Inspectorate starts investigation into Waternet after concealment of negative pen test
The Human Environment and Transport Inspectorate (ILT) is starting an investigation into the safety of the North Holland water company Waternet. Earlier this year, the company concealed the fact that it was aware of security risks, including from the ILT itself.
Waternet did not inform the ILT of the vulnerability, writes Minister of Infrastructure and Water Management Cora van Nieuwenhuizen in a letter to the House of Representatives. The ILT is responsible for the safety of drinking water companies such as Waternet. The minister is responding to parliamentary questions prompted by reporting from Follow The Money in September, which showed that Waternet’s digital security was not in order. As a result, the ILT met with Waternet. The water company said at the time that these were old problems that had since been solved.
Earlier this month, however, Follow The Money revealed that a penetration test was conducted in January 2020 with poor results. Waternet had not informed the regulator of this. The National Cyber Security Center was also not aware of the results. The 50Plus party asked parliamentary questions. Van Nieuwenhuizen responds that the ILT is starting an investigation into Waternet.
The investigation focuses specifically on compliance with the Network and Information Systems Security Act, or Wbni. The act contains the rules for central government institutions, but also for ‘providers of vital infrastructure’. That includes Waternet. The ILT is also looking at ‘the governance of Waternet’. According to Van Nieuwenhuizen, there is no reason to assume that the supply of drinking water is at risk. The minister also does not yet want to say which sanctions may follow, for example whether the minister or the ILT itself should intervene in the management of Waternet. She wants to wait for the investigation first.
According to the minister, it is not mandatory for companies to publish a confidential pen test or to forward it to the regulator or the NCSC themselves. The minister does acknowledge that it would have been better if that had happened. “However, given the current circumstances, it would have been appropriate if the ILT had been informed in time by Waternet,” Van Nieuwenhuizen writes in the letter.