Cybersecurity Policy and the Legislative Context of the Water and Wastewater Sector in South Africa

: The water and wastewater sector is an important lifeline upon which other economic sectors depend. Securing the sector’s critical infrastructure is therefore important for any country’s economy. Like many other nations, South Africa has an overarching national cybersecurity strategy aimed at addressing cyber terrorism, cybercriminal activities, cyber vandalism, and cyber sabotage. The aim of this study is to contextualise the water and wastewater sector’s cybersecurity responsibilities within the national cybersecurity legislative and policy environment. This is achieved by conducting a detailed analysis of the international, national and sector cybersecurity stakeholders; legislation and policies; and challenges pertaining to the protection of the water and wastewater sector. The study found some concerning challenges and improvement gaps regarding the complex manner in which the national government is implementing the cybersecurity strategy. The study also found that, along with the National Cybersecurity Policy Framework (the national cybersecurity strategy of South Africa), the Electronic Communications and Transactions Act, Critical Infrastructure Protection Act, and other supporting legislation and policies make provision for the water and wastewater sector’s computer security incidents response team to be established without the need to propose any new laws or amend existing ones. This is conducive for the immediate development of the sector-speciﬁc cybersecurity governance framework and resilience strategy to protect the water and wastewater assets.


Introduction
Goal 16 of the United Nations' (UN) 17 sustainable development goals is intended to "promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels" [1]. But peace, justice and strong institutions [1] require strengthening coordination among various international and domestic stakeholders. Critical infrastructure protection also requires the strengthening of coordination among international and domestic stakeholders. The United States of America (USA) defines critical infrastructure according to the 2013 Presidential Policy Directive No. 21, as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." [2] (p. 37). The study has adopted this as the baseline definition of a critical infrastructure.
An example of a water-specific critical infrastructure is the Latvian water supply and sewerage enterprises association [3] which oversees 27 member organisations [4]. In Austria, there are approximately 5500 water utilities, 1900 community-based utilities, 165 water supply associations and 3400 water supply cooperatives [5]. Having a regularly updated inventory list of such critical infrastructures is a good practice [6]. However, an effective cyberlegislation is not only vital for identifying and classifying but maintaining a country's infrastructure and protecting its citizens [6,7].
In many countries, the water and wastewater supply systems are classified as critical infrastructure as they are vital to national public health and economic security. Thus, prolonged interruptions of such critical infrastructures would naturally result in deteriorating public health and economic losses [5]. It is therefore crucial to understand the cybersecurity policy trends and discussions [7] to ensure proper coordination of cybersecurity activities in a country. This paper explores South Africa's water and wastewater sector cybersecurity responsibilities within the national and international policy context. This highlights how well-defined policy regulations in any country could ensure coordination of stakeholder roles and responsibilities for carrying out water-specific critical infrastructure cybersecurity activities. Thus, failure to define and implement effective cyberlegislation and policies could have devastating impact on the protection of water and wastewater critical infrastructure.
In South Africa, the government gazetted the National Cybersecurity Policy Framework (NCPF) in 2015, which aimed at addressing cyber terrorism, cybercriminal activities, cyber vandalism, and cyber sabotage [8,9]. As the overarching national cybersecurity strategy of South Africa [9], the NCPF provides a governance process and guidelines to respond to cybersecurity threats and attacks against the country [8,9]. In the cybersecurity domain, policies outline the objectives and limitations of a strategy [10] to provide for measures to be put in place for the protection, safeguarding, and resilience of assets [11]. Thus, adopting the most recent cybersecurity technologies is only effective when deployed within the guidelines of a clearly defined and enforceable policy [10]. Since the adoption of the NCPF, South Africa has been actively conducting cybersecurity assessments, audits, and readiness exercises in different public sector entities as part of the implementation of the cybersecurity strategy. Water and wastewater is one such sector that needs to conduct its own cybersecurity assessments, audits, and readiness exercises. Failure to conduct these periodically could increase the risk and intensify severity of a cyberattack to critical water infrastructure [12].
For example, an attacker may use the cyber kill chain-reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and action on their objectives-to gain entry into the victim's environment through the corporate information technology (IT) domain and then move laterally to the operational technology (OT) domain to launch attacks on critical infrastructure [13]. OT is a collective term for industrial control systems (ICSs), supervisory control and data acquisition (SCADA) systems, and other industrial monitoring and control processes [14,15]. ICSs and SCADA systems are essentially the backbone of critical infrastructures worldwide, including water supply systems, electricity grids, and transportation and telecommunication networks [16,17]. A well-documented cyberattack of a water supply system which took three months to detect occurred at the Maroochy water treatment plant in Australia [18]. This cyberattack took place in 2000, when SCADA systems began experiencing loss of communication, false alarms, and loss of pump controllability due to altered configurations [12,13,19]. This resulted in nearly 1 million litres of raw sewage spilling into rivers, parks, and residential areas, causing damage to the environment and costing society a lot of money [14,16,20,21].
The cyberattack example above demonstrates that cybersecurity can significantly affect sustainability. All three pillars of sustainability-social, environmental or ecological, and economic [19]-were impacted. The social pillar was impacted as a result of the raw sewage spillage in residential areas, including the grounds of a hotel [20]. The death of marine life and unbearable stench, as reported by the Australian Environmental Protection Agency [16], shows the extent to which the environmental pillar was affected. Lastly, all these damages cost the Maroochy Shire Council and the state of Queensland money to clean up and rehabilitate the environment. Thus, the economic pillar of sustainability was also greatly impacted upon. It is also clear from this incident that the sustainability pillars can also be viewed as three distinct and yet interacting systems [21]. That is, if one Sustainability 2021, 13, 291 3 of 33 system/pillar is compromised, the other two will be equivalently affected in an attempt to return to the natural state of equilibrium [22,23].
In light of this, the paper aims to contextualise the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislative and policy environment of South Africa. This will determine if and whether there is a need to propose any new legislation and/or policies, or amend existing ones, to address the cybersecurity requirements of the sector. A systems thinking method is adopted to achieve the study's aim by examining the interrelationships between the water and wastewater sector and national cybersecurity legislative and policy environments as one system rather than independent and unrelated elements.
This introductory section provides the background and context of the study problem. The rest of the paper is structured as follows: Section 2 outlines the international, national (South Africa), and sector (South African water and wastewater sector) cybersecurity policy and legislative environments; Section 3 describes the systems thinking research methodology adopted in the paper to contextualise the water and wastewater sector's cybersecurity responsibilities within the South African cybersecurity legislative and policy environment; Section 4 presents the results; and Section 5 discusses the findings. The policy recommendations of the study are outlined in Section 6 and the conclusion presented in Section 7.

Cybersecurity Policy and Legislative Environment
A cybersecurity policy helps to chart a course of action for ensuring security of cyberspace by defining collective and individual regulatory, legal, technical, behavioural, organisational, and international responsibilities in pursuit of cybersecurity [24,25]. Cybersecurity is therefore a shared responsibility for national governments, economic sectors, and organisations and/or individual digital device end-users [26]. The shared cyber defence responsibilities are usually coordinated by nation states to develop capabilities to achieve cyber resilience, reduce cybercrime, and secure critical national infrastructure while developing industrial and technological resources for cybersecurity [27]. In this section, the researchers reviewed the international, national, and sector (water and wastewater) cybersecurity literature to identify the stakeholders involved and existing policy and legal environment.

