It has recently been discovered by a De Telegraaf investigation that critical Dutch water management sites are facing extreme risks of being crippled by a cyber attack as a result of inadequate cyber security defences.
Water locks and pumping stations in the Netherlands are leaving their systems vulnerable by not implementing basic cyber security measures. There is a five-year gap between security software and system updates, and the computer systems that manage the water supply haven’t been upgraded since the mid-1980s.
A criminal hacker could easily take control of the nation’s water supply by exploiting these vulnerabilities.
Business association Evofenedex believes that maintaining critical infrastructures should be a top priority, in particular when considering the disruptions to transportation services that were caused by NotPetya earlier this year.
The guidelines of the NIS Directive
In May 2018, the EU Directive on Security of Network and Information Systems (NIS Directive) will be transposed into national law. This Directive requires operators of essential services (OESs) to enhance their cyber resilience by implementing risk management and appropriate security measures.
OESs will also be required to implement measures that minimise the impact of incidents and ensure business continuity.
By November 2018, EU member states will need to identify the OESs that will be subject to the NIS Directive. As organisations operating a nation’s water supply are included in the guidelines for identifying OESs, it’s probable that water locks and pumping stations will be expected to comply.
The Netherlands needs to step up its cyber security game
Under the requirements of the NIS Directive, Dutch water locks and pumping stations may be obligated to implement cyber resilience systems.
Although their involvement in the NIS Directive won’t be confirmed until November 2018, it’s imperative that water stations operating with significantly outdated systems begin preparing for compliance now.
Once the NIS Directive comes into force, water stations found to be non-compliant would be subject to substantial financial penalties, similar to those proposed under the General Data Protection Regulation (GDPR).
Hassle-free cyber resilience solutions
The deadline for transposing the NIS Directive into national law is less than six months away. Although this may feel far off, implementing a robust cyber resilience programme should be an immediate focus to ensure your organisation complies and does not face the penalties.
IT Governance offers a comprehensive range of cyber resilience solutions that will make compliance a hassle-free journey:
- Information security management, supported by the international information security standard, ISO 27001.
- Business continuity and cyber incident response management, supported by the international standard for business continuity, ISO 22301.