These are scenarios that did not exist at the time when the weirs and water treatment plants were built, but which have become reality now that IT and OT are increasingly merging together.
The Rivierenland Water Authority has asked TwynstraGudde and ICT Group to advise on how to overcome such vulnerabilities in mission-critical systems.
"In the past, operational technology (OT) systems were always stand-alone systems. However, we have embedded them in a chain and made them remotely controllable. This way, in situations such as high water, we can control the assets integrally, from a single location."
René van Looij, head of the Information and Digitalisation department at the Rivierenland Water Authority.
Major challenges
Integrated remote control and monitoring are important because, like all other water authorities, Rivierenland is facing major challenges. On one hand, attention is paid to climate adaptation. Water authorities want to prevent dry summers from having major consequences for farmers, citizens and businesses. On the other hand, they face the challenge of keeping our feet dry if too much water is supplied by the Rhine, Meuse and/or extreme rainfall. In addition, water authorities have to deal with declining water quality due to over-fertilization, medicine residues and soil contamination, which places increasingly higher demands on the water treatment plants. The government also expects water authorities themselves to operate sustainably and circularly.
As if this were not complex enough, there are also the current shortages in the labour market, which certainly affect the water authorities. Many technical specialists are retiring, which means that a lot of knowledge is lost and good follow-up is hardly available. All the more reason to use technology to support and ease the work of employees.
Doing more work with fewer people
The Rivierenland water authority does this with a central control room in Tiel, where employees can monitor the entire area , which runs from Papendrecht and Alblasserdam to the German border. They can remotely monitor water levels, operate pumping stations and weirs, quickly identify faults and so on. This allows them to do more work with fewer people.
Moreover, it doesn't stop there. Like every water authority, Rivierenland also has the desire to expand technological options in the future. Think, for example, of dike monitoring with drones, optimising the wastewater treatment plant with AI and machine learning, or building a digital twin that provides insight into how all systems in a water board are interrelated.
"There are a lot of possibilities. But before the Rivierenland Water authority starts mining it, they first wanted to get advice on how they can integrally secure their systems and processes against vulnerabilities and how they can increase reliability",
says Léon Huijsdens, Principal consultant at ICT Group.
People, processes and technology
Together with TwynstraGudde, he advised the water authority on the integration of IT and OT. Because bringing these two worlds together makes the chain vulnerable, Léon knows. What if the screens go black due to a malfunction? "We are no longer equipped for our people to work on location. Of course, they sometimes have to be on-site, but the lion's share of the work is done from the central control room," says René.
That is why the water authority asked TwynstraGudde for advice on how to make the OT/IT chain robust and secure. This agency takes a broad and integral view. It uses a model that consists of three axes: people, processes and technology. TwynstraGudde hired ICT Group for the technical side of that advice. Sam-Peter Bakker of TwynstraGudde says: "The three axes are inextricably linked and all three are equally important. You have to develop them in balance with each other." Because no matter how great a technical solution you can develop, if the processes are not adjusted and/or people don't start working with it, the technology won't bear fruit.
Linking IT to OT
In this project, ICT Group focused on the vulnerabilities that arise when new IT solutions are linked to existing OT solutions. Because OT is a completely different world, with very different characteristics than IT. The fact that the two come together offers various opportunities, but it also creates new threats.
Léon: "OT systems are designed for eternity. They never break.. But to control them remotely, you use IT." IT is characterized by continuous innovation, which you can usually deploy quickly. "But you can't really use such a continuous stream of changes in an operational process environment, with 24/7 service. There is a clear tension here," says Léon.
Cyber security as a new area of focus
This tension also occurs in the area of security. After all, OT systems were never designed to be connected to the internet. They always ran standalone. It was enough to secure physical cabinets from intruders. "Now that there will be a link between IT and OT, you will have to look at OT security through IT glasses," says Léon.
Talking to each other
TwynstraGudde and ICT Group carried out an extensive study for Rivierenland. This included studying the processes and the available technical documentation, as well as interviews with stakeholders from both the OT and IT fields. In order to bridge the differences between the two worlds, risk sessions have also been organised. "It brought together all those involved: people from OT, IT and managers. Under the leadership of TwynstraGudde, they discussed all aspects of IT and OT. That was incredibly valuable. They learned to look at the situation through each other's glasses and gained a much better understanding of each other's points of view."
In those sessions, quite a few cultural differences were also bridged. Sam-Peter gives an example. "For example, IT specialists prefer to carry out updates and patches at night, when as few people as possible are affected by the work. While OT work preferably takes place during the day when there is as much support as possible available. By discussing this together, they were able to jointly devise new work processes that meet the needs of both groups."
The result of the project is an advisory report that has been shared with the board of the Rivierenland water authority, as well as a list of findings that need to be acted upon to minimize the risk of a malfunction.
IT-OT integration is vulnerable everywhere
Of course, Rivierenland is not the only organization that is struggling with new vulnerabilities that arise when OT is linked to IT. It applies to all organizations that control physical assets, regardless of whether those assets are wind farms, train cars or machines in a factory. TwynstraGudde and ICT Group can identify the vulnerabilities and draw up a multi-year plan for securing the chain and making it robust on all fronts: people, process and technology.
