Operational Technology (OT), such as sluices, bridges, and traffic systems, is critical to the infrastructure managed by municipalities in the Netherlands. Ensuring the cybersecurity of these vital systems has become increasingly important. This blog delves into the results of a recent survey conducted among Chief Information Security Officers (CISOs) from various Dutch municipalities, examining their preparedness for the upcoming NIS2 directive.
Background
This research was initiated by the Association of Dutch Municipalities (VNG) in collaboration with the Information Security Service (IBD). The survey was designed and conducted by researchers from the Cybersecurity & Safety and Changing Role of Europe research groups at The Hague University of Applied Sciences. The aim was to gauge the current state of cybersecurity for OT in municipalities and assess their readiness for the NIS2 directive, which will impose stricter cybersecurity requirements starting in October 2024.
Methodology
The survey, distributed via Questback.com, targeted CISOs and related officials across all 342 Dutch municipalities. Conducted between January 25 and February 15, 2024, the survey saw responses from 65 participants, providing a significant snapshot of the current cybersecurity landscape in municipal OT management.
Key Findings
Municipalities manage a wide range of OT objects, including:
- Bridges
- Sluices
- Traffic control systems
- Wastewater installations
- Public lighting
On average, respondents reported overseeing five different types of OT objects, with some noting additional responsibilities such as managing parking meters and solar panel systems.
Management of OT Objects
A majority of respondents indicated that OT management is a mix of in-house and outsourced efforts. However, a notable 20% were unsure of the exact management setup, highlighting a significant gap in oversight and control.
Presence of Cybersecurity Policies
Fewer than a quarter of respondents confirmed the existence of specific cybersecurity policies for OT. Larger municipalities were more likely than smaller ones to have such policies in place. This discrepancy underscores the need for uniform policy development and implementation across municipalities.
Integration of IT and OT Systems
About 60% of participants reported adequate separation between IT and OT systems, a crucial factor in minimizing cybersecurity risks. However, nearly a quarter of respondents were uncertain about the extent of this integration.
Awareness and Use of Security Standards
Only 39% of respondents were familiar with the CSIR (Cybersecurity Incident Response) framework for OT security, and an even smaller percentage actively used it. This indicates a need for increased awareness and training on existing security standards and frameworks.
Management and Board Involvement
A significant majority of respondents noted minimal involvement from municipal management and boards in OT cybersecurity. This lack of engagement at higher organizational levels is a major barrier to enhancing cybersecurity measures.
Concerns About Cyber Incidents
Despite limited active measures, there is considerable concern about potential cyber incidents. Respondents highlighted risks such as:
- Data breaches
- Control system hijacking
- Environmental hazards from compromised water management systems
Recommendations
Enhancing OT Security Measures
Given the survey results, it is clear that municipalities must prioritize the development and implementation of comprehensive cybersecurity policies for OT. This includes:
- Conducting thorough risk assessments
- Adopting recognized security frameworks like CSIR
- Ensuring the segregation of IT and OT systems
Increasing Management Engagement
To drive meaningful change, it is essential for municipal management and boards to be more involved in cybersecurity initiatives. Regular training and awareness programs can help bridge the current gap in understanding and engagement.
Supporting Smaller Municipalities
Smaller municipalities, in particular, require targeted support to meet the stringent requirements of the NIS2 directive. Collaborative efforts and resources from larger municipalities and central bodies like VNG can play a crucial role in this process.
Conclusion
The cybersecurity of municipal OT systems in the Netherlands is a critical concern that requires immediate and sustained attention. The upcoming NIS2 directive provides an opportunity to enhance these systems’ resilience against cyber threats. By addressing the gaps identified in this research, municipalities can better protect their vital infrastructure and ensure the safety and security of their residents.
For further details and comprehensive insights, access the full report from The Hague University of Applied Sciences.