International System
In the digital era, cybersecurity is of paramount importance for economic competitiveness and continuity of trade for organisations of all types and sizes. As the United Nations Economic Commission for Europe (UNECE) [28,29] asserts, cyberthreats cut across any social and economic activities nationally, regionally, and internationally. It is therefore prudent to explore available international cybersecurity cooperation mechanisms for the protection of critical infrastructure, including water and wastewater critical infrastructure. Of particular focus in this section are the key international cybersecurity stakeholders involved, applicable laws, and the challenges encountered when implementing cybersecurity practices.

International Cybersecurity Stakeholders
In the protection of critical water-related infrastructure cybersecurity webinar held on 18 November 2020 by the World Meteorological Organisation [30], it was indicated by one of the UNECE speakers that work encouraging common regulatory frameworks in specific sectors with critical impact on sustainable development is under way at the UN. This includes a report on the sectoral initiative on cybersecurity by the UNECE [28], albeit not one specifically focused on the water-related infrastructure sector. This makes the UN one of the important international cybersecurity cooperation stakeholders. In addition, some of the regional and other international stakeholders relevant to South Africa's cybersecurity endeavours were reviewed in Appendix A and are as follows: • African Union The African Network Information Centre is missing in Appendix A and is regarded by Dlamini [31] as a relevant stakeholder on the African continent regarding security of cyberspace. The next section explores some of the available treaties and conventions governing international cybersecurity cooperation and the interrelationships between the stakeholders mentioned above.

International Cybersecurity Laws
The 2001 Budapest Convention, which is the Convention on international cybercrime by member states of the Council of Europe and other non-member states [32], is the first international cooperation mechanism on issues relating to cybersecurity and cybercrime [33]. It attempts to provide signatory states with a common international policy to fight harmoniously against cybercriminals [34]. Of the 47 member states of the Council of Europe, only one-the Russian Federation-has not signed [35], citing infringement of its (internet) sovereignty [36]. Ireland and Sweden are the only two member states that have signed but never ratified [35].
There are several non-member states that have not signed and/or ratified the Budapest Convention. These include countries such as Brazil, Nigeria, and New Zealand. In the Brazil-Russia-India-China-South Africa (BRICS) bloc, only South Africa has signed the Convention but has never ratified [37,38]. Thus, the total number of signatures not followed by ratifications stands at three-South Africa, Ireland, and Sweden-as of 10 November 2020. In addition, the total number of ratifications now stands at 65 [35]. Since accession to the Convention is by invitation only for non-member states such as those in the BRICS bloc, no truly binding international cybersecurity and cybercrimes agreement is currently in place [33]. On the African continent however, the African Union (AU) adopted the AU Convention-Convention on Cyber Security and Personal Data Protection in June 2014 [36,38,39]. According to Coleman [39], the AU Convention provides a framework for personal data protection which member countries may transpose into their domestic legislation but requires at least 15 countries to be ratified and take effect. At the time of writing, the AU Convention had been signed by 14 member countries out of 55, and ratified by 8 [40]. South African has not yet signed the AU Convention.
There has since been other efforts for international cooperation regarding cybersecurity and cybercrimes, such as the UN General Assembly resolution 70/237 adopted on 23 December 2015 [41]; the world summit on the information society's (WSIS) Geneva Plan of Action [42]; Global Cybersecurity Agenda by the International Telecommunication Union [33] crime as the only treaty that is binding to its member states. Clough [33] (p. 725), however, cautions that the Convention is only effective when all member states have capacity in place to enact "domestic legislation across the spectrum of substantive and procedural laws and to put in place mechanisms for international cooperation." Some of the international cybersecurity implementation gaps and challenges in the water and wastewater sector are explored in the next section.

International Water-Specific Cybersecurity Challenges
It was mentioned earlier that ICSs are essentially the backbone of critical infrastructures worldwide, including of the water and wastewater critical infrastructure. The introduction of cyber connectivity into ICS environments has increased the vulnerability of all types of critical infrastructures to cyberattacks [3,[45][46][47]. Recently, the USA's cybersecurity and infrastructure security agency (CISA) [48] has reported compromises on critical infrastructures, government agencies, and private sector organisations through a thirdparty contractor network management tool called SolarWinds Orion platform. According to CISA [48], this advanced persistent threat (APT) [49] began approximately in March 2020, with evidence suggesting that there are additional initial access vectors other than the SolarWinds Orion platform. APTs are cyberattacks carried out repeatedly over an extended period of time by actors with significant resources and sophisticated levels of expertise [20].
The Australian and USA critical infrastructure cyberattacks point to supply chain compromises [11,25,50,51]. Some of the challenges of implementing cybersecurity safeguards on critical infrastructures, including the water and wastewater critical infrastructure, are summarised in Table 1. Table 1. International water-related cybersecurity implementation challenges.

Challenge Description Source
Supply chain compromises Third-party contractors and vendors are used as access vectors to the intended victim's computer networks. [12,48,52] Increased cyber connectivity Introduction of internet communication protocols to industrial control systems (ICSs) exposes them to security risks through the IT domain. [12,13,53] False sense of security by obscurity Older supervisory control and data acquisition (SCADA) systems were isolated from corporate IT networks. With increasing cyber connectivity, they become difficult to secure due to design for safety and performance. [53,54] Network misconfigurations Vulnerable computer network as a result of the misconfiguration of the firewall and related tools. [45,55,56] No media protection enforcement Data theft due to a lack of removable media policy enforcement. [57] Unsecured remote access Remote access to ICSs through untrusted devices, usually by third-party contractors and vendors increases cyber risk. [53,58] Undocumented policies and procedures Undocumented cybersecurity policies and procedures make enforcement and compliance difficult. This inevitably increases organisational cyber risk. [20,56] Untrained personnel Training and awareness of staff achieves significant cybersecurity improvements. The opposite also applies. [20,59,60] The above-mentioned challenges of implementing water-related and other critical infrastructure cybersecurity safeguards are mostly at an organisational level [61]. However, government policy and legislation and international cooperation on fighting cybercrime can help deter the would-be attackers in various ways. For example, they can regulate and help improve the information flows, enable collaborative interrelationships, highlight best practices for different sectors, track and monitor emerging cybersecurity technologies, and increase cyber risk awareness and training among citizens [26]. South Africa's national cybersecurity legislation and government policies are reviewed in this regard.

National System
To develop an effective cybersecurity strategy for the water and wastewater sector, it is prudent to first understand policy discussions at the national level [7]. On 23 March 2012, the NCPF was adopted by the South African Cabinet [36,[62][63][64] and gazetted by the Minister of State Security on 23 September 2015 [65]. As the national cybersecurity strategy, the NCPF has six key objectives that can be summarised as "centralise coordination of cybersecurity activities, by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge-based economy" [65] (p. 15). The NCPF's supporting legislation and policies were reviewed to determine where and how the water and wastewater sector fits in, if at all.
A review of the NCPF has since been done by various other researchers over the years, as detailed in Appendix A of this paper. Appendix A could have excluded all work published prior to September 2015, which was when the NCPF was officially gazetted. This is because, as discussed in later sections, some of the conclusions drawn from such work might currently be invalid or partially valid due to subsequent insertions, substitutions, and/or repeals of some pieces of legislation supporting the NCPF, notwithstanding the mergers and renaming of some government departments. However, it was decided that the essence of the content of some of the previous research work-such as stakeholders involved, coordination structure, and perceived gaps and challenges-remained relevant. Appendix A therefore includes the NCPF review work from 2013 onwards, that is, the period after which the South African Cabinet adopted the NCPF in 2012.

