Security target

The threat of terrorism and cybercrime are among the emerging risks against which Veolia must protect itself on a daily basis.
A closer look at the actions implemented by the Group to ensure the security of its own and its clients’ facilities.

The threat of terrorism and cybercrime are among the emerging risks against which Veolia must protect itself on a daily basis.
A closer look at the actions implemented by the Group to ensure the security of its own and its clients’ facilities.

As an operator of essential services, the safety of employees, consumers and facilities is a priority for Veolia. For this reason, the Group created a Security division in 2013. “It was a decision made by the CEO, Antoine Frérot, who wanted to make security one of the Group’s key values,” states Jean-Louis Fiamenghi, the former head of the elite French police unit RAID, and now Veolia’s Security Director. The priority given to security within the Group was reinforced even further after the attacks committed in France in 2015 and 2016.

Risk management

Jean-Louis Fiamenghi, Veolia's Security Director

We are putting in place a plan designed to warn us of cyber attacks, along with protective measures.
Above all, risks must be prioritized. The first concern relates to members of staff working in relatively unsafe countries. Following the attacks in Karachi (Pakistan) in 2002, which caused the death of eleven employees from the Naval Construction Division (NCD), measures have been taken by many companies to strengthen their teams’ safety. This applies not only during working hours, but also in the wider context of their mission, at the hotel or even during their leisure time.
To ensure the security of missions by Veolia’s employees and expatriates, the Group’s Security division notably carries out risk mapping on a country-by-country basis, in collaboration with the French Ministry of Foreign Affairs. For Veolia, over thirty countries have thus been identified as at-risk areas, threatened by terrorism, delinquency or public order troubles, especially in the event of unstable political regimes.
The Group works in close concertation with the French embassies’ security attachés. “We have our own security plan, linked to that of the French embassy, which concerns all listed nationals,” states Jean-Louis Fiamenghi. “But not all of our employees are French, hence this internal plan.” If the situation deteriorates, for example during an attempted coup, as was the case in Burkina Faso in 2015, employees are assembled at predetermined sites to best organize their evacuation, always in liaison with the embassy.

Constant checks

Veolia also implements measures to protect essential services, namely drinking water production and delivery. This particularly involves securing sites by means of extremely strict access control procedures, as well as continuously controlling the quality of the water and protecting IT systems. Incidentally, guaranteeing the security of essential services will become compulsory as of 2018 for operators such as Veolia and European States (see boxed text).
In France, the Group regularly takes part in prefectural safety exercises to check the responsiveness of the company and the authorities in the event of a terrorist attack. Accordingly, a simulation of an attack on the Paris water system was conducted in 2015 ahead of COP 21. Sensors placed in facilities immediately detected the intrusion. Once the pollutant injection site was identified, the RAID police unit performed a drill simulating an anti-terrorist operation.


Kapta sensor

A sensor capable of measuring water quality

“Kapta” for real-time action

To combat both accidental pollution and terrorist acts targeting water networks, Endetec – Veolia’s subsidiary specializing in environmental monitoring – has developed a sensor known as “Kapta” (cf. interview with Cyrille Lemoine). It has the advantage of detecting virtually all of the key water quality parameters, whether this concerns chlorine concentration, conductivity, temperature or pressure. “These parameters form a sort of water quality fingerprint,” states Cyrille Lemoine, Endetec’s Vice-President. “For example, a drop in pressure signifies valve movements, whereas chlorine is the prime indicator of contamination.” Kapta is extremely easy to use. It resembles a screw as wide as a €2 coin that is attached to the conduit pipe saddle. However, this sensor is only one link in the network security chain. The information that it measures is automatically sent to a data analysis and processing algorithm making it possible to spot abnormal events and identify their origin.
“When we know that the danger is heightened, for example during a major event such as the Olympic Games, we need simply increase the sensitivity of the algorithms and accelerate the data processing speed,” explains Cyrille Lemoine. “The frequency of analysis increases from the routine 2 ½ hours to every half or even quarter of an hour, but the system remains the same. We guarantee everyday safety, which we can switch to security surveillance, while being certain that our system is always operational.” The next step is marketing a complementary probe measuring turbidity and organic matter, the final two key parameters of water quality.

“NIS Directive”

Europe is looking to improve the security of essential services
The European Union is obliging Member States and operators of essential services to take measures to ensure the security of water, transport and energy networks.

In the European Area, each State is required to comply with the “Network and Information Security” (NIS) directive to the letter to organize the security of their essential services. Intended to “ensure a high common level of network and information security across the Union,” it was approved on December 18, 2015, and must be transposed into national legislation before the second quarter of 2018.
This directive sets out the security rules for operators of essential services: drinking water, energy and transport providers, banks and financial markets, and digital communication infrastructure. Broadly speaking, the directive particularly encourages them to take the appropriate technical measures to manage risk, audit the effectiveness of the security policies implemented, and meet the requirements of the competent national authorities. To this end, operators must inform the latter of any serious incidents affecting a high number of people over a long period or affecting a wide area.
In addition to their obligation to define strategic objectives along with control and regulatory measures, Member States must create a competent national authority to implement the NIS directive. They will also be required to cooperate on these security questions.

To find out more:
the NIS directive on ANSSI’s website: