UAB "KAUNO VANDENYS" RESILIENCE STRATEGY: KEY OBJECTIVES IN THE CONTEXT OF NATIONAL SECURITY (2025-2030)

I. INTRODUCTION: UAB "KAUNO VANDENYS" AS AN ELEMENT OF NATIONAL SECURITY

In the contemporary geopolitical environment, where the lines between conventional and hybrid warfare are blurring, the role of providers of vital services transcends traditional utility functions. UAB "KAUNO VANDENYS," as one of the largest water management companies in Lithuania, is no longer merely a service provider—it is an integral part of Lithuania's national security architecture. The uninterrupted and secure supply of drinking water and wastewater management is a strategic state interest, and any disruption to this activity could have catastrophic consequences for public health, social order, the economy, and the state's defense capabilities. This report provides a comprehensive analysis and strategic guidelines on the most important objectives that UAB " KAUNO VANDENYS " must pursue in the 2025–2030 period from the perspective of Lithuanian national security.

1.1. Legal and Strategic Basis for Critical Infrastructure Status

The status of UAB "KAUNO VANDENYS" as a critical infrastructure object is firmly established in the national legal system. The Law on the Protection of Critical Infrastructure of the Republic of Lithuania defines critical infrastructure objects as those whose "inactivity or disruption of activity could cause significant damage to national security."1 This legal basis transforms the company's activities from economic to strategic, directly related to the stability of the state.

Government resolutions have clearly assigned the water supply services sector to the category of critical sectors, and the Ministry of Environment is authorized to identify specific critical infrastructure objects within this sector.2 Given the size of UAB "KAUNO VANDENYS," the number of residents it serves, and its strategic importance to the Kaunas region, it is almost certain that the company and its main facilities (e.g., Vičiūnai and Petrašiūnai waterworks, Marvelė wastewater treatment plant) are included in the non-public "List of Specific Facilities and Assets Important for National Security" approved by Government Resolution No. 558.4

This status is not symbolic. It automatically activates a series of specific legal obligations that go beyond general best practice recommendations. For example, the company must notify the Commission for the Coordination of the Protection of Objects Important for National Security of intended transactions exceeding 10 percent of its annual revenue, as well as certain public procurements, regardless of their value, if national security requirements were imposed on suppliers.6 This means that the company's management must not only comply with these requirements but also actively seek official confirmation from the Ministry of Environment regarding its status and the specific obligations applicable to it. Ignorance or insufficient attention to these obligations is in itself a significant security gap. The first strategic step is to conduct a comprehensive legal audit and establish a formal dialogue with supervisory authorities to clearly define its legal status and the resulting responsibilities.

1.2. The New European Resilience Architecture: CER and NIS2 Directives

Lithuania's national legal framework is supplemented and substantially strengthened by the new European Union resilience enhancement system, formed by two fundamental directives: Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive) and Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive).7 Both directives were to be transposed into national law by October 17, 2024, and their provisions apply from October 18, 2024.7

These directives mark a fundamental shift in the European approach to critical infrastructure security. The CER Directive expands the previously existing regulation, which covered only the energy and transport sectors, and directly included the drinking water supply and wastewater management sectors.7 It obliges member states to identify critical entities and requires these entities to conduct comprehensive risk assessments and take all necessary technical, security, and organizational measures to increase their physical resilience.7

Simultaneously, the NIS2 Directive drastically tightens cybersecurity requirements. It establishes a mandatory baseline level of security measures, which includes incident management, business continuity (including backups and disaster recovery), supply chain security, personnel training, and strict access control policies.9

The synergy of these two directives changes the very paradigm of security: a shift from the traditional "protection" model to a comprehensive "resilience" model. Previously, the main focus was on prevention—efforts to build the highest possible "wall" around an object to prevent malicious actors from entering. The new approach assumes that incidents—both accidental and intentional—are inevitable, and the wall will eventually be breached.

Therefore, the main goal becomes not only the ability to protect but also the ability to withstand a blow, adapt to disrupted conditions, and restore the provision of vital services as quickly as possible. The 2020-2024 strategic plan of UAB "KAUNO VANDENYS" 11 emphasizes operational efficiency and infrastructure renewal to achieve reliability, but it lacks clearly formulated, comprehensive resilience and business continuity objectives, which are now required by EU law. Investments in redundant systems, backup control centers, and regularly tested business continuity plans (BCPs) are no longer "good practice” they are becoming a fundamental legal obligation.