National Cybersecurity Stakeholders
Review work of the national cybersecurity stakeholders was conducted in Appendix A. Stakeholders that are mentioned multiple times in Appendix A are listed once below as either domestic or foreign. All other stakeholders are listed below without exception. It should thus be noted that not all of these are necessarily key stakeholders to the implementation of the national cybersecurity strategy. The domestic stakeholders relevant to the national cybersecurity endeavours as reviewed in Appendix A are as follows: The key national and domestic stakeholders as defined in the NCPF can be represented, as shown in Figure 1. As shown in Figure 1 and delineated in the NCPF, the key organs of state that play a critical role in the implementation of the cybersecurity strategy [65] are dominated by the Justice, Crime Prevention and Security (JCPS) cluster [66]. According to the Government of South Africa [67], the JCPS cluster is made up of the Presidency, the Ministry of Defence and Military Veterans, the Ministry of State Security, the Ministry of Justice and Correctional Services, the Ministry of Police, the Ministry of Home Affairs, the Ministry of International Relations and Cooperation, the Ministry of Finance, the Ministry of Small Business Development, the Ministry in the Presidency for Women, Youth and Persons with Disabilities, and the Ministry of Social Development. In Figure 1, the bidirectional arrows are not reporting lines. They represent information flow within and outside the national cybersecurity system. All other organs of state, including but not limited to those listed above, are required to align their cybersecurity and Information and Communications Technology (ICT) policies and practices with the NCPF [65]. Effectively, Figure 1 shows the cybersecurity coordination and management structure in South Africa. The coordination is performed by the JCPS Cybersecurity Response Committee (CRC) [67] that is operationally supported by the Cybersecurity Centre in the SSA [65]. This inter-ministerial All other organs of state, including but not limited to those listed above, are required to align their cybersecurity and Information and Communications Technology (ICT) policies and practices with the NCPF [65]. Effectively, Figure 1 shows the cybersecurity coordination and management structure in South Africa. The coordination is performed by the JCPS Cybersecurity Response Committee (CRC) [67] that is operationally supported by the Cybersecurity Centre in the SSA [65]. This inter-ministerial coordination is managed and facilitated through various pieces of legislation and government policies.

National Cybersecurity Legislation and Policies
Review work of legislation and government policies used for the implementation of the national cybersecurity strategy was conducted in Appendix A. Similarly, pieces of legislation and policies that are mentioned multiple times in Appendix A are listed once below. All other pieces of legislation and policy are listed below without exception. It is therefore acknowledged that not all of these are necessarily key cybersecurity legislation and policies for the implementation of the national cybersecurity strategy. It is also acknowledged that not all cybersecurity-relevant legislation and policies are reflected in Appendix A. For example, as mentioned in the NCPF [65], the Electronic Communications Security Proprietary (Pty) Limited (Ltd) Act 68 of 2002 was not reflected in the review work in Appendix A. Nonetheless, the legislation and policies relevant to the national cybersecurity endeavours as reviewed in Appendix A are as follows: Achievement of the six key objectives of South Africa's national cybersecurity strategy is therefore distributed among 37, and probably more, different pieces of legislation and government policies [37,38]. This is the legal framework for national cybersecurity governance and resilience in South Africa. Harmonising and aligning these [37] could make the currently complex coordination and management of the national cybersecurity endeavours [38] a bit easier. In addition to the Constitution [68], it would appear from Appendix A that seven pieces of legislation and government policies in particular are key to the implementation of the national cybersecurity strategy as they are repeatedly mentioned. These are shown in Figure 2  Review of the six individual pieces of legislation and one policy in Figure 2 revealed that some older laws-those enacted prior to the democratic dispensation in 1994-have since been repealed while others have been amended to respond to changing needs and to align with the country's constitution. It is worth highlighting a few of these in Table 2 as they relate to cybersecurity and cybercrimes in South Africa. Revised and approved as the Cybercrimes Bill by the National Council of Provinces on 1 July 2020. Review of the six individual pieces of legislation and one policy in Figure 2 revealed that some older laws-those enacted prior to the democratic dispensation in 1994-have since been repealed while others have been amended to respond to changing needs and to align with the country's constitution. It is worth highlighting a few of these in Table 2 as they relate to cybersecurity and cybercrimes in South Africa.

Monitoring and
There are many other repeals and amendments but those are beyond the scope of the study. However, as one of the key cybersecurity laws in South Africa, it is imperative to highlight that, as shown in Table 2, sections 85 to 88 (cybercrime offences) of the ECT Act [73] have since been repealed and substituted by sections 2 to 12 of the newly approved Cybercrimes Bill [69]. Moreover, section 89 (cybercrime penalties) of the ECT Act has also been amended as outlined in section 58 of the Cybercrimes Bill. A review of the NCPF also revealed a few implementation gaps and challenges.

National Cybersecurity Challenges
The review work in Appendix A revealed that, apart from the fact that the current coordination and management of the national cybersecurity strategy of South Africa is complex and should be simplified [37,38], a few challenges were identified. Although Appendix A revealed more than ten gaps and challenges, these can be aggregated into the ten described in Table 3. Table 2. National cybersecurity legislation amendments and repeals.

Legislation Current Status
Computer Some of the challenges in Table 3 are similar to those experienced in other countries, for example, the limited collaboration and information sharing among various sectors and inadequate cybersecurity skills in Turkey [75]. Identifying and classifying critical infrastructure and updating the inventory on a regular basis is a challenge [6]. This is highlighted by White [2] in regards to the USA's Department of Homeland Security's need to develop guidelines to classify critical infrastructure sectors. In the case of Turkey, what [75] found was that if a sector is predominantly managed by private entities, the general cybersecurity posture tends to be more mature, and vice versa. In the case of the USA, however, the Department of Homeland Security is not a private entity. Perhaps cybersecurity issues are not that straightforward as stakeholder roles and responsibilities are often not as obvious, and moreover, the required security levels are also difficult to define [76]. The complex nature of the current coordination and management of the national cybersecurity strategy [37,38] may not be unique to South Africa after all. It is, however, important to understand how the cybersecurity gaps and challenges in Table 3 impact the water and wastewater sector's cybersecurity responsibilities. In this regard, the water and wastewater legal context was reviewed to determine whether and how it addresses protection of the sector's critical cyber infrastructure.

Sector System
The Constitution of South Africa and specifically the Bill of Rights enshrines the basic human right to have access to adequate drinking water in section 27(1)(b), an environment that is not harmful to human health or well-being in section 24(a), and a healthy and safe environment in section 152(1)(d) [68]. These constitutional rights mandate the state in section 27(2) of the Constitution [68], through the Department of Water and Wastewater (DWS), to ensure that the water resources of the country are sustainably consumed and managed as well as protected [77]. Table 3. National cybersecurity challenges.

Challenge Description
Poor public-private partnerships track record There is generally a poor track record of inter-ministerial coordination of government projects. It becomes even complex when stakeholders from industry, civil society, and special interest groups are involved.

