Dutch critical infrastructure at risk despite high leadership confidence

Critical infrastructure exposed 

Recent investigations have unveiled alarming vulnerabilities in critical infrastructure in the Netherlands. An investigation by RTL News revealed that tens of thousands of traffic lights across the Netherlands are susceptible to remote hacking. This situation cannot be fully remedied until at least 2030. The vulnerability was discovered by 29-year-old ethical hacker Alwin Peppels, who found a way to manipulate traffic lights remotely through their connection systems with emergency services. 

“This is a dangerous vulnerability that exposes a fundamental problem in our digitised society – many of our systems were built in an era when the digital world wasn’t hostile,” said cyber security expert Dave Maasland at ESET in the RTL News report. “In these times of geopolitical unrest and tension, these systems suddenly surface. This time it’s traffic lights; next time, it could be a lock or dyke.” 

The rising number of attacks in the Netherlands calls for organisations across all sectors to examine their cyber security solutions and prioritise cyber security critically

The traffic light vulnerability exemplifies a broader issue within critical infrastructure security – one that KnowBe4 has extensively documented in its Global infrastructure report 2024. Martin Krämer, security awareness advocate at KnowBe4, emphasised the scale of the threat: “The Global infrastructure report 2024 paints a disturbing picture, with over 420 million attacks on critical infrastructure registered between January 2023 and January 2024 – averaging 13 attacks per second – a 30% increase from the previous year.” 

These findings align with Check Point Software Technologies’ latest statistics for the third quarter of 2024. According to Check Point’s research, Dutch organisations faced an average of 865 weekly cyber attacks – a staggering 69% increase. The healthcare sector proved particularly vulnerable, experiencing an average of 2,881 attacks weekly, followed by the consultancy sector, with 1,542 weekly attacks, and government/military institutions, with 1,000 attacks per organisation per week. 

The attack vectors are diverse. Check Point’s analysis revealed that 61% of all vulnerabilities in the Netherlands involve “information disclosure”, potentially exposing sensitive data to unauthorised users. Most malicious files (58%) are transmitted via web channels, while 42% arrive by email, demonstrating the multifaceted nature of these threats. 

KnowBe4’s research highlights a concerning trend – the increasing use of cyber attacks as a weapon by geopolitical adversaries such as Russia and China to cause societal disruption. “These cyber attacks are not just about gathering information but aim to gain control over systems to cause disruption,” said Krämer. “In light of these threats, it’s crucial that the Netherlands and other countries continue investing in digital innovation and its security.” 

When examining specific concerns, the contrast between leadership confidence and operational reality becomes even more pronounced. The Kyndryl report reveals that while 94% of Dutch executives prioritise technological modernisation, 54% of business-critical IT infrastructure is either outdated or approaching obsolescence, increasing vulnerability and creating modernisation obstacles. 

Beyond the previously mentioned cyber security concerns, Dutch business leaders face additional operational challenges. The skills gap presents a significant hurdle, with 67% of leaders worried about skill shortages, while just 37% believe their systems can effectively respond to this challenge. 

Building cyber resilience 

KnowBe4’s Krämer emphasises the need for a comprehensive approach. “Besides contributing to technical solutions, cultivating a strong security culture within organisations managing critical infrastructure plays a key role. Regular security training and awareness programmes can help increase resilience against cyber attacks,” he said.

Combining technological and human-focused security measures, this holistic approach is essential for improving overall cyber resilience and protecting critical infrastructure against evolving threats. 

Cultivating a strong security culture within organisations managing critical infrastructure plays a key role. Regular security training and awareness programmes can help increase resilience against cyber attacks

Organisations are taking steps to address these challenges, with the Kyndryl report highlighting that Dutch business leaders are focusing on three main areas: investing in employee training and development programmes (48%); upgrading IT infrastructure (40%); and strengthening regulatory compliance (33%). 

“The rising number of attacks in the Netherlands calls for organisations across all sectors to examine their cyber security solutions and prioritise cyber security critically,” warned Zahier Madhar, security engineer expert at Check Point. “The impact of a cyber attack can be incredibly far-reaching and causes more serious disruptions to daily operations than ever before.” 

As the Netherlands continues to grapple with these challenges, the gap between perceived security and actual vulnerability needs to be addressed urgently. The traffic light vulnerability, while concerning, represents just one of many potential weak points in the nation’s critical infrastructure. From water management systems and energy networks to transportation and healthcare, the increasing digitisation of vital services creates new attack surfaces for malicious actors.  

With cyber threats evolving and intensifying at an unprecedented rate – as evidenced by Check Point’s reporting of a 69% increase in attacks – the confidence of Dutch business leaders must be matched by concrete action to strengthen critical infrastructure security.