Dutch waterworks not well protected against cyber attacks: Court of Audit

Sea lock at IJmuiden. Photo: gigra/DepositPhotos

The Netherlands' tunnels, bridges, locks and flood defenses are not sufficiently protected against cyber attacks, the Court of Audit concluded in a report published on Thursday. The Court advises the Ministry of Infrastructure and Water Management to make cyber security for these essential parts of Dutch infrastructure a priority.

"The digital revolution that is taking place under our eyes brings unprecedented new opportunities. At the same time, technology makes us dependent and cyber threats arise that did not exist until recently. Espionage, sabotage, terrorism and crime have moved to the digital world and also threaten the automation of flood defenses. The works that protect us against water must now be protected against digital threats", the Court of Audit said.

The Dutch waterworks run on automation systems that mostly date from the 80s and 90s, before cybersecurity was a priority for anyone. Over the years these systems have been linked to computer networks to make it possible to control them remotely. Their security was not sufficiently developed in the intervening years to protect them properly. As a result, they are increasingly vulnerable to cyber attacks and crime, the Court said.

According to the Court of Audit, public works department Rijkswaterstaat itself determined which cyber security measures need to be taken at the waterworks. While around 60 percent of these measures were implemented by the beginning of 2018, the implementation of the rest is lagging behind. "Rijkswaterstaat is not forcing the implementation of the outstanding measures at its own regional organizational units. Cyber security is also not yet a fully-fledged part of regular inspections."

A number of the waterworks managed by Rijkswaterstaat have been designated as 'vital', which means that an attack on any of these can have major consequences for the Netherlands. The Court of Audit found that not all these vital waterworks have been connected to Rijkswaterstaat's Security Operations Center (SOC). "As a result, there is a risk that Rijkswaterstaat will not detect a cyber attack or detect it too late."

The Court also noted that Rijkswaterstaat has not kept up to date all the information that may be essential in a crisis, and has no process in place to keep this information current. There is no specific scenario in place for what to do in a crisis situation, and so-called 'pen testing' is rarely done, the Court said. Pen testing is when hackers are hired to try to break through security systems in order to identify vulnerabilities. "Pen testing should be an integral part of cyber security measures in vital waterworks."

The Court of Audit advises Minister Cora van Nieuwenhuizen of Infrastructure and Water Management to investigate the current threat level against the waterworks and, on that basis, decide whether additional people and resources are needed. Rijkswaterstaat should also implement its remaining security measures as soon as possible and make sure that all vital waterworks are connected to the SOC. "Furthermore, consideration should be given to whether SOC staff should be screened better. Now employees are only asked to submit a certificate of good conduct and the question is whether that is sufficient to work with sensitive data about cyber attacks", the Court of Audit said.

In response to the report, Minister Van Nieuwenhuizen stressed that Rijkswaterstaat is on the right path, but the end goal has not yet been achieved. She will work with Rijkswaterstaat to look at how security can be improved quickly, she said in a letter