The Netherlands’ Court of Audit conducted a research based on whether important waterworks are enough-protected against cyber attacks. Although the Ministry of Infrastructure and Water Management has made many attempts to protect the country’s automated tunnels, bridges, locks and flood defences, the automation systems are decades old.
Specifically, the Court of Audit highlighted that
There are still gaps in the protection of the most important flood defences that must protect our country against flooding. A malicious person can take over the computer systems from flood defences and in doing so cause great damage
The Ministry of Infrastructure and Water Management (Rijkswaterstaat) has made many efforts to enhance the security of tunnels, bridges, locks and flood defenses against cyber attacks.
Some vital waterworks that are based on old automation systems are often linked to computer networks to make remote control possible. Therefore, they are vulnerable to cyber attacks.
The Court of Audit finds that the Minister of Infrastructure and Water Management still has to take steps to meet its own objectives for cyber security.
Moreover, the Court of Audit proposes that the Minister of Infrastructure and Water Management shall research the threat level and decide whether additional people and resources are needed for the protection of the system.
Additionally, the Court of Audit believes that Rijkswaterstaat should implement the remaining safety measures, including connecting all vital waterworks to the SOC (Security Operations Center) to enable direct monitoring.
Concluding, consideration should be given to whether SOC staff should be screened better. Now employees are only asked to submit a declaration of conduct (VOG) and the question is whether that is sufficient to work with sensitive data about Cyber threats.
