Not long ago, the idea of a cyberattack shutting down a city’s water supply or taking out electricity to thousands of homes in the middle of winter would have seemed like something out of a thriller. Today, it’s an increasingly plausible scenario and not just overseas.

New Zealand’s critical infrastructure is now operating in an era where cyber threats are faster, smarter and harder to detect – thanks in no small part to artificial intelligence.

We’ve seen AI dominate headlines with tales of productivity boosts, chatbots and automation. But there’s a growing unease in the cybersecurity community that AI is being adopted just as rapidly by those with more malicious intentions.

AI and infrastructure = the perfect storm

As someone who’s worked across operational technology environments, from water and energy to agriculture, I’ve seen firsthand how thinly stretched some of our most essential systems are. Many are still run by small local teams or legacy software, without the budget or people power to match the complexity of today’s cyber landscape.

That makes us vulnerable.

AI enables bad actors to automate reconnaissance, launch convincing phishing campaigns at scale and exploit known vulnerabilities in systems with precision and speed.

Some of the most concerning developments we’re tracking involve AI-generated “deepfakes” being used to impersonate senior decision-makers (like political leaders in the Australian election) and authorise fraudulent activity.

These tools are no longer only in the domain of highly resourced cybercrime syndicates. AI-as-a-Service offerings are popping up on underground forums, where anyone with a few hundred dollars and malicious intentions can rent tools to mimic human behaviour and exploit weaknesses in our infrastructure.

So why New Zealand?

There’s a common myth in New Zealand that we’re too small, too remote, or too neutral to be of interest to cyber attackers. But for sophisticated threat actors – including nation-state groups – those traits can actually make us more appealing.

We’re a digitally connected country with pockets of world-class capability but when it comes to securing our critical infrastructure, we’re inconsistent.

Many of our essential services, like water treatment and electricity, are managed by regional councils or small authorities, often with limited resources and ageing technology. There’s no universal standard for operational technology (OT) security and that patchiness creates opportunity.

With this, New Zealand is seen as a low-risk testing ground. Threat actors can trial methods here without drawing global attention – quietly probing for weaknesses, refining tactics and scaling them elsewhere.

We’re already seeing signs of this here locally. In Q4 2024, the National Cyber Security Centre responded to 100 incidents affecting nationally significant organisations.

That figure is slowly climbing (up from 98 in Q3 2024) and it doesn’t capture attacks that go undetected, particularly in OT networks, which often lack visibility tools.

Protecting what matters most

AI is no longer a future threat in the world of cybercrime, it’s already reshaping how attacks are launched, scaled and concealed.

For New Zealand, that means the days of relying on “best efforts” or post-incident fixes are over.

We need to shift to a model of predictive defence. That means systems capable of spotting unusual activity in real-time, segmenting critical networks to limit exposure and learning from global threat intelligence to stay ahead.

Crucially, this isn’t just about deploying smarter tools – rather, it’s about embedding cybersecurity into the design of our infrastructure from the start.

We also need greater clarity and consistency in regulation. It’s not enough to protect data privacy. In a small country, the opportunity is to develop national standards that provide a consistent approach across local and national infrastructure.

This provides an efficient way to safeguard the systems we all depend on, from regional water supplies to public hospitals and electricity networks.

The stakes are not abstract. They’re tangible, everyday risks: clean water, functioning health services and power in homes during a freezing winter.

As AI continues to transform how we work and connect, we must also reckon with how it’s transforming the way we’re targeted. That means expanding the conversation beyond IT teams and into boardrooms, council chambers and cabinet discussions.

Because ultimately, this isn’t about networks and firewalls, it’s about protecting the systems that hold our society together.

And in my view, that conversation can’t wait.