Table 1. Key Legal and Regulatory Obligations for UAB "KAUNO VANDENYS"

II. ANALYSIS OF THREATS TO LITHUANIA'S CRITICAL INFRASTRUCTURE

The operational security of UAB "KAUNO VANDENYS" depends on its ability to understand and neutralize a wide range of threats. These threats arise not only from technical failures or natural disasters but also from targeted, hostile actions by states and other actors. The assessments of Lithuanian intelligence agencies and the analysis of regional incidents paint a clear and alarming picture.

2.1. Hostile State Activities: Russia, Belarus, China

The annual national security threat assessment reports by the State Security Department (VSD) and the Second Investigation Department (AOTD) unequivocally identify Russia and its ally Belarus as the main sources of threats to Lithuania's security.13 The activities of these states' intelligence services are continuous and multifaceted, and critical infrastructure, including the water supply sector, is one of their priority targets. The main objectives of hostile activities are:

●     Information Gathering: Russian and Belarusian intelligence services actively seek to collect any information about Lithuania's strategic infrastructure objects, their operating principles, technologies, security systems, and, most importantly, vulnerabilities.13

●     Personnel Recruitment: A particular danger arises from individuals working at strategic facilities, especially those with access to sensitive information or control systems. Trips to Russia or Belarus create favorable conditions for the intelligence services of these countries to establish contact, collect compromising information, and attempt to recruit employees.13

●     Influence through Projects and Transactions: Hostile states may try to gain access to critical infrastructure not through a direct attack, but through business relationships.

Investors or suppliers with links to Russia, Belarus, or China can become tools in the hands of hostile states to influence project progress, install compromised equipment, or simply obtain confidential technical information.13

China's activities pose a different, but no less dangerous, threat. Cyber espionage groups associated with the Chinese regime regularly scan the networks of Lithuanian state institutions and strategic companies, looking for vulnerabilities.13 Their main goal is technological espionage to gain access to advanced Western technologies used in critical infrastructure, thereby increasing China's economic competitiveness and military modernization.13

In this context, the public procurement and contracting process of UAB "KAUNO VANDENYS" becomes not just an economic but a national security function. The legal acts obliging the reporting of certain transactions 6 and the warnings from intelligence agencies converge into one clear conclusion: a hostile state can achieve its goals not through an explosion, but through a purchase and sale agreement. The choice of a supplier, especially when purchasing complex technological equipment (e.g., SCADA system components, programmable logic controllers - PLCs), cannot be based solely on price and technical specifications. It is necessary to implement a comprehensive Supply Chain Risk Management (SCRM) process. This includes in-depth supplier verification, analysis of their links to hostile states, a requirement to provide detailed technical documentation, including a Software Bill of Materials (SBOM) 10, and, where possible, giving priority to suppliers from NATO and EU countries, even if it means higher costs.

2.2. Physical Threats and Sabotage Possibilities

The long-held belief that civilian infrastructure is untouchable has crumbled. Recent events in the Baltic Sea region—the "Nord Stream" pipeline explosions, damage to underwater communication and electricity cables between Finland, Estonia, and Sweden 15—have clearly demonstrated that physical sabotage is a real and current threat. These incidents were taken seriously not only by national governments but also by NATO, which launched a special patrol operation, "Baltic Sentry," to protect critical infrastructure in the Baltic Sea.17 Lithuania, Latvia, Estonia, and Poland signed a memorandum on strengthening cooperation in the protection of critical energy infrastructure.16

Water supply infrastructure is no exception. International experience shows that it is an attractive target. In the summer of 2024, break-ins at water treatment plants in Finland and Germany were recorded, raising concerns about possible sabotage.20 The tragic explosion of the Nova Kakhovka dam in Ukraine showed the catastrophic humanitarian and ecological consequences that a direct attack on a water infrastructure object can cause.21

In response to these threats, Lithuanian institutions are taking concrete actions. The Public Security Service (VST) has taken over the physical protection of strategic energy facilities 22, and the Ministry of Environment, in cooperation with VST experts, approved new, much stricter physical and operational security requirements for all nationally important water suppliers at the end of 2024.12

This means the end of the "security by obscurity" era, where one could hope that utility infrastructure would simply not interest anyone. The psychological barrier to attacking civilian objects has been crossed. Therefore, UAB "KAUNO VANDENYS" must transform its approach to physical security—moving from a standard safety model designed to protect against accidents and theft to a defensive security model planned with a targeted, well-organized, and technically equipped act of sabotage in mind. Every critical asset of the company—from remote pumping stations to central water treatment plants—must be re-evaluated through the lens of a potential attacker.

