2.3.1. Water Stakeholders

Two water and sanitation strategic documents were reviewed to identify the stakeholders legally mandated to provide water and wastewater services in South Africa. These are the national water and sanitation master plan [78] and the latest Department of Water and Sanitation (DWS) annual report [77]. In these two documents, the key water and wastewater stakeholders from the public sector and their roles and responsibilities are clearly defined. The following are the identified key stakeholders in the water and wastewater sector of South Africa [77,78]:


Note that the water boards/regional water utilities, catchment managemen<sup>t</sup> agencies, water service authorities, water service providers and water-user associations are stakeholder categories that represent many water organisational entities. For example, the water service providers category includes both the public and private sector entities. Thus, the stakeholder categories above are representative of all the key stakeholders in the water and wastewater sector of South Africa. In addition to the stakeholders, the appropriate water legal framework is required for ensuring that the water resources of the country are sustainably consumed, managed, and protected.

#### 2.3.2. Water Legislation and Policies

Sources from [79–82] were reviewed to identify legislation and policies governing the water and wastewater sector of South Africa. Similar pieces of legislation and governmen<sup>t</sup> policies in the sources were listed once below. All other pieces of legislation and policies are listed without exception below:




The words "secure", "security" and "protection" were searched in each of the pieces of legislation and policies above. The idea was to determine if and whether provisions for cyber critical infrastructure protection are made. The review revealed water cybersecurity gaps and challenges as discussed in the next section.

2.3.3. Water Cyber Critical Infrastructure Protection Challenges

A review of the legislation and policies identified in the previous section revealed that their purposes are essentially about providing for an integrated water resources managemen<sup>t</sup> agenda [83]; a technique for planning, monitoring, and managing water resources in a coordinated manner. The legislation and policies contain nothing relating to the protection of critical cyber and physical infrastructure as described in Table 4.

**Table 4.** Water cyber critical infrastructure protection challenges.


Table 4 indicates that the closest reference to some kind of protection is in the National Water Act, which in addition to the protection of raw water in South Africa, provides for the governance of raw water, including the development, consumption, management, and control of aquatic ecosystems [78]. The Strategic Framework on Water Services of 2003 also mentions protection of water assets albeit as it pertains to the repair, maintenance, and rehabilitation of water systems. Therefore, no provision for critical cyber and physical infrastructure protection is made in all the water and wastewater legislation and policies. A review of the existing international, national, and sector (water and wastewater) cybersecurity legislative and policy environments has been conducted in this section. The review identified the national and water and wastewater sector cybersecurity gaps and challenges. What is not clear thus far is how the water and wastewater sector interrelates with the national cybersecurity legislative and policy environment.
