The information security of cyber-physical systems, often referred to as operational technology (OT), is a growing concern not only for companies that use OT in their daily activities but also for society in general. The impact of cyber incidents on companies often takes on new dimensions when availability is critical, as is commonly the case with OT, which was well illustrated in the 2017 case of shipping company Maersk. The same incident also had a societal aspect, leaving many people in Kiev stranded as public transport, the airport and petrol stations were impacted. For companies such as the Nederlandse Spoorwegen (NS), where OT contains a physical safety component, the impact on society and the company can be even greater. The safety of our passengers is paramount; therefore we must ask ourselves whether OT systems are compromising our safety levels.
Within this context, the NS has been working on maturing information security for OT, specifically for rolling stock (train) cyber security. Due to new developments, such as the introduction of the European train management system (ERTMS) and the NIS directive, the need to address OT security is continually increasing within a high-impact area. This growing need presents new challenges for the NS information security team. While most of the team members are experienced information security professionals, their experience in the OT domain is still limited. As a result, they have to mature information security for the OT domain while exploring and mastering this new domain.
This presentation will describe the differences between information security for IT and information security for OT. These stem not only from differences in the specific information assets to be addressed but, more importantly, from differences in culture, the background of decision makers, and governance. Nevertheless, there are more similarities than differences. Making optimal use of the similarities while respecting the differences is the key to success.
These topics will be addressed in a lively duo presentation in which one presenter will argue that information security for OT is just like information security for IT and the other presenter will argue for the opposite. Towards the end of the presentation the audience will be invited to join this discussion.


time: 12:20