2.3. Hybrid Threats: Cyberattacks and Disinformation

Hybrid threats, which combine cyberattacks, information operations, and other non-military pressure tools, have become a primary instrument of hostile states. According to the National Cyber Security Centre (NCSC), attacks on critical sectors in the Baltic Sea region are constantly increasing. The number of distributed denial-of-service (DDoS) attacks, website defacement incidents, and unauthorized remote access incidents has particularly grown.23 These attacks are carried out by various actors: state-sponsored hacker groups, financially motivated cybercriminals, and ideological "hacktivists."23

The war in Ukraine has revealed a particularly dangerous trend: cyberattacks are often synchronized with physical strikes to cause maximum chaos and disrupt rescue efforts. It is important to note that the targets are not only obvious military or energy facilities but also "companies providing daily services to the population" 23, which directly includes the water management sector.

An equally dangerous component of a hybrid attack is disinformation. VSD reports emphasize that Russia constantly conducts aggressive information operations aimed at "instilling fear and panic in the societies of the region's countries, disrupting the work of state institutions, and promoting public dissatisfaction."13 A specialized report, "Russian Hybrid Threats to Europe's Health and Water Systems" 20, concludes that false reports on social media about alleged water contamination can cause the same short-term destructive impact (panic, distrust in government, economic losses) as a real physical attack.20

The most likely and potentially damaging scenario for UAB "KAUNO VANDENYS" is not a single physical or cyberattack, but a coordinated hybrid operation. For example, let's imagine a scenario:

1.       Initiation: A relatively simple cyberattack is carried out, e.g., a DDoS attack on the UAB "KAUNO VANDENYS" website, disrupting customers' ability to obtain information. Or a minor physical incident is staged, e.g., a simulated chemical spill near a waterworks protection zone.

2.       Escalation: Simultaneously, a pre-prepared disinformation campaign is launched through social networks ("Telegram," "Facebook") and anonymous news portals. Fake photos, AI-generated audio recordings, or video clips are distributed, claiming that Kaunas' water is poisoned, that the government is hiding the truth, and that the system is on the verge of collapse.

3.       Impact: The goal of the operation is not so much to cause long-term physical damage as to create mass panic, clog emergency service lines, paralyze city life, undermine trust in UAB "KAUNO VANDENYS" and the Kaunas City Municipality, and thus sow social chaos.

This scenario reveals a critical gap if the company's crisis management structures operate separately. The response plan cannot be divided into "IT," "physical security," and "communication" parts. A unified, integrated crisis management headquarters and pre-prepared and constantly tested plans for responding to hybrid attacks are necessary. The company's publicly available strategic documents 11 do not reflect this level of integrated, scenario-based planning.

Table 2. Threat Matrix: Actors, Motives, and Tactics

III. RESILIENCE ASSESSMENT: PHYSICAL, CYBER, AND ORGANIZATIONAL SECURITY

To formulate effective strategic objectives, it is necessary to conduct an objective assessment of the current resilience state of UAB "KAUNO VANDENYS," comparing it with legal requirements, known threats, and international best practices. This assessment must cover three key areas: physical security, cyber resilience, and organizational maturity.

3.1. Strengthening Physical Security: From the Perimeter to Critical Nodes

The assessment of physical security must be based on the new requirements approved by the Ministry of Environment and the VST in 2024 12 and internationally recognized principles of layered defense.25 These principles include four echelons of defense:

1.     Deterrence: Physical barriers (fences, gates), clear warning signs, good lighting, and visible video surveillance designed to deter a potential intruder.

2.    Detection: Technological measures (motion sensors, perimeter protection systems, video cameras with analytics functions) that detect intrusion attempts in real time.

3.       Delay: Reinforced structures, certified locks, additional barriers that would slow down an intruder's movement and provide more time for response forces.

