Algemene Rekenkamer NCA

Strengthening the digital defences: the cyber security and critical water structures

2019 NL2019waterCybersecurity
SCALE
  • All critical water structures managed by the Directorate-General for Public Works and Water Management
COMPLIANCE FOCUS
  • Data Processing and Cyber Security Act 2017
  • Network and IT Systems Security Act 2018
  • Government Accounts Act 2016
  • Security Programme
  • regulations of the Minister of Infrastructure
  • EU NIS Directive (2016/1148)
  • Cyber Security Decree 2017
  • Civil Service Data Security Regulations Decree 2007
PERFORMANCE ASPECT
  • cooperation between Minister of Infrastructure and Directorate-General for Public Works and Water Management
  • effectiveness of tools for detection of cyber threats and for protection of water structures
  • development of different scenarios for cyber attacks

Detection and response strategy not yet completed. (…) the objective set for the end of 2017 of instantly detecting any cyber attacks directed against critical water structures had not been achieved by the autumn of 2018. As a result, the Security Operations Centre (SOC) does not have an up-to-date picture of the cyber security status of all critical water structures, which means that there is a risk of hackers being able to break into critical structures unnoticed. This also means that there is a risk of the Directorate-General failing to detect a cyber attack directed at a critical water structure, or of detecting such an attack too late.

No scenario had been constructed specifically for a crisis caused by a cyber attack. Moreover, no information was available at head office on the cascade effects caused by a cyber attack on the critical water structures. We also found that certain important documents relating to the response to a cyber attack (i.e. crisis maps and network reports) were not kept up to date. This means that there is a risk that the response to a cyber crisis may be neither sufficiently rapid nor sufficiently effective.

The Security Operations Centre (SOC) claims to have a capacity problem – in terms of both staff and expertise. This lack of capacity causes delays, for example, in analysing reports of potential threats: the SOC claims that it may take several days before any action is taken in response to low-priority alerts. The SOC staff said that they would like to further refine and professionalise their detection practices, for example by refining the way in which log data are checked so as to identify any suspicious patterns.

The operating processes at critical water structures use computer systems, many of which date back to the 1980s and 1990s, a time when the term ‘cyber security’ was not in common use. Although these systems were originally designed to operate on a stand-alone basis, they have over the years been gradually linked up with bigger computer networks, for example in order to facilitate remote operation. However, this trend has made the systems more vulnerable to cyber threats. For the time being, it is unclear how great the threat is of a cyber attack against the sea defence and water management sector.

The items above were selected and named by the e-Government Subgroup of the EUROSAI IT Working Group on the basis of publicly available reports of the author Supreme Audit Institutions (SAIs). In the same way, the Subgroup prepared the analytical assumptions and headings. All readers are encouraged to consult the original texts by the author SAIs (linked).