CSIR 3.0 was recently released. This Cybersecurity Implementation Guideline for Rijkswaterstaat Objects has been generalised so that parties such as contracting companies and water boards can also work with it. The new guideline has been drawn up in close collaboration with the professional field.
The original guideline dates from 2013. It is a translation of the existing BIO (Baseline Government Information Security) standard, which is based on ISO 27001 and ISO 27002, and of the IEC 62443 industry standard (International Electrotechnical Commission) for the security of industrial control systems. Industrial automation is interwoven with both domains, ordinary information systems and industrial control systems, which makes it necessary to combine the relevant parts of BIO and IEC 62443 into an appropriate set of controls and management measures for securing that industrial automation.
The CSIR was developed in collaboration with the Techniek Nederland industry association, within the Cyber Security Working Group of Rijkswaterstaat, which is chaired by Turabi Yildirim, senior cybersecurity advisor at Rijkswaterstaat. The working group meets at regular intervals to discuss security issues from practice at management level. Yildirim writes in a Rijkswaterstaat newsletter that the group develops cybersecurity solutions together and tests them in practice. ‘Where necessary, we improve them in parts by switching them to the tactical level and then to the strategic level if necessary.’
He thinks this chain approach is important. ‘First of all, because of this, there is cyber awareness and prioritization at the different layers of all organizations involved. You can operationalize things together. Client and contractor are on an equal footing, understand each other and can communicate with each other. The result is cost savings and a high degree of effectiveness.’
By taking up the subject itself, Rijkswaterstaat avoids becoming dependent on standards-setting bodies. ‘We can shape the developments ourselves and therefore work more proactively than reactively.’
Rijkswaterstaat manages and maintains vital infrastructure: flood defences, bridges, locks, tunnels, roads. ‘In the case of abuse or failure,’ says Yildirim, ‘the consequences for our security are dire; social disruption, environmental damage, financial damage or even fatalities. But we also want it to be workable. A good guideline that no external party can work with is of no use to us.’
For that reason, the Working Group has once again gone through CSIR 2.0 with a fine-tooth comb. The latest version has remained essentially the same, but has been generalised. Most RWS terms and references to security products and services used by the semi-government body have been deleted. As a result, the guideline can also be used by, for example, water boards and contractors. CSIR 3.0 is now part of the Purchasing Requirements Cybersecurity Wizard, which can be downloaded from the BIO government web page. The wizard helps to select the sets of requirements that match the products or services a government department is procuring.
Regional water authorities
Gabor Verputten is happy with the new guideline. He is a program member for information security and privacy, as well as chief information security officer of the Waterschapshuis, the management and implementation organization for the 21 water authorities in the field of ICT. ‘CSIR 2.0 contained specific components for Rijkswaterstaat. We have a different management method and we have adapted the CSIR to it. As a result, it is now a fantastic product for anyone who works with industrial automation.’
Because all government and semi-government organizations work with one guideline, the need for good security is more clearly understood, says Verputten. ‘From asset owners to product specialists and system integrators; everyone is hooked. It is an awareness campaign. You want it to become business as usual, don’t you?’ He explains that the water boards consist of doers. ‘We are trying to help the water boards with a tool that supports measures to be applied per project. If someone has to sift through the entire CSIR, he’ll drop out.’
He calls it an advantage that the guideline has already been tested in the market. ‘As a result, market parties understand exactly what we are asking, because they are used to it through use at Rijkswaterstaat. That saves time and energy.’ These market parties can serve the water boards, municipalities and provinces in the same way and at no extra cost.
There is no certification program associated with CSIR 3.0. However, the quality of the implementation is monitored on the basis of the Cybersecurity Security Plan. This is a mandatory part of every order to the market. The Cybersecurity Security Plan must be evaluated and updated annually on the basis of the PDCA cycle (Plan-Do-Check-Act). Certifications are too generic, in Yildirim’s opinion, and working with Cybersecurity Security Plans is more pragmatic, fits better with an organization’s own organizational and process structures, and offers more options for a risk-based approach. ‘After all, the objects in question are located in the work field and not in the controlled environment of the client, which is often the scope for certification.’
For contractors, a workshop/training has been developed by an external party, in which contractors learn how to apply the CSIR. The main contractors from the sector association Techniek Nederland have the necessary experience in applying the CSIR. They have often also set up cybersecurity teams at corporate level to supervise the implementation projects. Within Rijkswaterstaat, we have our own multi-day training course to prepare the colleagues involved to apply the CSIR from the client’s role. This training is provided by Rijkswaterstaat’s Corporate Learning Center.
Anyone who wants to work for Rijkswaterstaat or a water board will have to submit a Cybersecurity Security Plan upon completion, and it must be in accordance with CSIR 3.0.