Insufficient technical cybersecurity skills and user awareness education in South Africa
Development of technical cybersecurity skills must be prioritised by government. Public user education and awareness are pertinent aspects to preventing spoofing and phishing related cybercrimes in the country.

Independent and uncoordinated cybersecurity awareness initiatives
Currently, disparate and uncoordinated cybersecurity awareness training initiatives do exist. An integrated and coordinated approach to educating the public digital user about the dangers of cyberspace would be more effective.

Missing sector CSIRTs
With the exception of the banking sector which has the South African Banking Risk Information Centre (SABRIC), missing sector CSIRTs refers to the absence of CSIRTs in major sectors of the country, for example, in the mining, aviation, and agricultural sectors. These would be effective in sector information sharing and national coordination of cybersecurity incident responses.

Requirement for the establishment of new and dedicated cybersecurity institutions
The most critical cyber threats in South Africa are to the national critical infrastructure, intelligence agencies, and military. While the military and intelligence agencies are to some degree equipped to tackle cybersecurity, the provincial and local governments as well as the private sector operate and manage the vast majority of the national critical infrastructure. These entities must also be equipped to effectively protect the national critical infrastructure in a coordinated manner. This warrants the establishment of new and dedicated cybersecurity institutions.

Implementation of critical infrastructure protection still in abeyance
Protection of critical infrastructure is key in advanced cybersecurity strategies and must include strategies for cyber resilience and crisis management.
Regulations are yet to be promulgated to implement the Critical Infrastructure Act.
Outstanding commitment to existing security conventions

Water Stakeholders
Two water and sanitation strategic documents were reviewed to identify the stakeholders legally mandated to provide water and wastewater services in South Africa. These are the national water and sanitation master plan [78] and the latest Department of Water and Sanitation (DWS) annual report [77]. In these two documents, the key water and wastewater stakeholders from the public sector and their roles and responsibilities are clearly defined. The following are the identified key stakeholders in the water and wastewater sector of South Africa [77,78] Note that the water boards/regional water utilities, catchment management agencies, water service authorities, water service providers and water-user associations are stakeholder categories that represent many water organisational entities. For example, the water service providers category includes both the public and private sector entities. Thus, the stakeholder categories above are representative of all the key stakeholders in the water and wastewater sector of South Africa. In addition to the stakeholders, the appropriate water legal framework is required for ensuring that the water resources of the country are sustainably consumed, managed, and protected.

Water Legislation and Policies
Sources from [79][80][81][82] were reviewed to identify legislation and policies governing the water and wastewater sector of South Africa. Similar pieces of legislation and government policies in the sources were listed once below. All other pieces of legislation and policies are listed without exception below: The words "secure", "security" and "protection" were searched in each of the pieces of legislation and policies above. The idea was to determine if and whether provisions for cyber critical infrastructure protection are made. The review revealed water cybersecurity gaps and challenges as discussed in the next section.

Water Cyber Critical Infrastructure Protection Challenges
A review of the legislation and policies identified in the previous section revealed that their purposes are essentially about providing for an integrated water resources management agenda [83]; a technique for planning, monitoring, and managing water resources in a coordinated manner. The legislation and policies contain nothing relating to the protection of critical cyber and physical infrastructure as described in Table 4. Table 4. Water cyber critical infrastructure protection challenges.

Challenge Description
National Water Act provides for protection of raw water This does not refer to the protection of raw water cyber critical infrastructure. Instead, it refers to the planning, monitoring and managing of water resources in a coordinated manner.

The Strategic Framework on Water Services of 2003 provides for protection of water assets
This does not refer to the cyber protection of water assets. Instead, it refers to the repair, maintenance, and rehabilitation of water systems. Table 4 indicates that the closest reference to some kind of protection is in the National Water Act, which in addition to the protection of raw water in South Africa, provides for the governance of raw water, including the development, consumption, management, and control of aquatic ecosystems [78]. The Strategic Framework on Water Services of 2003 also mentions protection of water assets albeit as it pertains to the repair, maintenance, and rehabilitation of water systems. Therefore, no provision for critical cyber and physical infrastructure protection is made in all the water and wastewater legislation and policies. A review of the existing international, national, and sector (water and wastewater) cybersecurity legislative and policy environments has been conducted in this section. The review identified the national and water and wastewater sector cybersecurity gaps and challenges. What is not clear thus far is how the water and wastewater sector interrelates with the national cybersecurity legislative and policy environment.

Systems Interrelationships
The previous sections discussed three interdependent cybersecurity systems, each with its own unique purpose. These were the international, national, and sector cybersecurity systems. The interdependent relationships between these dynamic systems as well as how they can interoperate effectively is illustrated in Figure 3 as derived from [26].
The arrows in Figure 3 represent cybersecurity information flow within and between the three interdependent systems. Clough [33] indicated that nation states should put in place domestic legislation that is conducive for international cooperation such as the Budapest Convention. Coleman [39] concurs with this and argues that collaborations such as the AU Convention on Cyber Security and Personal Data Protection provide a legal template that could be aligned with but also customised according to domestic legislation and policy requirements. This indicates that the dynamic relationships within and between the three systems are governed by legislation and government policy. While the international and national systems in Figure 3 have clear cybersecurity-related policies and/or legislation, no cybersecurity-related legislation and/or government policy is defined specifically for the water and wastewater sector. By utilising the systems thinking approach, the interrelationships between the water and wastewater sector (sector system  Figure 3) and national cybersecurity legislative and policy environment (national system in Figure 3) were examined further. The research methodology on how to achieve this is described in the next section. cybersecurity gaps and challenges. What is not clear thus far is how the water and wastewater sector interrelates with the national cybersecurity legislative and policy environment.

Systems Interrelationships
The previous sections discussed three interdependent cybersecurity systems, each with its own unique purpose. These were the international, national, and sector cybersecurity systems. The interdependent relationships between these dynamic systems as well as how they can interoperate effectively is illustrated in Figure 3 as derived from [26]. The arrows in Figure 3 represent cybersecurity information flow within and between the three interdependent systems. Clough [33] indicated that nation states should put in place domestic legislation that is conducive for international cooperation such as the Budapest Convention. Coleman [39] concurs with this and argues that collaborations such as the AU Convention on Cyber Security and Personal Data Protection provide a legal template that could be aligned with but also customised according to domestic legislation and policy requirements. This indicates that the dynamic relationships within and between the three systems are governed by legislation and government policy. While the international and national systems in Figure 3 have clear cybersecurity-related policies and/or legislation, no cybersecurity-related legislation and/or government policy is defined specifically for the water and wastewater sector. By utilising the systems thinking approach, the interrelationships between the water and wastewater sector (sector system in Figure 3) and national cybersecurity legislative and policy environment (national system in Figure 3) were examined further. The research methodology on how to achieve this is described in the next section.

