Skip to website navigation Skip to article navigation Skip to content
My report 0
NS.nl

IT (including cyber)

Group risk

The risk of IT systems failing to meet operational and security requirements.

Development 2021

Measures are in place to increase control, but threats including cyber risks (including on the train) are now increasing as the threat landscape continues to grow.

Control measures

  • The most important critical systems in train logistics control have been replaced. We will largely replace the major operational legacy systems, including the travel information system and Data Warehouse systems, by mid-2022 and 2023. Business continuity agreements with suppliers have been tightened.

  • In order to mitigate the IT capacity shortage, external staff will be replaced by in-house staff where possible and junior staff will be trained internally to a higher level of knowledge. The transformation plan is being implemented, among other things, through Agile working with extra attention being paid to retaining technical talent.

  • Based on a roadmap, cybersecurity will be further strengthened, both in terms of process by means of governance and policy, and substantively in the case of IT and operational technology (OT) on and around the trains. This is becoming increasingly important given the growing cyber threat and the designation of NS as a provider of an essential service.

  • Cyber risk analyses were conducted for example on the operational fleet and ransomware vulnerability.

  • NS participated in the creation of the ‘roadmap Vitaal’, which was drawn up under the leadership of the Ministry of Infrastructure and Water Management, and NS drew up an implementation plan for the Networks and Information Systems (Security) Act (WBNI). This will further shape the protection of vital mobility processes.

  • Awareness campaign concerning secure working from home and extra alertness internal IT security monitoring.

  • A phishing campaign has started and will continue for years to come.

  • Every NS employee has been given a secure laptop that can be used to work from home.

  • Access management has been tightened.

  • As a result of incidents, improvement actions have been taken on, for example, the website www.ns.nl.

Add to My report
Print page