Digital dams against cybercriminals

18. August 2022

"Delta Works" – these are massive structures that protect several Dutch provinces from flooding and storm surges. The electronic control of the flood barriers is now also digitally networked – making it a potential entry point for hacker attacks. Experts from TÜV NORD have taken a close look at the cybersecurity of the locks.

Without effective flood protection, the Netherlands would be in trouble, as around a quarter of our neighboring country lies below sea level. That’s why, in addition to massive dikes, sophisticated lock systems ensure safety. Regional water authorities are responsible for the construction and operation of this vital infrastructure. The oldest of these is Hoogheemraadschap van Rijnland. TÜV NORD experts from Germany and the Netherlands have now jointly certified the cybersecurity of Hoogheemraadschap van Rijnland's flood protection and wastewater management systems – carrying out true pioneering work in the process.

Experts like Matthias Springer, specialist for functional safety and IT security at TÜV NORD, distinguish between safety and security. While safety refers to the protection of people and the environment, security means protecting machines from people. “Everything that used to be considered solely in terms of safety is now digitally connected to enable remote monitoring and other online services,” says Springer. This means that safety controls are accessible from the outside. “To ensure safety, you also have to address security.”

The case of the Dutch flood barriers clearly shows why this is so important. Massive floodgates protect the Netherlands from the waters of the North Sea. “There is a wide range of complex automation technology involved, which can be centrally controlled from monitoring centers,” Springer explains. This means the locks can be opened and closed remotely. The consequences of a hacker attack are easy to imagine: in the event of a flood, opening the gates could result in large parts of the country being inundated. This risk scenario is the starting point for the work of TÜV NORD’s experts.

“We examine the worst-case scenario together with our clients and then break down what measures need to be taken,” says Springer. The first step is always understanding: What is being assessed? What are the system boundaries, and what are the interfaces to the environment? “We aim to secure these critical points,” Springer explains.

This might mean that staff and system components must authorize and authenticate themselves. Encryption, data security, and digital certificates are just as important as organizational procedures. “It ranges from a simple USB port on a computer secured with a lock, to strong password protection, all the way to physical building security,” says Springer. Altogether, it’s about technical, organizational, and physical security measures. “We review documents and simulate the requirements of the standard. So it’s a mix of desk work and on-site audits and inspections,” he explains. In the end, there is a technical report and a certificate.

In this pioneering project, TÜV NORD experts have conducted exemplary assessments of control centers and automation systems. The pilot certification is now intended to serve as a model for another 80 sites managed by the water authority. “This certification was something special,” says project manager Vincent Schijven, Innovation Manager at TÜV Nederland. “Because of its scale—it affects an entire country—and due to its high criticality. If something goes wrong here, a large number of people are immediately affected.” It's reassuring to know, then, that Hoogheemraadschap van Rijnland complies with the international cybersecurity standard for operational technology, IEC 62443—meaning the certified systems represent the current state of the art.