Materials and Methods
The systems thinking approach [84,85] is employed to achieve the research aim of this study. The approach is deemed suitable as it helps examine dynamic patterns and

Materials and Methods
The systems thinking approach [84,85] is employed to achieve the research aim of this study. The approach is deemed suitable as it helps examine dynamic patterns and events by holistically focusing on the interrelationships between a system's parts rather than seeing the constituent parts as static, standalone, and unrelated elements [84,85]. It is an analysis tool to identify and understand how the parts interconnect within the entire system [86]. This is especially useful when considering the complex nature of government policy and the different parties involved in effecting legislation. In this study, a system is perceived as a group of interdependent elements assembled to create an emergent character or behaviour of the group as a whole [22,23,87,88]. As shown in Figure 4, the national cybersecurity strategy of South Africa is considered a system in this study, and its underlying structure comprises three main parts: (i) Function; (ii) Elements; and (iii) Interconnections.
Firstly, the stated function of a system is its purpose, which sets out how that system is expected to behave [87]. Altering the function of a system has the greatest impact on the entire system and may render it unrecognisable [84]. Secondly, the elements of a system are the most visible and are the actors in the system [87]. It is however acknowledged that some elements can be more important than others [84]. Changing system elements has the least impact on a system [84], provided that the function of the system remain unaltered [87]. Thirdly, interconnections are oftentimes harder to see but more critical in the system than elements [84,87]. They are the signals that enable one element of a system to respond to other elements through action or decision points [84]. Oftentimes, interconnections are not physical flows [84,87], but rather the flow of influences, energy, or information inside and outside the system as it strives towards a state of equilibrium [22,23]. The interconnections of a system's elements are configured in such a way as to generate their own characteristic or emergent behaviour, which may start to differ from the espoused or defined purpose [22,84,87]-which is why systems are firm and very difficult to change [89].
system [86]. This is especially useful when considering the complex nature of government policy and the different parties involved in effecting legislation. In this study, a system is perceived as a group of interdependent elements assembled to create an emergent character or behaviour of the group as a whole [22,23,87,88]. As shown in Figure 4, the national cybersecurity strategy of South Africa is considered a system in this study, and its underlying structure comprises three main parts: (i) Function; (ii) Elements; and (iii) Interconnections. Firstly, the stated function of a system is its purpose, which sets out how that system is expected to behave [87]. Altering the function of a system has the greatest impact on the entire system and may render it unrecognisable [84]. Secondly, the elements of a system are the most visible and are the actors in the system [87]. It is however acknowledged that some elements can be more important than others [84]. Changing system elements has the least impact on a system [84], provided that the function of the system remain unaltered [87]. Thirdly, interconnections are oftentimes harder to see but more critical in the system than elements [84,87]. They are the signals that enable one element of a system to respond to other elements through action or decision points [84]. Oftentimes, interconnections are not physical flows [84,87], but rather the flow of influences, energy, or information inside and outside the system as it strives towards a state of equilibrium [22,23]. The interconnections of a system's elements are configured in such a way as to generate their own characteristic or emergent behaviour, which may start to differ from the espoused or defined purpose [22,84,87]-which is why systems are firm and very difficult to change [89]. In addition to system elements/actors, interconnections and function, three more parts make up a system [84]: (i) Stocks, which are the snapshots or historical views of a system, showing the changing flows in the system; (ii) Flows, which are the inflow and outflow activities of a system impacting the levels of stock; and (iii) Feedback loops, which occur when a change-reinforcing or balancing loop [85]-in stock levels leads to In addition to system elements/actors, interconnections and function, three more parts make up a system [84]: (i) Stocks, which are the snapshots or historical views of a system, showing the changing flows in the system; (ii) Flows, which are the inflow and outflow activities of a system impacting the levels of stock; and (iii) Feedback loops, which occur when a change-reinforcing or balancing loop [85]-in stock levels leads to additional positive or negative changes [84,87,89,90]. However, these did not form the central aim of the study. To closely examine the interrelationships between the water and wastewater sector and national cybersecurity legislative and policy environment, the four steps in Figure 4 are sequentially operationalised.
Ultimately, the goal of a systems thinking approach is leverage-identifying where changes and concomitant actions in the underlying structure of a system can result in significant and lasting improvements [86]. In the next section, a review of the national and sector cybersecurity literature is conducted to identify the underlying structure of the national cybersecurity system. This should shed light on the key stakeholders and government policies and legislation required to realise significant and lasting improvements to national and, more specifically, water and wastewater sector, cybersecurity endeavours.

Results
In this study, South Africa's water and wastewater sector and the national cybersecurity legislative and policy environment were analysed. The analysis was conducted to contextualise the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislative and policy environment and determine whether there is a need to propose any new legislation and/or policies, or amend existing ones, to address cybersecurity requirements of the sector. The findings are summarised in Table 5.
In Table 5, the "international cybersecurity system" means the international laws and stakeholders on fighting cybercrime, and the "national cybersecurity system" means the South African cybersecurity legislative and policy environment inclusive of key stakeholders. Similarly, the "water and wastewater sector as a system" means the water and wastewater legislative and policy environment inclusive of the sector's key stakeholders, and the "water and wastewater sector as a stakeholder" means the sector as one of the Sustainability 2021, 13, 291 16 of 33 key stakeholders within the national cybersecurity system. The findings in Table 5 are discussed in the next four sections.

Identify the National Cybersecurity System Function, Actors and Interconnections
The purpose of this analysis exercise was to identify key national cybersecurity stakeholders (actors) responsible for the implementation of the six key objectives of the national cybersecurity (function), as well as to identify legislation and policies (interconnections) governing the interrelationships among stakeholders. The function of the national cybersecurity strategy has already been defined in Section 2.2 as to "centralise coordination of cybersecurity activities, by facilitating the establishment of relevant structures, policy frameworks and strategies in support of cybersecurity in order to combat cybercrime, address national security imperatives and to enhance the information society and knowledge-based economy" [65] (p. 15). On the one hand, the national cybersecurity strategy function is implemented by domestic stakeholders such as the SSA, SAPS, and DCDT supported by foreign stakeholders such as the African Union, Interpol, and FIRST. The national cybersecurity stakeholders are the defined actors or elements of the national cybersecurity system.
On the other hand, six key pieces of legislation-such as the ECT Act, Cybercrimes Bill, and POPI Act-and one policy, the NCPF, were found to determine the interrelationships among the stakeholders in the national cybersecurity system. These are the interconnections of the national cybersecurity legislative and policy environment. As argued by Sutherland [38] and Detecon [37], the current coordination and management of the national cybersecurity programme is complex. To demonstrate how complex the current implementation of the national cybersecurity strategy is, a few gaps and challenges were identified in the national cybersecurity legislation and policy environment. These are summarised as follows: • Subsections 16.4(b) and 16.4(c) of the NCPF mandate the DCDT to establish the National Cybersecurity Advisory Council and Cybersecurity Hub, which in turn is tasked to encourage and facilitate the establishment of industry CSIRTs, whereas Chapter 12 of the ECT Act mandates the same government department to establish a Cyber Inspectorate unit and appoint cyber inspectors. Firstly, no Cyber Inspectorate unit has ever been established and no cyber inspectors were ever appointed to date. Secondly, except for the banking industry, which has SABRIC, there are few other industry CSIRTs, even those are not actively coordinated for information sharing and incidents recording in a national database. Lastly, the National Cybersecurity Advisory Council is non-existent or at least its activities, if any, are not visible.

•
The NCPF recognises and encourages cybersecurity education for technical skills development, user awareness campaigns, and research and development in Section 2.7 of the policy. However, there are no visible and coordinated nation-wide activities to address insufficient technical cybersecurity skills and user awareness campaigns in the country.

•
The CIPA provides for infrastructure resilience, albeit without explicitly stating whether this includes cyber resiliency. Moreover, the SAPS is yet to develop regulations to implement the Act. • Despite the existence of the different pieces of cybersecurity-related legislation and policies, there seems to be a lack of capacity and capability by law enforcement agencies in fighting cybercrimes in South Africa.

