Strengthening the digital defences: the cyber security of critical water structures
An audit into how the Minister of Infrastructure and Water Management is preparing to deal with cyber attacks against critical water structures managed by the Directorate-General for Public Works and Water Management. What tools can the Directorate-General use in order to detect cyber threats and attacks and protect water structures against cyber threats? Are the tools for detecting cyber threats and attacks effective? And do they offer sufficient protection? What scenarios have been developed for cyber attacks? What steps can the Directorate-General take to prevent other critical sectors from being impacted by a cyber attack (i.e. to deal with the cascade effects)? And how does the Directorate-General respond when vulnerabilities and incidents are detected?
Cyber security of critical water structures not watertight
There is scope for further improving the way in which tunnels, bridges, locks and dams are protected from cyber threats. Although the Directorate-General for Public Works and Water Management has made a great deal of progress in the past few years in identifying the action needed in order to improve the security of water structures, not all security measures have been implemented. Crisis documentation is outdated and no proper pen tests are performed. The audit revealed that not all critical water structures are linked directly to the Directorate-General’s Security Operations Center (SOC). This means that there is a risk of the Directorate-General failing to detect a cyber attack directed at a critical water structure, or of detecting such an attack too late. The Minister of Infrastructure and Water Management needs to take further action in order to meet the Ministry’s own cyber security targets.
What are our recommendations?
We urge the Minister of Infrastructure and Water Management to identify the current level of cyber security threat and to decide whether additional staffing and resources are needed. We believe that the presence of up-to-date information is vitally important for a rapid and effective response to a crisis situation. Pen tests should be made an integral component of cyber security measures for critical water structures. In addition, the level of screening that SOC staff are required to undergo should be reviewed.
Why did we audit cyber security at critical water structures?
Operating processes in critical sectors are highly computerised, which means that they are vulnerable to cyber threats. In its latest annual report, the General Intelligence and Security Service (AIVD) reports an increase in activities that are designed to facilitate the digital sabotage of critical infrastructure in Europe. The Dutch National Cyber Security Center (NCSC) reports a higher level of threat in the Netherlands from professional criminals and foreign powers (i.e. state actors); attacks are growing more sophisticated and complex. The NCSC regards sabotage and disruption caused by state actors as posing the biggest threat to national security.
What methods did we use in our audit of cyber security at critical water structures?
In order to answer our audit questions, during the period between May and October 2018, we studied internal documents produced by the Ministry of Infrastructure and Water Management and the Directorate-General for Public Works and Water Management, and we interviewed relevant members of staff. We examined the nature of measures and sought to ascertain whether they had been adopted. In addition, in order to answer our second audit question and acting in conjunction with the Directorate-General, we performed on-site examinations of the effectiveness of the measures taken in relation to critical water structures. At one of these structures, ethical hackers performed a test to assess the practical effectiveness of the cyber security measures.
The Minister of Infrastructure and Water Management responded to our audit report on 5 March 2019. The publication date of our audit report is Thursday 28 March 2019.