4.    Response: A clear procedure for how security personnel or contracted services respond to an alarm, and formalized cooperation protocols with the police and VST.

The assessment must cover all critical facilities: waterworks, water treatment stations, main and auxiliary pumping stations, wastewater treatment plants, chemical storage facilities, and control centers.

Special attention must be paid to geographically dispersed and often unmanned facilities. The water supply system is inherently very decentralized, covering hundreds of kilometers of pipelines and numerous auxiliary facilities.27 A hostile actor will always look for the weakest link. Therefore, the probability of an attack on a remote, poorly protected pumping station or network node is much higher than on a well-guarded central headquarters or the Marvelė treatment plant. A comprehensive physical security audit must prioritize these dispersed assets. The strategy should not be to place a guard at every facility; instead, a cost-effective combination of technologies (sensors, smart cameras, drone patrols) and rapid response protocols should be implemented to ensure the security of the entire network, not just the central nodes.

3.2. Cyber Resilience: The Necessity of IT and OT Network Protection

The strategic plans of UAB "KAUNO VANDENYS" mention a general category of "information security measures" 11, but this hides a fundamental difference between the security of information technology (IT) and operational technology (OT). IT security (office computers, email, accounting systems) is important, but the existential threat to the company's core business comes from attacks on the OT network: the systems that directly control physical processes (pumps, valves, chemical dosing).

The priorities of IT and OT security differ fundamentally. In the IT world, confidentiality and integrity are paramount, while in the OT world, it is availability and safety.28 Applying standard IT security measures, such as active vulnerability scanning or antivirus programs, to sensitive OT systems can cause unforeseen disruptions or even physical damage.29 Therefore, it is necessary to create a separate, specialized OT cybersecurity program.

The assessment must be conducted according to international standards and guidelines, such as the NIST Cybersecurity Framework 31, CISA recommendations 33, and ENISA guidelines.9 It is necessary to evaluate these key OT security elements:

●     Network Segmentation: Is there a strict physical or logical separation of IT and OT networks? Is a demilitarized zone (OT-DMZ) created for secure data exchange? 35

●     Access Control: Is the "least privilege" principle applied? Is multi-factor authentication (MFA) used for access to critical systems? Is remote access (e.g., for suppliers) strictly controlled through specialized "jump servers"? 29

●     System Hardening: Have all default manufacturer passwords been changed? Are unnecessary ports and services on controllers and servers disabled? 35

●     Monitoring and Response: Is a passive intrusion detection system (IDS) that does not disrupt normal system operation installed on the OT network? Are event logs from critical OT devices centrally collected and analyzed? 10

The planned investment of €1–1.5 million in information security measures in the 2020-2024 plan of UAB "KAUNO VANDENYS" 11 is likely insufficient to create a mature OT security program from scratch. Investments are needed not only in technology but also in specialized competencies, which often differ from the skills of traditional IT security specialists.

3.3. Organizational Maturity and Business Continuity

Technologies and fences are worthless without a resilient organizational culture and well-prepared processes. This aspect of the assessment covers the human factor and the ability to operate during a crisis.

●     Personnel Reliability: It is necessary to assess whether the company has personnel vetting procedures, especially for employees who have administrator rights to access critical IT and OT systems. VSD warnings about the risks to employees traveling to hostile states must be integrated into personnel policy and security briefings.13

●    Business Continuity Planning (BCP): This is an area where, judging by public documents, UAB "KAUNO VANDENYS" may have the largest strategic gap. The company's reports talk about the efficiency of accident elimination 24, but this is a response to normal technical failures (reliability), not to a catastrophic, intentional incident (resilience). According to international guidelines (e.g., AWWA 38) and CER/NIS2 requirements, a mature BCP must include:

○     Identification of Mission-Essential Functions: A clear list of processes that must operate under any circumstances to avoid catastrophic consequences.

○     Business Continuity and Disaster Recovery Plans: Detailed, documented plans on how these functions will be maintained in the event of the loss of primary resources (e.g., the main control center, part of the personnel, electricity supply).

○   Alternate Work Sites: Designated and equipped backup facilities (e.g., an alternate control center) from which critical processes can be managed.

○   Succession and Delegation of Authority Schemes: Clear rules on who takes over decision-making authority if key managers are unavailable.

