Sjoerd van Agtmael is working on a five-year contract with Rijkswaterstaat (RWS) because of his expertise in cybersecurity. As a key employee at FMI ImProvia, the Consultant Engineer ensures optimal digital security of infrastructure objects. “We also test the employees who work with the objects.”
Sjoerd, who works for the Smart Industry Solutions business unit, was seconded to ÆVO at the end of 2021. FMI ImProvia’s sister company had just won a tender from RWS. This involved the management and maintenance of tunnel technical installations. The specialist in smart bridges, tunnels, and locks was faced with outdated installations at both objects. “Therefore, we had to take a step forward on a technical level to further improve safety,” says Sjoerd about his work.
Crucial component
Cybersecurity is a crucial component of this. It requires a great deal of management due to the rapidly changing times and increasingly strict requirements and regulations. For example, Sjoerd and his team are identifying the weak(er) points. Part of that inventory is examining the cybersecurity requirements. Sjoerd: “The system must be configured in such a way that we have an excellent package that we can maintain. Rijkswaterstaat has a guideline for this, which is based on strict standards. But we also set the bar very high technically and organizationally in-house to be able to collaborate with Rijkswaterstaat securely.” This makes sense, because it concerns critical infrastructure. Failure or disruption of the object must be prevented at all costs. “If traffic is disrupted due to a malfunction, it causes traffic jams and generates unwanted publicity,” explains the Consultant Engineer.
Leading the Way
Aware of the need for good digital security, Rijkswaterstaat wants to be at the forefront of cybersecurity. “In the past, it wasn’t considered essential. Now the OT world (the industrial side of IT, ed.) recognizes that it’s necessary because industrial environments are being attacked. You hear that more and more often.” To verify the safety and effectiveness of the established procedures, ÆVO and RWS conduct an annual audit. Risk and impact analyses are also regularly performed to monitor system security. “Is the chain still secure, or has a technical adjustment created an unforeseen risk?” Essentially, it’s about mitigating those risks as much as possible, he says. “To do this, we discuss with RWS which risks we’ve identified. We want to technically safeguard them so that they no longer pose a risk. If the technology in the object doesn’t allow for this, we’ll address it procedurally.”
A Very Detailed Plan
ÆVO is developing a very detailed plan of technical and procedural measures for RWS to approve. This includes matters such as: how do you register people accessing the object, who has access when, and to which system? The plan also includes: the method of monitoring the objects, the connection to the object, and document and backup management. And: what is linked to what? “You really need to know what the landscape (the architecture of the object, ed.) looks like.” Regarding the cybersecurity of RWS objects, Sjoerd knows things are already well-organized. ÆVO goes beyond just the hardware. “We also test the awareness of the employees who work with the objects. For example, we send a fake phishing email a few times a year and hold a cybersecurity session at least once a year. We do this to raise awareness of the dangers surrounding cybersecurity. We want to keep people alert.”
Ultimately, it all comes down to risk management. If this is optimally implemented for both humans and machines, Sjoerd knows that infrastructure objects are maximally secured digitally.