Identify the Water and Wastewater System Function, Actors and Interconnections
The purpose of this analysis exercise was to identify all the important stakeholders (actors) for the provision of quality water and wastewater services as well as cyber protection of the water infrastructure (function), which legislation and policies (interconnections) are responsible for the functions, and whether these delineate cybersecurity-related roles and responsibilities. On the one hand, the key stakeholders, such as the DWS, water boards and Trans-Caledon Tunnel Authority responsible for the provision of quality water and wastewater services, were identified in Section 2.3.1. On the other hand, pieces of legislation, such as the National Water Act, Water Services Act and Water Research Act, and policy, such as the National Water and Wastewater Master Plan, were identified in Section 2.3.2. These determine the interrelationships among the stakeholders in the water and wastewater sector for the provision of quality water and wastewater services. However, further analysis revealed that no cybersecurity-related roles and responsibilities are defined in the water and wastewater sector legislation and policies. This means that the water and wastewater sector is what SEBoK Editorial Board [88] refers to as an independent system (see sector system in Figure 3) comprised of its own components configured in such a way as to achieve its unique purpose within the national system.

Identify the Water and Wastewater System as an Actor in the National Cybersecurity System
The purpose of this analysis exercise was to identify which of the national cybersecurity stakeholders represent the water and wastewater sector. Analysis revealed that the Public sector CSIRTs in the 'OTHER ORGANS OF STATE' block in Figure 5 represents the water and wastewater sector as an actor or stakeholder within the bigger national cybersecurity system. Moreover, all national, provincial, and local government departments as well as state-owned entities are also represented by the public sector CSIRTs. As shown in Figure 5, the public sector CSIRTs have a direct interconnected relationship with the ECS-CSIRT located in the SSA.
According to Sutherland [38], the ECS-CSIRT is actually Electronic Communications Security (Pty) Ltd. or COMSEC Pty Ltd., a private enterprise established in 2002 and mandated by the SSA to ensure protection of critical electronic communications. Like many other public sector and industry CSIRTs, the water and wastewater sector CSIRT is yet to be established. Since no cybersecurity-related roles and responsibilities are defined in the water and wastewater legislative and policy environment, only one option is left: the national cybersecurity legislative and policy environment. To determine whether and how the existing national cybersecurity legislative and policy environment delineates the water and wastewater cybersecurity responsibilities, the interconnected relationships between the two systems were analysed.

Analyse Interrelations between the Water and Wastewater and National Cybersecurity Systems
The purpose of this analysis exercise was to determine if and whether the existing national cybersecurity legislation and government policies delineate water and wastewater cybersecurity role and responsibilities. It was found that the water and wastewater legislation and policies give no provision for the sector's critical cyber and physical infrastructure protection. Instead, analysis revealed that the cybersecurity roles and responsibilities to provide for the sector's critical cyber and physical infrastructure protection, and indeed those of other sectors, are drawn mainly from the NCPF [65], Cybercrimes Bill [69], CIPA [70], POPI Act [71], RICA [72], ECT Act [73], and PAIA [74]. For example, the NCPF states that the SSA shall, among other things, be required to "initiate and lead a process" [65] (p. 27) for the establishment of public sector CSIRTs while the Cybersecurity Hub at the DCDT should do the same with private sector CSIRTs and civil society stakeholders [65] (p. 18).

Identify the Water and Wastewater System as an Actor in the National Cybersecuri
The purpose of this analysis exercise was to identify which of the cybersecurity stakeholders represent the water and wastewater sector. Analysis that the Public sector CSIRTs in the 'OTHER ORGANS OF STATE' block in represents the water and wastewater sector as an actor or stakeholder within th national cybersecurity system. Moreover, all national, provincial, and local gov departments as well as state-owned entities are also represented by the pub CSIRTs. As shown in Figure 5, the public sector CSIRTs have a direct interc relationship with the ECS-CSIRT located in the SSA. According to Sutherland [38], the ECS-CSIRT is actually Electronic Commu Security (Pty) Ltd. or COMSEC Pty Ltd., a private enterprise established in mandated by the SSA to ensure protection of critical electronic communicatio many other public sector and industry CSIRTs, the water and wastewater sector yet to be established. Since no cybersecurity-related roles and responsibilities ar in the water and wastewater legislative and policy environment, only one optio the national cybersecurity legislative and policy environment. To determine whe how the existing national cybersecurity legislative and policy environment delin water and wastewater cybersecurity responsibilities, the interconnected rela between the two systems were analysed.

Analyse Interrelations between the Water and Wastewater and National Cybersecu Systems
The purpose of this analysis exercise was to determine if and whether the national cybersecurity legislation and government policies delineate wa wastewater cybersecurity role and responsibilities. It was found that the w wastewater legislation and policies give no provision for the sector's critical c physical infrastructure protection. Instead, analysis revealed that the cybersecu and responsibilities to provide for the sector's critical cyber and physical infra protection, and indeed those of other sectors, are drawn mainly from the NC Cybercrimes Bill [69], CIPA [70], POPI Act [71], RICA [72], ECT Act [73], and P For example, the NCPF states that the SSA shall, among other things, be req "initiate and lead a process" [65] (p. 27) for the establishment of public secto It has already been established in the previous section that the water and wastewater sector is represented by the public sector CSIRTs block in the national cybersecurity governance structure. The cybersecurity roles and responsibilities of sector CSIRTs are delineated in Section 6.3.6 of the NCPF and require, among others, that sector CSIRTs "establish national security standards and best practices for the sector in consultation with the Cybersecurity Centre (located in the Ministry of State Security) and the JCPS CRC, which are consistent with guidelines, standards and best practices developed in line with the NCPF" [65] (pp. [18][19]. Along with other defined roles, this role interconnects the water and wastewater sector as an actor with other stakeholders or actors/elements inside and outside the national cybersecurity system to achieve the nation's function or purpose of securing against cyberattacks. Additionally, cybercrimes and concomitant penalties from such cyberattacks are defined in the Cybercrimes Bill and ECT Act as supported by other mentioned key legislation and policies. These are the interconnections of the national cybersecurity and water and wastewater systems. Therefore, the water and wastewater system's cybersecurity purpose, stakeholders, and legislation and policies are only defined when the sector is an actor-public sector CSIRT-within the national cybersecurity system. The ramifications of these findings as they pertain to the aim of the study are therefore discussed in detail.