○     Regular Exercises and Testing: A BCP is ineffective if it sits on a shelf. It is necessary to regularly test the plans through various levels of exercises—from technical (e.g., restoring backups) to strategic (management exercises simulating a crisis).

The publicly available strategic and annual reports of the company 11 do not show that such comprehensive, hostile-action-oriented business continuity planning is in place. This is a fundamental discrepancy with the new security reality and legal regulation.

IV. STRATEGIC OBJECTIVES AND RECOMMENDATIONS (2025-2030)

Given the changes in the legal environment, the evolving threat landscape, and the resilience assessment conducted, UAB "KAUNO VANDENYS" should focus its efforts on four strategic objectives for the 2025–2030 period. These objectives are designed to transform the company's approach to security—from reactive and fragmented to proactive, integrated, and resilience-based.

4.1. Objective 1: Achieve Full Compliance with National and EU Legal Regulations

This objective is fundamental and urgent. Full compliance with legal acts is not only an obligation but also the foundation upon which all other security measures are built.

●     Recommended Actions:

1.       Compliance Audit: Immediately conduct a comprehensive legal audit to identify compliance gaps according to the requirements of the CER and NIS2 directives and related national laws and by-laws. Create a detailed action plan with deadlines and responsible people to address these gaps.7

2.       Appointment of Responsible Persons: Officially, by order of the company's director, appoint specific employees or departments responsible for the implementation and supervision of CER (physical resilience) and NIS2 (cybersecurity) requirements.

3.       Update and Coordinate Security Plans: Prepare new, detailed company physical and operational security plans that meet the latest requirements approved by the Ministry of Environment and the VST. Coordinate these plans with the responsible institutions as required.12

4.     Implement Mandatory Reporting Processes: Create and formalize in internal procedures clear processes for how and to whom significant cyber incidents (to the NCSC, according to NIS2 requirements) and transactions important for national security (to the relevant commission, according to the Law on the Protection of Objects Important for National Security) are reported.6

4.2. Objective 2: Create an Integrated Threat Monitoring and Response System

Separate physical security, IT, and OT security measures are insufficient to counter complex hybrid threats. It is necessary to create a unified system that allows for a comprehensive view and coordinated response.

●     Recommended Actions:

1.       Establish an OT Security Program: Create a dedicated OT security function, separate from general IT security. Invest in specialized OT security tools (e.g., passive network monitoring and anomaly detection systems) and enhance employee competencies in this area.

2.      Implement SIEM/SOC: Implement or use as a service a Security Information and Event Management (SIEM) system that centrally collects and correlates event logs from IT, OT, and physical security systems (e.g., access control, perimeter protection). This would allow for the real-time detection of signs of complex attacks.

3.       Formalized Cooperation: Sign official cooperation and threat information exchange protocols with the NCSC, VST, VSD, and the police. Actively participate in national and sectoral cybersecurity exercises organized by the NCSC and the Regional Cyber Defence Centre.16

4.       Test Integrated Response Plans: Prepare and regularly test (at least annually) response plans for specific hybrid threat scenarios (e.g., a coordinated cyberattack and disinformation campaign). Involve not only technical personnel but also management and communication specialists in the exercises.20

4.3. Objective 3: Optimize Security Investments, Prioritizing Resilience

Security investments should be viewed not as expenses but as strategic investments in business continuity. It is necessary to review the investment planning process, integrating resilience criteria.

●     Recommended Actions:

1.    Review of Investment Plan: Review the current and future investment plans 11, integrating mandatory physical and cybersecurity requirements into every infrastructure modernization project (e.g., network reconstruction, pumping station upgrades).

2.       Priority Investments: Give the highest priority to investments that increase resilience: OT network segmentation, physical "hardening" of critical facilities, installation of autonomous power sources at the most important water supply and wastewater management nodes, and setting up a backup control center.

3.       Supply Chain Risk Management (SCRM): Create and implement a formalized SCRM program for technology and service procurements. This must include supplier reliability assessment, requirements for equipment security and transparency, and contractual conditions obliging suppliers to report security incidents.

4.    Regular Audits: Budget for regular (at least every 2 years) security audits and penetration testing conducted by independent third parties, covering both IT and OT environments.

