The new WRR report states that the Netherlands is insufficiently prepared to deal with digital incidents and their impact. There are multitudes of preventative measures taken by organizations to avoid incidents. But what about taking measures when something actually occurs?
The reality is that the overwhelming majority of organizations are simply insufficiently prepared to handle incidents when they occur. This is due to: a) the way in which knowledge is shared, b) the goals that are set on the basis of best practices and vision, and c) the manner in which we cooperate digitally. For crises in the physical domain (natural disasters and the like), extensive plans have been developed and are regularly tested and practised in exercises; the ultimate objective of organizations is to be back in business as quickly as possible.
Organizations also share knowledge and boast quality certifications. In the digital world, however, the focus seems to be completely different. With the integration of IT and OT, urgent action is needed: the physical and digital domains are simply no longer separated. In the OT field, the focus is mostly on safety and, above all, on availability (keeping the process running). For physical safety, organizations adhere to a multitude of regulations, implemented and enforced by the state or by company headquarters. Comparable regulations have often not yet been set for digital security.
Recently a security officer in a factory stated that a certain exploit alert could be written off as a 'false positive'. Luckily, after further explanation, an investigation was carried out. The security officer had been managed to prioritize uninterrupted operations and efficiency over security, and additionally lacked knowledge of the potential calamity that an 'exploit alert' warns against. An alert that a known exploit has been attempted is not something to dismiss on the basis of uptime targets: it has to be triaged, and the burden of proof lies with showing that it is benign, not the other way round. This is a good illustration of why the majority of companies are still unprepared digitally: (a lack of) knowledge, and objectives. Despite all the examples, such as Maersk and FedEx (both hit by NotPetya in 2017), many organizations are still not well prepared to adequately protect themselves when a cyber incident happens.
Security providers regularly call attention to the warning signs. However, as long as organizations avoid the crisis and only see the money invested in security flow out of their corporate account, the sense of urgency is lost. The WRR report also states that the emphasis lies on individual organizations instead of on networks and supply chains, and observes that vital information does not always end up in the right place. "Partly because of this, the knowledge collected and shared is too limited." This statement is followed by a number of elements that contribute to cyber-resilience, such as learning from and reflecting on incidents, the (non-)cooperation of insurers in compensating losses due to cyber incidents, and regulating responsibility by means of national measures and international cooperation and management.
In its recommendations, the WRR addresses the intrinsic need to share knowledge, to provide insight into the aforementioned business landscape, and the formation of a Dutch or European cyber pool that would make data on incidents available for learning and prevention purposes. Nixu fully endorses these elements. It is crucial that entities in the industry take joint responsibility, across the public and private sectors as well as academia.
In this context, Nixu would recommend a framework such as NIST's for ICS (for example NIST SP 800-82, the Guide to Industrial Control Systems Security). We are therefore proponents of developing preventive measures as well as detection, response and recovery capabilities. Nixu is a strong advocate of testing 'forensic readiness' (verifying, before an incident, that the logging, time synchronization and retention an investigation will need are actually in place) and of cyber-physical exercises in a public-private context.
Each specialist has their own unique knowledge about risks, processes, systems and best practices. By combining our expertise, without simultaneously pursuing a commercial goal, we can be better prepared for digital incidents and their impact within and outside Dutch borders.
For this reason, Nixu has started the OT/ICS Center of Excellence (CoE). Within the CoE, we connect Nixu's experience with that of stakeholders and share our knowledge about IT/OT convergence through three elements:
- Joint training and knowledge sharing:
  - Multiple ICS workshops focusing on compliance, risk and measures
  - Whitepapers and other content
- Research:
  - Technology research, for example focusing on vulnerabilities in and security of IoT applications
  - Tactical and strategic research, aimed, for example, at (the applicability of) best practices for cyber security in IT/OT
- Commercial services:
  - As a listed company, we also offer commercial services at the cutting edge of IT/OT, from advice to training to assessments to detection and recovery. Nixu operates vendor-agnostically and completely transparently.
We call on organizations to engage in greater cooperation, regardless of their own interests, in order to help Dutch businesses to become more digitally resilient.
About Suzanne Rijnbergen
Suzanne Rijnbergen has led the Nixu Cyber Defense Center in the Benelux since July 2019, where she combines a strong technical background with business knowledge to the benefit of Nixu's clients.
She originally started working in cybersecurity in 2006, when she focused on digital forensics, security audits, penetration testing and security training. She specializes in business development, strategic and operational management, and M&A in both IT and OT/ICS security. Suzanne holds a Bachelor's degree in Commercial Economics, several Bachelor-level certifications in Technical Computer Science, a European CIPP/E certification for privacy and a Master's in Business Administration from Nyenrode University.