**4. Results**

In this study, South Africa's water and wastewater sector and the national cybersecurity legislative and policy environment were analysed. The analysis was conducted to contextualise the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislative and policy environment and determine whether there is a need to propose any new legislation and/or policies, or amend existing ones, to address cybersecurity requirements of the sector. The findings are summarised in Table 5.

In Table 5, the "international cybersecurity system" means the international laws and stakeholders on fighting cybercrime, and the "national cybersecurity system" means the South African cybersecurity legislative and policy environment inclusive of key stakeholders. Similarly, the "water and wastewater sector as a system" means the water and wastewater legislative and policy environment inclusive of the sector's key stakeholders, and the "water and wastewater sector as a stakeholder" means the sector as one of the

**Cybersecurity Purpose (System Function) Cybersecurity Stakeholders (System Elements/Actors) Cybersecurity Legislation and Policies (System Interconnections)** International cybersecurity system Defined Partially defined Partially defined National cybersecurity system Defined Defined Defined Water and wastewater sector as a system Not defined Not defined Not defined Water and wastewater sector as a stakeholder Defined Defined Defined

key stakeholders within the national cybersecurity system. The findings in Table 5 are discussed in the next four sections.

> **Table 5.** Summary of study findings.

#### *4.1. Identify the National Cybersecurity System Function, Actors and Interconnections*

The purpose of this analysis exercise was to identify key national cybersecurity stakeholders (actors) responsible for the implementation of the six key objectives of the national cybersecurity (function), as well as to identify legislation and policies (interconnections) governing the interrelationships among stakeholders. The function of the national cybersecurity strategy has already been defined in Section 2.2 as to "centralise coordination of cybersecurity activities, by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge-based economy" [65] (p. 15). On the one hand, the national cybersecurity strategy function is implemented by domestic stakeholders such as the SSA, SAPS, and DCDT supported by foreign stakeholders such as the African Union, Interpol, and FIRST. The national cybersecurity stakeholders are the defined actors or elements of the national cybersecurity system.

On the other hand, six key pieces of legislation—such as the ECT Act, Cybercrimes Bill, and POPI Act—and one policy, the NCPF, were found to determine the interrelationships among the stakeholders in the national cybersecurity system. These are the interconnections of the national cybersecurity legislative and policy environment. As argued by Sutherland [38] and Detecon [37], the current coordination and managemen<sup>t</sup> of the national cybersecurity programme is complex. To demonstrate how complex the current implementation of the national cybersecurity strategy is, a few gaps and challenges were identified in the national cybersecurity legislation and policy environment. These are summarised as follows:



#### *4.2. Identify the Water and Wastewater System Function, Actors and Interconnections*

The purpose of this analysis exercise was to identify all the important stakeholders (actors) for the provision of quality water and wastewater services as well as cyber protection of the water infrastructure (function), which legislation and policies (interconnections) are responsible for the functions, and whether these delineate cybersecurity-related roles and responsibilities. On the one hand, the key stakeholders, such as the DWS, water boards and Trans-Caledon Tunnel Authority responsible for the provision of quality water and wastewater services, were identified in Section 2.3.1. On the other hand, pieces of legislation, such as the National Water Act, Water Services Act and Water Research Act, and policy, such as the National Water and Wastewater Master Plan, were identified in Section 2.3.2. These determine the interrelationships among the stakeholders in the water and wastewater sector for the provision of quality water and wastewater services. However, further analysis revealed that no cybersecurity-related roles and responsibilities are defined in the water and wastewater sector legislation and policies. This means that the water and wastewater sector is what SEBoK Editorial Board [88] refers to as an independent system (see sector system in Figure 3) comprised of its own components configured in such a way as to achieve its unique purpose within the national system.

#### *4.3. Identify the Water and Wastewater System as an Actor in the National Cybersecurity System*

The purpose of this analysis exercise was to identify which of the national cybersecurity stakeholders represent the water and wastewater sector. Analysis revealed that the *Public sector CSIRTs* in the 'OTHER ORGANS OF STATE' block in Figure 5 represents the water and wastewater sector as an actor or stakeholder within the bigger national cybersecurity system. Moreover, all national, provincial, and local governmen<sup>t</sup> departments as well as state-owned entities are also represented by the public sector CSIRTs. As shown in Figure 5, the public sector CSIRTs have a direct interconnected relationship with the ECS-CSIRT located in the SSA.

According to Sutherland [38], the ECS-CSIRT is actually Electronic Communications Security (Pty) Ltd. or COMSEC Pty Ltd., a private enterprise established in 2002 and mandated by the SSA to ensure protection of critical electronic communications. Like many other public sector and industry CSIRTs, the water and wastewater sector CSIRT is ye<sup>t</sup> to be established. Since no cybersecurity-related roles and responsibilities are defined in the water and wastewater legislative and policy environment, only one option is left: the national cybersecurity legislative and policy environment. To determine whether and how the existing national cybersecurity legislative and policy environment delineates the water and wastewater cybersecurity responsibilities, the interconnected relationships between the two systems were analysed.

#### *4.4. Analyse Interrelations between the Water and Wastewater and National Cybersecurity Systems*

The purpose of this analysis exercise was to determine if and whether the existing national cybersecurity legislation and governmen<sup>t</sup> policies delineate water and wastewater cybersecurity role and responsibilities. It was found that the water and wastewater legislation and policies give no provision for the sector's critical cyber and physical infrastructure protection. Instead, analysis revealed that the cybersecurity roles and responsibilities to provide for the sector's critical cyber and physical infrastructure protection, and indeed those of other sectors, are drawn mainly from the NCPF [65], Cybercrimes Bill [69], CIPA [70], POPI Act [71], RICA [72], ECT Act [73], and PAIA [74]. For example, the NCPF states that

the SSA shall, among other things, be required to "initiate and lead a process" [65] (p. 27) for the establishment of public sector CSIRTs while the Cybersecurity Hub at the DCDT should do the same with private sector CSIRTs and civil society stakeholders [65] (p. 18).

**Figure 5.** Water and wastewater system as an actor within the national cybersecurity system.

It has already been established in the previous section that the water and wastewater sector is represented by the public sector CSIRTs block in the national cybersecurity governance structure. The cybersecurity roles and responsibilities of sector CSIRTs are delineated in Section 6.3.6 of the NCPF and require, among others, that sector CSIRTs "establish national security standards and best practices for the sector in consultation with the Cybersecurity Centre (located in the Ministry of State Security) and the JCPS CRC, which are consistent with guidelines, standards and best practices developed in line with the NCPF" [65] (pp. 18–19). Along with other defined roles, this role interconnects the water and wastewater sector as an actor with other stakeholders or actors/elements inside and outside the national cybersecurity system to achieve the nation's function or purpose of securing against cyberattacks. Additionally, cybercrimes and concomitant penalties from such cyberattacks are defined in the Cybercrimes Bill and ECT Act as supported by other mentioned key legislation and policies. These are the interconnections of the national cybersecurity and water and wastewater systems. Therefore, the water and wastewater system's cybersecurity purpose, stakeholders, and legislation and policies are only defined when the sector is an actor—public sector CSIRT—within the national cybersecurity system. The ramifications of these findings as they pertain to the aim of the study are therefore discussed in detail.