Table 3. Recommended Security Investment Priorities (2025-2030)

4.4. Objective 4: Foster a Comprehensive Resilience Culture

Resilience is not just a matter of technology or procedures—it is a mindset and culture for the entire organization. Every employee, from the CEO to the pipeline repairman, must understand their role in ensuring security.

●     Recommended Actions:

1.      Continuous Training: Create and implement a mandatory, ongoing security training program. It must be tailored to job roles: for managers—strategic threats and crisis management; for IT/OT personnel—technical threats and defense methods; for all employees—recognizing social engineering, phishing attacks, and procedures for reporting suspicious incidents.25

2.    Exercise Calendar: Prepare and approve an annual calendar of exercises and simulations, which should include:

a.     Technical exercises: e.g., testing backup restoration, switching to backup power sources.

b.     Functional exercises: e.g., the actions of a specific department (dispatch center, IT department) in response to a cyber incident.

c.     Strategic table-top exercises: Management team exercises simulating complex crises (e.g., a hybrid attack) to test decision-making processes and communication.

3.   Crisis Communication Plans: Prepare detailed internal and external crisis communication plans. These plans must include pre-prepared message templates, clear communication channels, and a strategy to combat disinformation and false rumors in real time.20

4.       Dialogue with the Shareholder: Initiate a dialogue with the main shareholder—the Kaunas City Municipality—regarding the update of the "letter of expectations".43 The new letter of expectations must include specific, measurable national security and resilience enhancement objectives, thus ensuring political support and adequate resource allocation to achieve these goals.

V. CONCLUSIONS: A LONG-TERM RESILIENCE STRATEGY

The operating environment of UAB "KAUNO VANDENYS" has fundamentally changed over the past few years. Aggressive Russian policy, the ongoing war in Ukraine, and the increasing frequency of hybrid attacks against the critical infrastructure of Western countries demand a fundamental shift in the company's strategic thinking—a transition from operational efficiency and reliability to strategic resilience.

The analysis presented in this report shows that UAB "KAUNO VANDENYS," as an object of national security importance, faces complex and realistic threats, including physical sabotage, sophisticated cyberattacks, and coordinated disinformation campaigns. In response to these threats, systematic and long-term actions are necessary.

Security is no longer a one-time project or the function of a single department. It must become a continuous process, integrated into all aspects of the company's activities, from strategic planning and investment to daily operations and personnel training. Success will depend on the management's ability to demonstrate leadership, ensure sustainable financing, and create an organizational culture where every employee understands their responsibility for protecting a vital service.

The presented strategic objectives—to achieve full legal compliance, create an integrated threat management system, optimize investments in resilience, and foster a comprehensive security culture—form a coherent action plan for the next five years. Their implementation will not only protect the assets and operations of UAB "KAUNO VANDENYS" but also make a significant contribution to strengthening the national security of Kaunas city and all of Lithuania. Ensuring resilience is not an expense but a necessary investment in the uninterrupted supply of the source of life—water—and a stable future for the state.

Sources:

1.       PATVIRTINTA Lietuvos Respublikos Vyriausybės nutarimu Nr. https://e-seimas.lrs.lt/rs/lasupplement/TAP/0369c1a1805811e89188e16a6495e98c/226a6c628c1211e8aa33fe8f0fea665f/format/ISO_PDF/

2.       dėl ypatingos svarbos informacinės infrastruktūros identifikavimo metodikos patvirtinimo  https://e-seimas.lrs.lt/rs/legalact/TAP/28402860023e11e6bf4ee4a6d3cdb874/

3.       Dėl Ypatingos svarbos informacinės infrastruktūros identifikavimo metodikos patvirtinimo https://www.infolex.lt/ta/365749

4.       558 Dėl Konkrečių nacionaliniam saugumui užtikrinti svarbių https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/769809866d6511e89a0fd2d617326139?jfwid=mmceolfao

5.       Dėl Konkrečių nacionaliniam saugumui užtikrinti svarbių įrenginių ir turto sąrašo patvirtinimo https://www.infolex.lt/ta/483592

6.       Lietuvos Respublikos nacionaliniam saugumui užtikrinti svarbių objektų apsaugos įstatymo Nr. IX-1132 12, 13 ir 19 straipsnių pakeitimo įstatymas - e-TAR https://www.e-tar.lt/portal/ru/legalActPrint?documentId=60428000aa7111ec8d9390588bf2de65

