Uniting Forces for Cybersecurity in the Water Sector
The persistent digital threat in the Netherlands — and beyond — continues to soar and evolve. Nation-states employ cyberattacks to further their geopolitical aims, and cybercrime, serving as a lucrative business model, inflicts harm on individuals and entities.
And these threats affect all critical infrastructure globally. The irony is that modernizing such systems (necessary for their functioning and future-proofing) also increases such threats. And in the Netherlands specifically, this means that water structures — everything from ports, bridges, tunnels, and locks to dams — are proving not to be watertight.
A Myriad of Challenges for Water
The situation is particularly concerning since water is an essential part of a country’s infrastructure, and ensuring the security of operations is not just a matter of integrity but a fundamental necessity for public health and safety. Ensuring uninterrupted delivery of drinking water, proper water management, and wastewater treatment is imperative. And halting operations could lead to facility evacuations and impact industries dependent on water. What is more, cyberattacks on water infrastructure can have devastating consequences, from contamination to flooding, posing a severe threat to public health and safety.
Drinking water companies, therefore, encounter challenges related to the physical security of offsite Operational Technology (OT) systems in publicly accessible areas. Maintaining automated systems that can also be operated manually poses difficulties in incident response, recovery plans, and business continuity. Therefore, ensuring the security and future-proofing of OT systems is critical for smooth operations.
The Nexus Between Automation and Cyber Risk
Marcel Jutte, Director of Business Sector Cyber Security at Kiwa (and Founder of Hudson Cybertec), explains the critical junction where increased automation in the water industry intersects with heightened cyber vulnerabilities: “The water sector is undergoing a technological metamorphosis. As the sector invests significantly in automation to enhance production, distribution, and treatment efficiency, the associated connectivity and adoption of new technologies introduce cyber risks. While innovative, the advent of IoT (Internet of Things) and OT solutions creates an urgency to strengthen cybersecurity.”
The gravity of the situation, as Dragan Jovanov, Global Head of Business Sectors (and Water) at Kiwa, acknowledges, stems from the responsibility of governments to provide safe drinking water for all: "The government's responsibility to ensure access to water remains paramount, especially during crises. Hence, the need for robust cybersecurity measures to safeguard water production, distribution, and treatment becomes an inherent need."
Coming Together for Cyber Resilience
It is evident that organizations must become more digitally sound due to increasing cyber threats, making compliance with legislation and certification more critical than ever.
A new partnership between Kiwa and Hudson Cybertec marks a pivotal collaboration aimed at fortifying the cybersecurity landscape within the water sector. Together, we are teaming up to improve cybersecurity for OT. We collaborate to guide organizations from the initial baseline measurement, preparing them to be ‘certification ready,’ and then later, to the actual certification of their OT systems, the latter being conducted by Kiwa.
Hudson Cybertec, with almost a decade of experience in the water sector, offers guidance and conducts cybersecurity audits for drinking water companies, evaluating compliance against established standards. They aid policy development and conduct pre-audits, site visits, and final audits for Dutch drinking water companies. Their close collaboration with RWS (Department of Waterways and Public Works in the Netherlands) and waterboards involves updating the CSIR (CyberSecurity Implementation Guideline) to bolster cybersecurity measures.
Hudson Cybertec's role in preparing entities for certification uniquely complements Kiwa's role in certifying compliance with industry standards and legislation. Moreover, the partnership expands Kiwa's service portfolio into cybersecurity, extending our services beyond traditional wastewater and drinking water management. We aim to secure critical water infrastructure by incorporating cybersecurity as an integral aspect.
Multifaceted Cybersecurity Needs Across the Value Chain
It is important to note that the interconnectivity of the water value chain from producers to distributors, municipalities, and even individual households underscores the various challenges of securing the sector. In fact, we can differentiate between the three primary segments — drinking water, water boards regulating water levels, and wastewater treatment.
"We know that securing only one aspect of the chain is insufficient,” emphasizes Dragan. “Therefore, we collaborate to cover cybersecurity across the entirety of the water sector, including suppliers, to ensure a resilient and secure ecosystem."
"Each segment necessitates tailored attention," adds Marcel. "The concerns regarding the quality and safety of drinking water versus the management of water levels or wastewater treatment are distinct yet equally critical."
Guidance to Reach IEC 62443 Certification
The *Vewin measures, based on ISO 27001 Annex A requirements and IEC 62443, serve as the standard cybersecurity measures for drinking water companies. Water boards follow the CSIR guidelines for people, process, and technology measures. IEC 62443 specifically supports drinking water companies by specifying technical, organizational, and supply chain cybersecurity requirements. It also influences the CSIR guideline used by water boards and aids vendors in delivering cyber-secure products for the OT environment. Therefore, Kiwa's IEC 62443 certification allows organizations to implement certified OT equipment, ensuring compliance with legislation such as NIS2.
Protecting Water Starts With Education and Training
To deepen knowledge on the topic, we also offer training programs together with Hudson Cybertec. Our in-company training programs cover the IEC 62443 or CSIR standards, offering organizations case-specific approaches within the water sector. These programs enhance organizational cybersecurity knowledge, fostering risk-based measures and structured cybersecurity management.
International certification of participants in these programs benefits cybersecurity since certification indicates expertise in using cybersecurity standards and managing cybersecurity systems — in turn, aiding both organizations and their management.
Emphasizing Collaboration and Preparedness
The Kiwa and Hudson Cybertec partnership takes a proactive stance to protect vital water infrastructure from cyber threats. It helps water sector organizations move from initial assessments to certifications, bolstering their digital resilience amid advancing technology.
"Securing the water sector is not just a necessity; it's an obligation to the public,” concludes Dragan. “Protecting the consumer and ensuring the reliability and safety of water systems is intrinsic to Kiwa's values and purpose — we are here to protect the consumer, making quality visible in the value chain. And the collaboration between Kiwa and Hudson Cybertec — industry leaders — embodies our combined dedication to strengthening the sector against cyber threats.”
Marcel adds: “Our joint goal (as well as my personal goal) is to make the Dutch water sector more cyber-resilient. It's critical infrastructure, and that's very important for a healthy and safe environment for all.”
*Vewin is the national association of water companies in the Netherlands. The companies, with municipal and provincial authorities as their shareholders, deliver high-quality drinking water throughout the Netherlands 24/7.