#### **1. Introduction**

Goal 16 of the United Nations' (UN) 17 sustainable development goals is intended to "promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels" [1]. But peace, justice and strong institutions [1] require strengthening coordination among various international and domestic stakeholders. Critical infrastructure protection also requires the strengthening of coordination among international and domestic stakeholders. The United States of America (USA) defines critical infrastructure according to the 2013 Presidential Policy Directive No. 21, as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." [2] (p. 37). The study has adopted this as the baseline definition of a critical infrastructure.

An example of a water-specific critical infrastructure is the Latvian water supply and sewerage enterprises association [3] which oversees 27 member organisations [4]. In Austria, there are approximately 5500 water utilities, 1900 community-based utilities, 165 water supply associations and 3400 water supply cooperatives [5]. Having a regularly updated inventory list of such critical infrastructures is a good practice [6]. However, effective cyberlegislation is vital not only for identifying and classifying but also for maintaining a country's infrastructure and protecting its citizens [6,7].

**Citation:** Malatji, M.; Marnewick, A.L.; von Solms, S. Cybersecurity Policy and the Legislative Context of the Water and Wastewater Sector in South Africa. *Sustainability* **2021**, *13*, 291. https://doi.org/10.3390/su13010291

Received: 11 November 2020 Accepted: 23 December 2020 Published: 30 December 2020

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

In many countries, the water and wastewater supply systems are classified as critical infrastructure as they are vital to national public health and economic security. Thus, prolonged interruptions of such critical infrastructures would naturally result in deteriorating public health and economic losses [5]. It is therefore crucial to understand the cybersecurity policy trends and discussions [7] to ensure proper coordination of cybersecurity activities in a country. This paper explores South Africa's water and wastewater sector cybersecurity responsibilities within the national and international policy context. This highlights how well-defined policy regulations in any country could ensure coordination of stakeholder roles and responsibilities for carrying out water-specific critical infrastructure cybersecurity activities. Thus, failure to define and implement effective cyberlegislation and policies could have a devastating impact on the protection of water and wastewater critical infrastructure.

In South Africa, the government gazetted the National Cybersecurity Policy Framework (NCPF) in 2015, which aimed at addressing cyber terrorism, cybercriminal activities, cyber vandalism, and cyber sabotage [8,9]. As the overarching national cybersecurity strategy of South Africa [9], the NCPF provides a governance process and guidelines to respond to cybersecurity threats and attacks against the country [8,9]. In the cybersecurity domain, policies outline the objectives and limitations of a strategy [10] to provide for measures to be put in place for the protection, safeguarding, and resilience of assets [11]. Thus, adopting the most recent cybersecurity technologies is only effective when deployed within the guidelines of a clearly defined and enforceable policy [10]. Since the adoption of the NCPF, South Africa has been actively conducting cybersecurity assessments, audits, and readiness exercises in different public sector entities as part of the implementation of the cybersecurity strategy. Water and wastewater is one such sector that needs to conduct its own cybersecurity assessments, audits, and readiness exercises. Failure to conduct these periodically could increase the risk and intensify the severity of a cyberattack on critical water infrastructure [12].

For example, an attacker may use the cyber kill chain—reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and action on their objectives—to gain entry into the victim's environment through the corporate information technology (IT) domain and then move laterally to the operational technology (OT) domain to launch attacks on critical infrastructure [13]. OT is a collective term for industrial control systems (ICSs), supervisory control and data acquisition (SCADA) systems, and other industrial monitoring and control processes [14,15]. ICSs and SCADA systems are essentially the backbone of critical infrastructures worldwide, including water supply systems, electricity grids, and transportation and telecommunication networks [16,17]. A well-documented cyberattack of a water supply system which took three months to detect occurred at the Maroochy water treatment plant in Australia [18]. This cyberattack took place in 2000, when SCADA systems began experiencing loss of communication, false alarms, and loss of pump controllability due to altered configurations [12,13,19]. This resulted in nearly 1 million litres of raw sewage spilling into rivers, parks, and residential areas, causing damage to the environment and costing society a lot of money [14,16,20,21].

The cyberattack example above demonstrates that cybersecurity can significantly affect sustainability. All three pillars of sustainability—social, environmental or ecological, and economic [19]—were impacted. The social pillar was impacted as a result of the raw sewage spillage in residential areas, including the grounds of a hotel [20]. The death of marine life and unbearable stench, as reported by the Australian Environmental Protection Agency [16], show the extent to which the environmental pillar was affected. Lastly, all these damages cost the Maroochy Shire Council and the state of Queensland money to clean up and rehabilitate the environment. Thus, the economic pillar of sustainability was also greatly impacted. It is also clear from this incident that the sustainability pillars can be viewed as three distinct and yet interacting systems [21]. That is, if one system/pillar is compromised, the other two will be equivalently affected in an attempt to return to the natural state of equilibrium [22,23].

In light of this, the paper aims to contextualise the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislative and policy environment of South Africa. This will determine whether there is a need to propose any new legislation and/or policies, or amend existing ones, to address the cybersecurity requirements of the sector. A systems thinking method is adopted to achieve the study's aim by examining the interrelationships between the water and wastewater sector and national cybersecurity legislative and policy environments as one system rather than as independent and unrelated elements.

This introductory section provides the background and context of the study problem. The rest of the paper is structured as follows: Section 2 outlines the international, national (South Africa), and sector (South African water and wastewater sector) cybersecurity policy and legislative environments; Section 3 describes the systems thinking research methodology adopted in the paper to contextualise the water and wastewater sector's cybersecurity responsibilities within the South African cybersecurity legislative and policy environment; Section 4 presents the results; and Section 5 discusses the findings. The policy recommendations of the study are outlined in Section 6 and the conclusion presented in Section 7.

#### **2. Cybersecurity Policy and Legislative Environment**

A cybersecurity policy helps to chart a course of action for ensuring security of cyberspace by defining collective and individual regulatory, legal, technical, behavioural, organisational, and international responsibilities in pursuit of cybersecurity [24,25]. Cybersecurity is therefore a shared responsibility for national governments, economic sectors, and organisations and/or individual digital device end-users [26]. The shared cyber defence responsibilities are usually coordinated by nation states to develop capabilities to achieve cyber resilience, reduce cybercrime, and secure critical national infrastructure while developing industrial and technological resources for cybersecurity [27]. In this section, the researchers reviewed the international, national, and sector (water and wastewater) cybersecurity literature to identify the stakeholders involved and existing policy and legal environment.