7.       Ypatingos svarbos subjektų atsparumo didinimas | EUR-Lex https://eur-lex.europa.eu/LT/legal-content/summary/making-critical-entities-more-resilient.html

8.       EP patvirtino ypatingos svarbos infrastruktūros apsaugos taisykles | Naujienos | Europos Parlamentas https://www.europarl.europa.eu/news/lt/press-room/20221118IPR55705/ep-patvirtino-ypatingos-svarbos-infrastrukturos-apsaugos-taisykles

9.       ENISA publishes technical guidance to strengthen NIS2 cybersecurity risk management https://industrialcyber.co/threats-attacks/enisa-publishes-technical-guidance-to-strengthen-nis2-cybersecurity-risk-management/

10.    NIS 2 and Cybersecurity for OT Operations in the Water Industry - HMS Networks https://media.hms-networks.com/image/upload/v1708430018/Documents/Whitepapers/NIS2_and_Cybersecurity_for_OT_Operations_in_Water_Industry_EN.pdf

11.    UŽDAROSIOS AKCINĖS BENDROVĖS „KAUNO VANDENYS“ 2020 https://www.kaunovandenys.lt/SiteAssets/Strateginis_planas_2020-2024(%20aktuali%20redakcija%20galioja%20nuo%202021m.%20spalio%204%20d.).pdf

12.    Stiprinama vandens tiekėjų infrastruktūros apsauga - Aplinkos ministerija https://am.lrv.lt/lt/naujienos/stiprinama-vandens-tiekeju-infrastrukturos-apsauga/

13.    GRĖSMIŲ NACIONALINIAM SAUGUMUI VERTINIMAS - VSD.lt https://www.vsd.lt/wp-content/uploads/2024/03/GR-2024-02-15-LT-1-1.pdf

14.    Grėsmių nacionaliniam saugumui vertinimas - Lietuvos Respublikos valstybės saugumo departamentas https://www.vsd.lt/archyvas-gresmu-vertinimo-ataskaitos/

15.    Vyriausybė patvirtino KAM ir VRM inicijuotą algoritmą dėl reagavimo į kabelių pažeidimus Baltijos jūroje | LR Krašto apsaugos ministerija https://kam.lt/vyriausybe-patvirtino-kam-ir-vrm-inicijuota-algoritma-del-reagavimo-i-kabeliu-pazeidimus-baltijos-juroje/

16.    Baltijos šalys ir Lenkija susitarė stiprinti kritinės energetinės infrastruktūros apsaugą - LRT https://www.lrt.lt/naujienos/verslas/4/2591666/baltijos-salys-ir-lenkija-susitare-stiprinti-kritines-energetines-infrastrukturos-apsauga

17.    Baltijos jūroje pradėjo patruliuoti Karinių jūrų pajėgų laivai | lnk.lt https://lnk.lt/straipsniai/Politika/baltijos-juroje-pradejo-patruliuoti-kariniu-juru-pajegu-laivai/294781

18.    Baltijos šalys ir Lenkija susitarė stiprinti kritinės energetinės infrastruktūros apsaugą https://enmin.lrv.lt/lt/naujienos/baltijos-salys-ir-lenkija-susitare-stiprinti-kritines-energetines-infrastrukturos-apsauga/

19.    Baltijos šalys ir Lenkija sutarė didinti kritinės energetinės infrastruktūros apsaugą | tv3.lt https://www.tv3.lt/naujiena/verslas/baltijos-salys-ir-lenkija-sutare-didinti-kritines-energetines-infrastrukturos-apsauga-n1429016

20.    Russian Hybrid Threats to Europe's Health and Water Systems https://e-arc.ro/wp-content/uploads/2024/08/Russian-Hybrid-Threats-to-Europes-Health-and-Water-Systems.pdf

21.    Use Case of Water Reservoir Protection as a Critical Infrastructure Element in Slovakia Using a Quantitative Approach - MDPI https://www.mdpi.com/2073-4441/15/15/2818

22.    Baltijos teisėsaugos ir ryšių pareigūnų forumas: kolektyvinis atsakas į kylančias grėsmes, https://vstarnyba.lrv.lt/lt/naujienos/baltijos-teisesaugos-ir-rysiu-pareigunu-forumas-kolektyvinis-atsakas-i-kylancias-gresmes

