Cyber security of critical water structures not watertight

There is scope for further improving the way in which tunnels, bridges, locks and dams are protected from cyber threats. Although the Directorate-General for Public Works and Water Management has made a great deal of progress in the past few years in identifying the action needed in order to improve the security of water structures, not all security measures have been implemented. We found that the Minister of Infrastructure and Water Management needs to take further action in order to meet the Ministry’s own cyber security targets.

Cover report Cyber security

Sea defences and water management are crucial to the country’s physical security. In our audit, we looked at the way in which critical water structures are protected against cyber attacks. This audit is part of a series of audits of information security and cyber security in central government.

Critical water structures use computer systems many of which date back to the 1980s and 1990s. Over the years, these systems have been linked up to computer networks, for example in order to facilitate remote operation. This has made these systems more vulnerable to cyber crime. According to the Directorate-General for Public Works and Water Management, modernising the systems in order to eliminate any risks would be both technically challenging and costly. For this reason, the Directorate-General has decided to focus its efforts on detecting and effectively responding to cyber attacks.

Our audit shows that staff from the Directorate-General have inspected all tunnels, bridges, locks and other water structures in recent years and identified the cyber security measures that are required. Although around 60% of these measures had been implemented by the beginning of 2018, the Directorate-General has failed to ensure that the remaining measures are implemented and does not have up-to-date information on their status. The Directorate-General has not sought to oblige its regional offices to implement the remaining measures. In addition, cyber security has not yet been fully included in routine inspections.

The Minister has designated a number of water structures managed by the Directorate-General for Public Works and Water Management as critical structures. An attack on the IT underlying these water structures could have a massive impact on the Netherlands. Our audit shows that not all critical water structures have a direct link to the Directorate-General’s Security Operations Center (SOC). We found that the Directorate-General’s objective set for the end of 2017 of instantly detecting any cyber attacks directed against critical water structures had not been achieved by the autumn of 2018. This means that there is a risk of the Directorate-General failing to detect a cyber attack directed at a critical water structure, or of detecting such an attack too late.

We believe that the presence of up-to-date information is vitally important for a rapid and effective response to a crisis situation. Our audit revealed, however, that crucial documentation required in crisis situations is not always kept up to date and that no procedures have been put in place for keeping this documentation up to date. Nor has a scenario been constructed specifically for a crisis caused by a cyber attack, and very few ‘pen tests’ (penetration tests) are performed. In this type of test, an organisation deliberately arranges for an outsider to hack into or circumvent its security systems. In our opinion, pen tests should form an integral component of cyber security measures for critical water structures.

Vulnerability test: SOC detects an attack by hackers

Our audit included a vulnerability test that we carried out at one of the critical water structures in conjunction with the Directorate-General of Public Works and Water Management. Our team of ethical hackers managed to gain physical access to the structure in question and to hack into the control room. However, the SOC immediately detected the attackers when they connected a laptop computer on-site to the Directorate-General’s IT network.

We urge the Minister of Infrastructure and Water Management to identify the current level of cyber security threat and to decide whether additional staffing and resources are needed. This recommendation follows from the fact that, at the time of our audit, no information was available on the scale of the threat of a cyber attack directed at water structures. We also believe that the Directorate-General should see to it that the remaining security measures are indeed implemented. These include linking up all critical water structures to the SOC so as to enable direct monitoring.

Finally, the level of screening that SOC staff are required to undergo should be reviewed. At present, staff are only required to submit a certificate of good conduct, but it is unclear whether this represents a sufficient level of screening for staff with access to sensitive data on cyber threats.

In her response to our audit, the Minister of Infrastructure and Water Management writes that she endorses our conclusions and is planning to act on our recommendations.