Article   November 10 2023

The Water Supply sector - what’s new with NIS2?

With a wider coverage of sectors, stricter requirements for risk management and incident reporting and more hard-hitting penalties for non-compliance, the new NIS2 directive is the most comprehensive European cybersecurity directive yet. The Water Supply sector is considered an essential sector under the coming NIS2 directive because a disruption to this service could have severe real-life consequences in society.

Image: water fountain (Piqsels.com, royalty free)

The water supply sector is a vital industry responsible for providing communities with clean and safe water while also managing and treating wastewater. The sector faces a wide range of cybersecurity challenges. Many water treatment and distribution systems carry hidden vulnerabilities for the simple reason that they were designed long before cybersecurity was a concern. By their nature, most water treatment and distribution facilities are located in remote or unsecured areas, making them vulnerable to physical attacks that can disrupt systems.

Today, many water and wastewater utilities lack the resources to recruit skilled cybersecurity personnel or maintain an effective security posture. As in every industry, there is a standing risk of insider threats as well as third-party risk: providers in this sector often rely on third-party vendors, which creates potential entry points for attackers. Control systems manage critical technical processes in water treatment and distribution, and because they are often connected to the internet, these systems are susceptible to attacks.

Sector specific challenges

The water supply sector will likely be significantly affected by the NIS2 Directive. Water utilities may need to invest heavily in cybersecurity measures to remain resilient to cyber threats, increasing their budget allocation for cybersecurity. This includes upgrading technology, procuring new security tools, and providing employee training programmes. This could in turn stimulate demand for cybersecurity services and promote competition and innovation, and water utilities may need to adjust their procurement practices to comply with the NIS2 cybersecurity requirements. Across sectors, the NIS2 directive emphasises coordination, and water utilities must work with other sectors to develop and implement coherent cybersecurity strategies.

Awareness training – one of 10 key cyberhygiene measures 

The NIS2 directive requires that the water supply sector and other essential and important entities implement 10 baseline security measures to address specific, likely forms of cyberthreat:

- Risk assessments and security policies for information systems. 

- Policies and procedures for evaluating the effectiveness of security measures. 

- Policies and procedures for the use of cryptography.  

- A plan for handling security incidents. 

- Security around the procurement of systems and the development and operation of systems.  

- Security procedures for employees with access to sensitive or important data. 

- A plan for managing business operations during and after a security incident. 

- The use of multi-factor authentication. 

- Security around supply chains and the relationship between the company and direct supplier.  

- Cybersecurity training and a practice for basic computer hygiene. 

Cybersecurity training is not only ‘on the list’. It is well established that awareness training is an essential part of building the organisational security culture needed to comply with many of the other security measures mandated by NIS2. Without awareness training all year round, many operational procedures will eventually fail due to human error.

Our newly updated 2024 editions of Information Security Awareness training are aimed at all employees, managers, executives and boards, and form one part of becoming NIS2 compliant.

Or why not kickstart with our NIS2 Introduction course? It will give your management a better understanding of what your organisation needs in order to be NIS2 compliant.