23.    Baltijos jūros regiono šalyse dažnėja į kritinę infrastruktūrą ... - Kam.lt  https://kam.lt/baltijos-juros-regiono-salyse-dazneja-i-kritine-infrastruktura-nutaikytos-kibernetines-atakos/

24.    UAB „KAUNO VANDENYS“ 2024 m. Vadovybės ataskaita UAB „KAUNO VANDENYS” https://www.kaunas.lt/wp-content/uploads/sites/13/2025/04/2024-m.-vadovybes-ataskaita-2.pdf

25.    Guide to Perimeter Security for Water Utilities - Senstar https://senstar.com/senstarpedia/water-security/

26.    Physical security of water/wastewater infrastructure: Planning and equipment selection https://www.researchgate.net/publication/319370837_Physical_security_of_waterwastewater_infrastructure_Planning_and_equipment_selection

27.    PATVIRTINTA Uždarosios akcinės bendrovės „KAUNO VANDENYS“ generalinio direktoriaus 2024 m. gegužės 27 d. įsakymu Nr. https://www.kaunovandenys.lt/wp-content/uploads/2024/06/Kauno-vandenys_RAS-aprasas_2023.pdf

28.    Better protection of SCADA systems is needed in Europe, ENISA warns https://www.smart-energy.com/regional-news/europe-uk/better-protection-of-scada-systems-is-needed-in-europe-enisa-warns/

29.    Overcoming SCADA integration cybersecurity challenges - Control Engineering https://www.controleng.com/overcoming-scada-integration-cybersecurity-challenges/

30.    A Review of Cybersecurity Incidents in the Water Sector – arXiv  https://arxiv.org/pdf/2001.11144

31.    Cybersecurity & Guidance - American Water Works Association https://www.awwa.org/resource/cybersecurity-guidance/

32.    NIST Begins Cybersecurity Project for Water and Wastewater Operations https://www.nist.gov/news-events/news/2024/04/nist-begins-cybersecurity-project-water-and-wastewater-operations

33.    Top Cyber Actions for Securing Water Systems - CISA https://www.cisa.gov/resources-tools/resources/top-cyber-actions-securing-water-systems

34.    New CISA and EPA guidelines aim to shield water and wastewater systems from cyber threats https://industrialcyber.co/utilities-energy-power-water-waste/new-cisa-and-epa-guidelines-aim-to-shield-water-and-wastewater-systems-from-cyber-threats/

35.    SCADA Security Essentials: Your Need-to-Know Guide https://www.ssh.com/academy/operational-technology/scada-security-essentials-need-to-know-guide

36.    10 Practical Steps to Reduce SCADA Cybersecurity Risk https://www.nacwa.org/news-publications/news-detail/2024/10/17/10-practical-steps-to-reduce-scada-cybersecurity-risk

37.    Increase cybersecurity for our most precious resource: Water - Schneider Electric Blog https://blog.se.com/industry/water-and-wastewater/2025/01/02/increase-cybersecurity-for-our-most-precious-resource-water/

38.    Business Continuity - American Water Works Association https://www.awwa.org/resource/business-continuity/

39.    Business Continuity Plans for Water Utilities https://www.waterrf.org/serve-file/SWMC17-Smith.pdf

40.    Veiklą oficialiai pradeda Regioninis kibernetinės gynybos centras https://kam.lt/veikla-oficialiai-pradeda-regioninis-kibernetines-gynybos-centras/

41.    Water Sector Cybersecurity Risk Management Guidance for Small Systems - American Water Works Association https://www.awwa.org/wp-content/uploads/WaterSectorCybersecurityRiskMgmt.pdf?%3Futm_source=IDG

42.    EU agency releases Water Security Plan to counter hostile actions on water supply systems https://industrialcyber.co/news/eu-agency-releases-water-security-plan-to-counter-hostile-actions-on-water-supply-systems/

43.    Informacija apie UAB „KAUNO VANDENYS“ 2024 m. veiklą ir rezultatus https://www.kaunas.lt/wp-content/uploads/sites/13/2025/04/Informacija-apie-UAB-%E2%80%9EKauno-vandenys-2024-m.-veikla-ir-rezultatus.pdf