NAD Water Control partners with DEFION to ensure NIS2 compliance for OT

Challenge

NAD Gemalenbeheer, a collaboration between the municipalities of Delft, Leidschendam-Voorburg, and Pijnacker-Nootdorp, manages various pumping stations, peripheral equipment, and pressure pipelines. These are connected to complex systems that are controlled and monitored via the internet. With the introduction of the NIS2 directive – part of the new Cybersecurity Act – NAD Gemalenbeheer had to comply with strict security requirements, not only for its own systems but also for the suppliers it works with. In addition, under the IEC 62443 standard, which focuses on the security of industrial automation and control systems, it was essential to strengthen its focus on security.

Solution

Leveraging its expertise in OT security, Defion mapped out the risks of the systems in detail by investigating several attack scenarios. During this process, vulnerabilities were identified that, in the worst-case scenario, could have resulted in the loss of control over more than 1,500 pumping stations and peripheral equipment, potentially allowing malicious actors to shut down systems entirely. Defion also thoroughly tested the supplier chain, external connections, and cloud environments, after which the appropriate security measures were implemented.

In addition to these assessments and improvements, Defion also began monitoring NAD Gemalenbeheer’s OT security. Thanks to additional sensors in the network, the organization now has real-time insight into the security of its systems, reducing dependency on external parties. With this approach, NAD Gemalenbeheer is well prepared to meet NIS2 requirements while structurally strengthening the security of critical infrastructure.