In order to fend off increasing cyber challenges, NS is continuing its efforts to improve the cybersecurity of its IT (information technology) and OT (operational technology) systems. We are conducting company-wide risk analyses of IT and OT processes and of high-risk incidents. Based on a new cybersecurity roadmap, we took further technological risk-mitigating measures in 2022, such as a vulnerability scan and cloud security measures. We respond to current threats, such as ransomware and supply chain attacks. In addition, we invested in company-wide measures to raise cybersecurity awareness, continued our long-term investments in our fixed team of cybersecurity experts, and expanded that team.
Networks and Information Systems (Security) Act (WBNI)
In late 2021, NS was designated as a ‘provider of essential services’ under the Networks and Information Systems (Security) Act (WBNI). NS now ensures compliance with its duty of care and duty to report pursuant to the WBNI, based in part on the Cybersecurity Management System (CSMS). We use that same CSMS to provide our business customers with assurance regarding the measures we have taken. In late 2022, NS obtained its ISO 27001 information security certification for business service processes in connection with the NS Business Card.
Sector-wide information sharing
NS takes part in national and international initiatives to improve cybersecurity in the railway sector. 2022 saw the establishment of the ISAC (Information Sharing en Analysis Centre) for the Dutch railway system. NS, other businesses in its sector and the National Cyber Security Centre use the ISAC to share information about current threats and any lessons learnt.