Farys is a modern organization that rolls out activities focused on the drinking water supply to private individuals and companies in Flanders. In addition, Farys manages waste water and sports infrastructures such as swimming pools in various Flemish municipalities. About a thousand employees look after the drinking water supply to around 700,000 families and businesses. In 2020, it had nearly 668 km of supply pipes, 11,733 km of distribution pipes and supplied more than 91 million m³ drinking water.
IT plays an important role in ensuring the smooth operation of these activities. It is important not only for administrative aspects, including the correct processing and issuing of more than two million Farys invoices per year. Farys has also invested in an online customer portal (MyFarys), where customers can quickly manage their own arrangements. For example, if they need to change their address when moving house, manage their data or change the amount of the interim invoices. “We also need a very specific OT technology, which allows us to manage all our facilities for both the production and the transport and delivery of drinking water”, says Inge Opreel, ICT department manager at Farys/TMVW. “And IT also helps to support our staff in the field, who work entirely on a mobile basis. In short, IT is crucial for Farys.”
In the beginning of 2021, Farys was named a ‘provider of essential services’, which means that Farys has to comply with the NIS regulations. Along with all Flemish water utility companies, Farys decided to meet the strict ISO 27001 standard. “The Belgian NIS legislation provides that if you are ISO 27001 certified, you automatically meet all the provisions of the NIS legislation,” says Inge Opreel. “We were already working intensively on cybersecurity, of course. But you can see that cybersecurity has now moved higher up the agenda.”
It was not only the NIS legislation that served as a trigger to invest more and more in cybersecurity. Other triggers include ones you can see in the outside world. Cases of hacking are increasingly in the news. “Among others, the hacking of a drinking water company in Florida and of the Colonial Pipeline gave the dangers of cybercrime in our sector greater visibility within our organization”, according to Inge Opreel.
The great challenge to an IT team in this sector is the extensive geographical spread of the various drinking water facilities. “Insight into the data flows within the OT network is crucial in the event of a cyber incident”, explains Inge Opreel.
From the moment when the NIS legislation was first discussed in relation to water utility companies, Farys together with Orange Cyberdefense began to examine the impact this would have on them. Even before Farys was designated a provider of essential services, it had begun to take a number of preparatory measures. This included a complete risk assessment of Farys as an organization, as well as of all facilities. “This gave rise to a number of action items and measures that had to be implemented – according to a pre-defined roadmap – in order to obtain the IS0 27001 certificate by the end of 2023.” The focus for the coming years is thus chiefly on the implementation of the Information Security Management System (ISMS).
In addition to the technological and process-related factors, it is the human factor that is of particular importance. Farys is therefore devoting great attention to training its staff so that they are not only familiar with the correct procedures but also and more importantly learn how to handle information and access to systems safely.
Orange Cyberdefense has for years been a trusted partner in the area of IT security. “One of the aspects for which it stands out from among the other parties is their expertise and long-standing experience in cybersecurity. Moreover, they have a very good knowledge of the drinking water sector, which has very specific requirements as regards security”, notes Inge Opreel.
The long-term partnership is also an added value, according to the ICT department manager. “They know our company thoroughly and are well acquainted with our approach to things, and they adjust their own methods to our specific situation. In addition, Orange Cyberdefense is very pragmatic in its orientation, and that is something we appreciate. We are a company that deals not only with theory but wants to see how things can be implemented quickly and easily in practice.”
The advantage of collaborating with Orange Cyberdefense is evident from the fact that the businesspeople at Farys are more aware of potential breaches of security that might occur. This is due entirely to the risk analysis that Farys carried out together with Orange Cyberdefense. “By guaranteeing a secure (IT) environment, Farys is a valued partner and this process has contributed to the good reputation we enjoy among our customers”, says Inge Opreel.
In terms of technology, the IT team now has a better overview of the OT network, which was formerly lacking. “The industrial network (OT or Operational Technology) plays a crucial role in Farys’ service provision. The OT network is one of the most important elements in need of protection, since we need it in order to secure the supply of drinking water. But the greatest advantage, I find, is that IT works closely in this regard with business in a relationship of trust, and is not regarded as a sort of bogeyman that imposes restrictions and incomprehensible measures on its way of working. We are seen as a true partner”, Inge Opreel tells us proudly.
One of the next steps that Farys wishes to take is the roadmap for further implementing the Information Security Management System (ISMS). “In addition, we also hope, in collaboration with other companies in the sector, to set up a Security Operations Center. This would allow us to monitor our extensive IT and OT network 24/7 and to receive