Discussion
The aim of this study was to contextualise the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislative and policy environment. To achieve the aim, systems thinking was adopted to analyse the purpose or function of both the national cybersecurity and water and wastewater systems, stakeholders involved to achieve the functions, and stakeholder interrelation. The ramifications of the study findings are discussed under two headings: (i) National cybersecurity legislative and policy environment; and (ii) Water and wastewater legislative and policy environment.
National cybersecurity legislative and policy environment. The study findings indicate that the function of the national cybersecurity system is clearly defined in the NCPF. The purpose of the national cybersecurity strategy is therefore very clear. According to Meadows [84], altering the function of a system has the greatest impact on the entire system and may render it unrecognisable. This means that changing the purpose of the national cybersecurity strategy has the greatest impact on the entire national cybersecurity programme. The findings also indicated that the JCPS CRC was established to oversee the implementation of the national cybersecurity strategy by ensuring consistency with guidelines, standards and best practices developed in the NCPF. The JCPS CRC is the key stakeholder or element/actor in the national cybersecurity system. Although it is acknowledged that some key stakeholders can indeed be more important than others [84], systems thinking indicates that changing individual stakeholders should have the least impact on the national cybersecurity programme provided that the purpose and legislation and policies remain unaltered. This means that stakeholders implementing the national cybersecurity strategy, including individual members of the JCPS CRC, can be changed without having a noticeable impact on the overall purpose of the programme.
Furthermore, the findings indicated that the flow of information among and between the national cybersecurity stakeholders is governed by legislation and policies such as the Cybercrimes Bill, CIPA, ECT Act, NCPF, POPI Act, RICA, and PAIA. In terms of international cybersecurity cooperation, South Africa is yet to ratify the Budapest Convention of 2001 as of 10 November 2020 [35]. That leaves Interpol and extradition treaties between South Africa and other countries as the only available international cooperation mechanisms to fight cybercrimes perpetrated outside its jurisdiction. Systems thinking indicates that each legislation and/or policy interconnects stakeholders in such a way that it could generate its own characteristic or emergent behaviour, which may start to differ from the espoused or defined purpose of the national cybersecurity strategy. This means that amending or repealing cybersecurity-related legislation and government policy could have significant impact on the overall purpose and performance of the national cybersecurity programme. This is why it was important to dig deeper to understand the interconnected relationships among the stakeholders involved and the impact these relationships have on the overall purpose and performance of the national cybersecurity programme. What the findings show is that a seamless coordinated effort is required to implement the national cybersecurity strategy. The argument that government has a below par performance record when it comes to the implementation of policies involving several government stakeholders and requiring public-private partnerships [91] is not encouraging. It was also found that the no less that 37 different pieces of legislation and policies led to further implementation gaps and challenges. The ramifications of these gaps and challenges, which also impact on the water and wastewater sector's cybersecurity responsibilities, are fourfold.
Firstly, since the enactment of the ECT Act in 2002, the DCDT has failed to establish the Cyber Inspectorate unit and appoint cyber inspectors, failed to report any activities by the National Cybersecurity Advisory Council, if any, and progresses slowly to ensure the establishment of industry and sector CSIRTs as stipulated in the NCPF since it was gazetted in 2015. All these shortcomings point to a lack either of capacity or capability by the DCDT, or a combination of both.
Secondly, tasked to be the national structure dedicated to cybersecurity activities, including cybersecurity technical skills and user awareness campaigns and engagement with the private sector and civil society, the DCDT's Cybersecurity Hub is visibly absent in the coordination of these activities. As already alluded to by Detecon [37] and corroborated by Gcaza [92], cybersecurity awareness and education have proven to be effective in significantly reducing the risk of a security breach. This is because awareness and education prepare technical experts to put proactive safeguards in place, and ordinary end-users to be consciously alert. The case in point on the importance of cybersecurity awareness and education is the data breach at Experian South Africa, a credit records organisation, where a database containing personal details of approximately 24 million consumers and nearly 800,000 businesses was willingly handed over to a fraudster [93] as a result of a social engineering attack. Thus, the national government, and in particular the water and wastewater sector, should develop a strategy to embark on a coordinated effort to achieving the required sector cybersecurity skillset. This investment is fully supported and encouraged in Section 2.7 of the NCPF. This lack of visible and strategic coordination by the Cybersecurity Hub also points to a lack either of capacity or capability within the DCDT.
Thirdly, the regulations to promulgate the CIPA had not yet been gazetted by the SAPS at the time of writing. In terms of the transitional arrangements in the Act, Parliament must first approve the SAPS draft regulations. Until that happens, the Act is held in abeyance [94]. In this regard, it is not yet clear which national assets per sector, including the water and wastewater sector, will be identified and classified as national critical infrastructure. Perhaps when the CIPA regulations are gazetted, the roles, responsibilities, and accountability of different parties will be defined to also include cyber resilience. As argued by Mutemwa [66], a good cybersecurity strategy should also include cyber resilience in addition to cyber defence policies and capabilities. A cyber resilience strategy helps shift from a retroactive to a more proactive approach [95]. As matters currently stand, the CIPA merely promises to enable the protection and safeguarding of critical infrastructure to achieve resiliency. How that critical infrastructure resilience is going to be achieved with cooperation between government and the private sector remains unclear.
Lastly, the findings suggest a clear lack of capacity and capability by law enforcement agencies in fighting cybercrimes in the country. This might require a coordinated cybercrimes skills development collaboration programme with international stakeholders such as Interpol and similar others to help bridge the gaps in the short term. In addition to all the matters considered above relating to the national cybersecurity legislation and policy environment, there is another concern: It would appear that the national cybersecurity strategy is primarily more defensive [8], and thus retroactive, than offensive which requires proactiveness [96]. It is more passive and static than proactive. Under international laws, any sovereign state has the right to defend itself against adversarial actors [96]. As the national cybersecurity policy overarching both the DoD's Defence Review and Cyber Warfare Strategy, the NCPF does not explicitly state whether South Africa would execute cyber offence strategies in response to a cyberattack. Even in its delineation of the role and responsibilities of the DoD, the NCPF refers to the development of a "Cyber Defence Strategy, that is informed by the National Security Strategy of South Africa" [65] (p. 24). Defence (retroactive approach) seems to be our cybersecurity strategy as opposed to adopting an offensive (proactive approach) or a combination of both strategies.
In spite of these national cybersecurity challenges, the Cybercrimes Bill, CIPA, ECT Act, NCPF, POPI Act, RICA, and PAIA, together with other cybersecurity-relevant legislation and policies, are drafted in such a way as to address the cybersecurity requirements of the water and wastewater sector without the need to propose any new legislation and/or policies or amend existing ones. All the sector needs to do is to encourage member organisations to align their ICT policies and cybersecurity practices with the NCPF to address cyber risks and water-related cybersecurity implementation challenges such as those highlighted in Table 1.
Water and wastewater legislative and policy environment. The study findings indicate that the water and wastewater sector has two functions fulfilled through two different stakeholder responsibilities. The first function is that the water and wastewater sector is mandated to supply quality water and wastewater services to the nation. This function or purpose is achieved through the water and wastewater sector as an independent system comprised of its own stakeholders (system elements/actors)-such as DWS, water boards, and Trans-Caledon Tunnel Authority)-and legislation and policies (interconnections) -such as the National Water Act, Water Services Act, and National Water and Wastewater Master Plan. The second function is that the water and wastewater sector has national cybersecurity responsibilities. This function is achieved by the water and wastewater sector as a stakeholder-public sector CSIRT-in the bigger national cybersecurity system. The public sector CSIRT cybersecurity responsibilities of the water and wastewater sector are defined in Section 6.3.6 of the NCPF [65].
The findings also indicated that the public sector CSIRT will report to the national CSIRT or ECS-CSIRT in the SSA. It is not clear whether the ECS-CSIRT caters for both corporate IT and ICS cybersecurity services nor how, specifically, it helps the public sector CSIRTs as it claims on its website. The roles and responsibilities defined in the NCPF [65] (pp. [18][19] further require that the Cybersecurity Centre located in the SSA be consulted by public sector CSIRTs when establishing national security standards and best practices for their sectors. The question is, what is the relationship between the Cybersecurity Centre and ECS-CSIRT, both located in the SSA? Is COMSEC (Pty) Ltd. now the Cybersecurity Centre? Are they different? To reiterate Sutherland's [38] point, perhaps this is what contributes to the complex manner in which the national cybersecurity strategy of South Africa is being implemented. Nonetheless, it has already been proven that the existing national cybersecurity legislative and policy environment provides for the establishment of the water and wastewater sector-specific CSIRT without the need to propose any new laws or amend existing ones. However, this is based on the assumption that the DWS will host the CSIRT on behalf of the entire sector. Whether this is the best way to do it is a separate discussion. Alignment of the sector's ICT policies and cybersecurity practices with the NCPF is enough to establish a CSIRT that will be hosted at the DWS.
By understanding the dynamic nature of its interconnected relationships [23,85,97] among various stakeholders, the water and wastewater sector is therefore immediately able to develop its own cybersecurity governance framework and resilience strategy as illustrated in Figure 6. ICT policies and cybersecurity practices with the NCPF is enough to establish a CSIR that will be hosted at the DWS. By understanding the dynamic nature of its interconnected relationships [23,85,97 among various stakeholders, the water and wastewater sector is therefore immediatel able to develop its own cybersecurity governance framework and resilience strategy a illustrated in Figure 6. De Jong et al. [98] assert that outsiders usually offer creative and innovative polic inputs that can lead to a better understanding of societal challenges. This approach yield better policy decisions with more realistic judgements of the advantages an disadvantages of potential policy measures [98,99]. The water and wastewater secto De Jong et al. [98] assert that outsiders usually offer creative and innovative policy inputs that can lead to a better understanding of societal challenges. This approach yields better policy decisions with more realistic judgements of the advantages and disadvantages of potential policy measures [98,99]. The water and wastewater sector should therefore be as collaborative with "outsiders" such as the JCPS CRC, Cybersecurity Hub in the DCDT, and Cybersecurity Centre in the SSA and as representative (among its member organisations) as possible in order to attain, through better policy decisions, the desired level of sector cybersecurity resiliency against cyber threats and attacks. In this regard, policy recommendations are proposed as outlined in the next section.

