Gatekeeper Editorial — Compliance & Security
BIO BBN2: A Practical Guide for Water Boards
Understanding the Baseline Informatiebeveiliging Overheid (BIO) at the BBN2 level, and how Dutch water boards (waterschappen) can implement and demonstrate compliance with the government information security baseline.
What is BIO and why BBN2?
The Baseline Informatiebeveiliging Overheid (BIO) is the Dutch government’s information security framework, replacing the earlier BIG, BIR, and BIWA standards. It is based on ISO 27001/27002 and defines three protection levels (Basisbeveiligingsniveaus or BBNs).
Dutch water boards (waterschappen) typically operate at BBN2 — the level required for information that is confidential but not state-secret. This covers most operational data including SCADA systems, financial records, and citizen data.
BBN2 requires implementing all BBN1 controls plus additional measures for confidentiality. The full BIO framework contains approximately 130 controls at BBN2 level, mapped across 14 chapters aligned with ISO 27002.
Key control areas for water boards
Water boards face unique challenges because they operate both traditional IT infrastructure and operational technology (OT) for water management. Key BIO BBN2 control areas include:
Asset management (Chapter 8): Maintain a complete inventory of information assets, including SCADA/ICS systems, network equipment, servers, and endpoints. Each asset must have an assigned owner and classification level.
Access control (Chapter 9): Implement role-based access control with the principle of least privilege. Separate IT and OT network access. Enforce MFA for all remote access and administrative functions.
Cryptography (Chapter 10): Encrypt sensitive data at rest and in transit. Use PKIoverheid certificates where required. Document your key management procedures.
Physical security (Chapter 11): Secure physical access to pump stations, water treatment facilities, and data centres. Implement logging of physical access.
Operations security (Chapter 12): Maintain documented operating procedures. Implement change management. Monitor and log all system activities. Protect against malware.
Communications security (Chapter 13): Segment networks between IT and OT. Monitor network traffic. Secure data transfer agreements with third parties.
Supplier relationships (Chapter 15): Assess and monitor the security of all suppliers. Include security requirements in contracts. Conduct regular supplier audits.
Common gaps at water boards
Based on audit findings across Dutch water boards, the most common BIO BBN2 compliance gaps are:
1. Incomplete asset inventory — Many water boards lack visibility into their full OT estate. Legacy SCADA systems are often undocumented or managed outside of IT.
2. Network segmentation — IT and OT networks are not always properly segmented. A breach in the office network should not be able to reach water treatment controls.
3. Patch management — OT systems often run outdated software due to vendor restrictions or availability requirements. A risk-based approach to patching is needed.
4. Incident response — Incident response plans exist but are not regularly tested. Tabletop exercises should be conducted at least twice per year.
5. Logging and monitoring — Centralised logging is incomplete. Critical systems generate logs, but they are not correlated or actively monitored.
6. Supplier management — Third-party access to OT systems is not always logged or reviewed. Vendor remote access sessions should be monitored in real time.
Building a compliance roadmap
A practical approach to achieving BIO BBN2 compliance:
Phase 1 (Months 1–2): Discovery and gap analysis. Conduct a full asset inventory including OT systems. Map current controls to BIO BBN2 requirements. Identify and prioritise gaps.
Phase 2 (Months 3–4): Quick wins. Implement MFA everywhere. Deploy network monitoring. Establish centralised logging. Document your incident response plan.
Phase 3 (Months 5–8): Structural improvements. Implement network segmentation between IT and OT. Deploy vulnerability management. Establish supplier security assessments. Conduct security awareness training.
Phase 4 (Months 9–12): Maturity and audit readiness. Conduct internal audits. Run penetration tests. Perform tabletop exercises. Prepare evidence packages for external audit.
A platform like Gatekeeper supports this roadmap by providing the automated discovery, continuous monitoring, and compliance tracking needed at every phase.