An administrative view of cybersecurity at Dutch Railways

Hotze Zijlstra

5 April 2022

Cyber threats can occur at Dutch Railways (Nederlandse Spoorwegen or NS) in various places: trains, stations, workplaces, data centers, websites, mobile apps, and the chain. According to CISO Dimitri van Zantvliet, the key is mapping the risks and responding to the threat landscape.

Analyzing these risks is not done once but periodically in a structural manner and, if desired, in the interim for acute threats. These are then mitigated through an overarching NS cybersecurity roadmap. Progress on this is reported periodically to the Executive Board.

Van Zantvliet: “As a services provider essential to the country, NS constantly gauges at board level which risks it wants to avoid, and where a certain ‘risk appetite’ is opportune. Cybersecurity is one of several risk areas and the youngest shoot on this trunk.”

Opportunity x Impact

Cybersecurity at NS is a topic that is addressed risk-based. Risks such as ransomware, vulnerable applications, insider threats, and so on are always translated into the probability X impact on service provision and social role. From that perspective, we also look at any weak links in the supply chain and with partners – for example, in the case of digital assets in the cloud or the case of chain mobility.

Then, the translation is made to specific security solutions for systems, infrastructure, connected devices, laptops, and other end-points based on all common and relevant security frameworks.