Recommendations
The study has a few recommendations regarding the national cybersecurity legislation and policy environment and the water and wastewater sector's cybersecurity responsibilities within this legal context. Firstly, regarding the national cybersecurity legislation and policy environment, the following are recommended:

•
The National Cybersecurity Advisory Council, and/or Cybersecurity Hub, and/or Cyber Inspectorate unit should either be moved from the DCDT, or their operating models and mandates be reviewed, or a combination of both.

•
The Critical Infrastructure Protection Act should be amended to explicitly include "cyber" and/or "digital or information" infrastructure in its definitions of "infrastructure" and "critical infrastructure" terms.

•
To boost capacity and capability in fighting cybercrimes in the sort-term, South African law enforcement agencies may need to partner with international stakeholders such as Interpol and similar others to develop cybercrimes and digital forensics skills. For medium to long term solutions, the law enforcement agencies should recruit the best and brightest students with passion and a keen interest in cybercrimes and digital forensics from local universities.
Lastly, regarding the water and wastewater sector's cybersecurity responsibilities within the national cybersecurity legislation and policy environment, the following are recommended: • Establish a sector computer security incidents response team. Establish the national water CSIRT that will have specialist teams serving both the IT and ICS cybersecurity requirements to help formulate and implement the cybersecurity governance framework, resilience strategy, and education and awareness campaigns. Although the establishment of the CSIRT to be hosted at the DWS requires no development of new legislation and/or policies or amendments of existing ones, the authors recommend that a sector-specific agency be established. This would indeed require either the development of a new piece of legislation or amendment of the CIPA and probably the National Water Act. The rationale behind this recommendation is based on international best practices where it would appear that sector-specific agencies for each classified critical infrastructure sector are the best way to look after the cybersecurity requirements of a sector.

Conclusions
The national cybersecurity strategy is a system mainly comprising stakeholders from the justice, crime prevention, and security cluster of South Africa. However, industry, civil society, and other government entities such as the water and wastewater sector are recognised as important stakeholders in the national cybersecurity system. A systems thinking approach was employed to analyse the national cybersecurity and water and wastewater systems. Through the stated stakeholders (system elements/actors) and legislation and policies (system interconnections), the ultimate purpose (system function) of the national cybersecurity system was found to be the establishment of a conducive environment and the provision of guidelines, standards, and best-practices for key cybersecurity stakeholders in South Africa. The interconnected relationships among these key stakeholders were found to be determined largely by the Cybercrimes Bill, CIPA, ECT Act, NCPF, POPI Act, RICA and PAIA in particular, and other cybersecurity-relevant pieces of legislation and policies.
It is concluded that the water and wastewater sector can immediately address its cybersecurity requirements without the need to propose any new legislation and/or government policies or amend existing ones. The aim of the study has therefore been achieved. But the water and wastewater sector will need to identify where changes and concomitant actions in the underlying structure of the national cybersecurity system can result in significant and lasting improvements for the sector. This can only be achieved by establishing a sector CSIRT that should continuously monitor the changes in the underlying structure of the national cybersecurity programme. This is especially important as changing cybersecurityrelevant legislation and policies greatly impact the entire national cybersecurity system, including the water and wastewater sector's cybersecurity responsibilities.
Future research work could use systems thinking or system dynamics to analyse the impact of the national cybersecurity legislation and policies in South Africa since 2015.
Other research projects could explore the recommendations discussed above. Moreover, a review of how other countries deal with cybersecurity in the water and wastewater sector in contrast to South Africa should form part of future research works. After all, the exchange of international experiences is crucial in the advancement of cybersecurity practices. As the country embarks on a digital transformation strategy future research could look at related challenges in the water and wastewater sector. For example, noting that some municipalities have already embarked upon installing smart meters, legislation and policies governing security and privacy of smart water meters and other Internet of Things (smart) devices could be explored.  Institutional Review Board Statement: Not applicable for studies not involving humans or animals.

Informed Consent Statement:
Not applicable for studies not involving humans or animals.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A Analysis of the National Cybersecurity Policy Framework System
A literature review of the previous analysis work on the National Cybersecurity Policy Framework (NCPF) was conducted in this appendix. This looked at mainly the stakeholders involved, legislation and policies underpinning the national cybersecurity strategy, and challenges in the implementation of the NCPF. In the current configuration, the cybersecurity and cybercrime legal framework is spread among very different pieces of legislation. Aligning these would improve predictability and transparency of the policies.

•
There is a lack of technical cybersecurity skills in government to enable the Cybersecurity Hub to assume the role of a national CERT. Skills development must be prioritised by government in this regard. • A lack of user cybersecurity education and awareness in the general public exacerbates spoofing and phishing related cybercrimes as these are not generally associated with inadequate technical safeguards. • Implementation of a national cybersecurity programme requires sound expertise in several disciplines, and this is lacking in government. This includes commitment and guidance from the top echelons of government, availability and development of the required cybersecurity expert level, and continuous cybersecurity awareness campaigns for the general public.

Legislation and Policies (Interconnections)
Gaps or Identified Challenges [104] • NCPF • In South Africa, cybersecurity awareness initiatives are rolled out through a variety of independent and uncoordinated mechanisms. An integrated and coordinated approach would be effective.