Industry News

Dutch Critical OT Systems Vulnerable to Hacks

23 July 2023

Critical services in the Netherlands could be a potential target of ransomware and hacktivist attackers with ties to Russia as a means to sow large-scale disruptions in the country, according to a Dutch National Cyber Security Center warning this week.

Although the Russian invasion of Ukraine did not immediately result in a high level of attacks as anticipated, the Dutch NCSC said the country continues to experience a high volume of attacks compared to previous years.

These attacks include an influx of ransomware, hacktivist, espionage activities from groups with political affiliations to Russia. Though these incidents have not led to major disruptions, the agency warned the Netherlands is likely to face "dynamic, complex and broader threat," especially against critical infrastructure, in the coming years.

The country's operational technology networks, including industrial automation and control systems, are particularly at risk because they tend to be "insecure by design," the agency warned.

Information on vulnerabilities affecting OT systems is limited, and organizations face huge costs to replace older OT systems. Patching new software is also a concern for organizations since the patches could disrupt the interoperability of the operating systems. These issues make the sector vulnerable to hackers, the agency warned.

"OT has become increasingly intertwined with IT in recent years," the agency said. "This offers attackers more opportunities to gain access to an OT network via compromised IT systems, increases the attack surface and offers attackers more opportunities to compromise other operational systems."

The agency said that the proliferation of cybercrime-as-a-service models could make it easier for hackers, including ransomware operators, to adopt more wiper malware variants such as Industroyer2 and Pipedream to target OT networks in the Netherlands.

Such a scenario would be challenging to the nation as it lacks adequate insight into the risks posed by hackers. The problem could be compounded by the unwillingness of insurers to cover cyber incidents.

"Cybersecurity insurance in the Netherlands is limited in size and is in its infancy," the agency said. "Exclusion from the damage of many types of cyber incidents can ultimately lead to financially healthy organizations succumbing to the damage they suffer from cyber incidents."

To reduce risk, the agency urged organizations to improve digital resilience through network segmentation and perform vulnerability management as recommended in the Dutch Cyber Security Strategy 2022-2028, and in the proposed European Cyber Resilience Act.