Digital dams against cybercriminals

18 August 2022

"Delta works" - these are huge structures that protect several Dutch provinces from floods and storm surges. The electronic control of the flood defence gates is now also digitally networked - and thus a potential gateway for hacker attacks. Experts from TÜV NORD have taken a close look at the cyber security of the floodgates.

Without functioning flood protection, Holland would be in deep trouble; after all, around a quarter of Germany’s neighbour lies below sea level. It’s for this reason that sophisticated lock concepts are deployed there alongside metres-high dikes to guarantee safety. When it comes to ensuring that these systems are secure, Dutch partners rely on the expertise of TÜV NORD. Employees from Germany and the Netherlands have jointly certified the cybersecurity of flood protection and wastewater management schemes run by the Dutch water authority Hoogheemraadschap van Rijnland, the oldest water authority in the Netherlands, which is responsible for keeping the water both at bay and clean from Haarlem to Gouda. The certification process was a pioneering one.

Specialists like Matthias Springer, an expert in functional safety and IT security at TÜV NORD, draw a distinction between safety and security. While safety means protecting people and the environment, security entails protecting machines from people. “Everything that used to be considered under the banner of safety is now digitally connected to meet customer requirements and to offer remote monitoring and other online services,” says Springer. These safety management systems are therefore accessible from the outside. “If we’re going to ensure safety, then security must also be considered.”

In the case of the Dutch locks, the connection is particularly obvious. Huge flood barrier gates protect the Netherlands from the waters of the North Sea. “A whole range of complex automation technology is involved which can be managed centrally by the control centres,” says Springer. These locks can thus be opened and closed remotely. The consequences of a hacker attack do not need spelling out: in the event of a flood, opening the gates would result in the inundation of large parts of Holland. This hazard scenario is the starting point for TÜV NORD’s work.

“With the customer, we look at the worst case scenario and then break it down to see which measures The Deltawerken for example – behind the deceptively plain name is a whole series of huge structures spread over many square kilometres, whose purpose is to protect a number of Dutch provinces from damage caused by storm surges. The Deltawerken have been electrically controlled since the beginning. Nowadays, of course, the control process is a connected one, which entails very stringent security requirements. need to be taken,” says Springer.

This can mean that employees and components must authorise and authenticate themselves in the system. Encryption, data security and digital certificates play just as prominent a role as organisational processes. “This ranges from the good old computer USB port, which is secured by a lock, and proper password protection, all the way through to building protection,” says Springer. All in all, the work always involves technical, organisational and physical security measures. “We check the documents and go through the requirements of the standard. So it’s a mixture of desk work and on-site audits and inspections,” explains Springer. The end result is a technical report and a certificate.

In this pioneering project, TÜV NORD has tested some sample control centres and their automation systems. The pilot certification is now set to be implemented as a model for a further 80 sites operated by the water authority. “This certification was something special,“ says Vincent Schijven, Innovation manager at TÜV Nederland and customer-facing project manager. “Because of the scale of the project, because it affects an entire country and because of its sheer criticality. If something goes wrong here, a lot of people will be immediately affected.” It’s therefore reassuring to know that Hoogheemraadschap van Rijnland meets the IEC 62443 international standard for cybersecurity in operating technology – the certified systems represent the current state of the art.