets and all the risks they face.
As identified in the New Zealand Security Intelligence Service Threat Environment Report 2024, being part of the global village and marketplace has many benefits for New Zealanders, but it comes with risks. Where we once relied on our ocean borders for security, we can no longer do this in a world where our intellectual property can be secretly transferred overseas.
Learnings from overseas
We are not alone with increasing our resilience to natural and man-made hazards. As a member of the Five Eyes intelligence sharing network with Australia, Canada, the United Kingdom, and the United States, we can learn from what others have been doing. This network aims to strengthen cooperation between member countries by addressing threats to critical infrastructure, as well as to share information, practices and ideas on domestic policy and operational approaches to critical infrastructure security and resilience.
In 2018, Australia implemented its primary critical infrastructure security legislation, the Security of Critical Infrastructure Act 2018 (SOCI Act). The SOCI Act looks to improve the security and resilience of critical infrastructure by identifying organisations and infrastructure essential to Australia. They have identified 11 critical infrastructure sectors, including communications; data storage or processing; defence; energy (electricity, gas, and fuel); financial services and markets; food and grocery; healthcare and medical; higher education and research; space technology; transportation; and water and sewerage.
In comparison to New Zealand legislation, the SOCI Act creates clear obligations on those Australian entities responsible for critical infrastructure assets, including:
- The ability to impose enhanced cyber security obligations on Australia’s most important critical infrastructure assets as Systems of National Significance (i.e. if disrupted could have significant cascading effects on Australian society and national security);
- The reporting of operational and ownership information to the Register of Critical Infrastructure Assets, managed by the Department of Home Affairs;
- The establishment of a Critical Infrastructure Risk Management Program that requires entities to identify and mitigate the personnel, physical or natural, cyber and supply chain risks to the critical infrastructure asset;
- The requirement to report cyber security incidents to the Australian Cyber Security Centre’s ReportCyber portal; and
- Responsive government assistance measures to allow the government to support industry in responding to a serious cyber incident.
Cyclone Gabrielle caused significant unprecedented damage to many communities across the North Island of New Zealand.Change is coming in 2025
Before Cyclone Gabrielle in 2023, New Zealand was proposing changes to recognise critical infrastructure with an Emergency Management Bill that aimed to strengthen how local government manages emergencies, with a focus on response and readiness. The Bill also sought to recognise the role of local iwi in emergency management, and require critical infrastructure entities to plan for and report on emergency levels of service.
Mātauranga Māori is a vital source of local information regarding hazards and evaluating possible options to mitigate. As identified by the Te Waihanga Infrastructure Strategy, “Mātauranga Māori is community-based and collective knowledge that offers valuable insights that complement Western scientific data with chronological and landscape specific precision and detail.”
However, following a change of Government and the findings of the Severe Weather Inquiry, the Bill was later discharged. The decision reflected priorities to address similar goals through separate work led by the Minister of Infrastructure, including plans to enhance the resilience of New Zealand’s critical infrastructure with a new Bill expected sometime later this year.
So, how can you start increasing your resilience?
Increasing resilience as an infrastructure owner can be challenging - especially with increasing costs, reduced funding, whilst also recovering from previous events. However, as seen in Australia, this process is a journey of maturity for all involved. Some organisations in Australia have gradually updated their existing risk management practices to increase their understanding and align with SOCI requirements, while others have strengthened ties with local emergency services to align their readiness and response plans. Some organisations are actively working and collaborating across industry groups to standardise their approaches and share learnings, while others are still starting out but understand the relevance and small steps needed to increase their resilience.
It’s therefore important that infrastructure owners broaden their understanding of the hazards and threats in which they operate, including taking an all-hazards approach, so they can fully capture the spectrum of risks. As listening, sharing and learning from others is usually the quickest and most cost effective way, to then plan and take steps to identify risks to critical assets, and put mitigations in place which are proportionate to the hazards and threats faced.
Keen to learn more? Andrew Livermore and Jonathan Howe will be presenting a Masterclass on Australian Critical Infrastructure Reform and Lessons for New Zealand at this year’s Infrastructure Resilience conference with Infrastructure New Zealand and Brightstar.
Contact Andrew Livermore or Jonathan Howe directly using the links below, or head to the event page for more information.