Speakers

Jasper Nagtegaal is the Director of the Digital Resilience Department within the Dutch Authority for Digital Infrastructure (RDI). He studied Law and Governance at the University of Groningen. In recent years, Jasper has worked as a management team member and project manager at the RDI, responsible for establishing supervision in the field of digital regulation.

Previously, Jasper worked at a regional safety authority and before that as a legal advisor and legal controller. He began his career as a consultant and researcher at the legal and public administration consultancy Pro Facto, where he conducted various studies for the WODC and Audit Offices.

Within and beyond the RDI, Jasper oversees supervision in the areas of Telecom and NIS(2) legislation, eIDAS regulation, and the Digital Government Act, as well as safeguarding the European Cybersecurity Certification framework.

Michel van Eeten is a Professor of Cybersecurity at TU Delft. He researches the interplay between technical choices and economic incentives in cybersecurity. His team analyzes large-scale datasets on vulnerabilities and incidents in IT infrastructure to understand how market players manage security risks. Based on their findings, they have advised various ministries, the European Commission, the International Telecommunication Union, and the OECD.

Session: From Sprawl to Resilience: Connecting IT and OT in Organizations
All sectors are going digital. As a result, many people within companies and governments have suddenly become de facto IT administrators—even though it’s not in their job description and they weren’t trained for it. You could call it uncontrolled growth or digital transformation. Our standard IT governance is under strain in this new reality.

IT and OT (IACS) are becoming increasingly similar from a technical perspective, yet they remain separate worlds organizationally. How do we bridge that gap? If everyone has become an IT administrator, who is ultimately responsible?

Through a few practical examples, we will explore ways to strengthen the resilience of public and private organizations in the wake of digital transformation.

Irene Rompa studied psychology at Vrije Universiteit Amsterdam. Her passion for sustainability took her to the United States after graduating in 2011, where she led the international expansion of the Dutch company Dopper from San Francisco. After returning to the Netherlands in 2015, she held various roles in the Dutch tech ecosystem, including leading accelerators, facilitating the international expansion of Dutch startups, and organizing major innovation events. Until the end of 2022, she was Head of Communications at Quantum Delta NL, a public-private partnership scaling up the Dutch quantum technology ecosystem. In 2023, she returned to psychology. Irene is a mediator and volunteers at the OLVG West hospital in Amsterdam, alongside her work as a conference moderator.

Ruud has been active in industrial automation for over 25 years across various sectors. Since 2001, he has been involved in initiatives to enhance the resilience of the industry. His motto is: "Security is collaboration." In this session, he shares his experiences with industrial risks and pragmatic approaches to addressing them. A short impression can be found via #OTsecurityJourney.

Session: The biggest security risk for the industry is false security. "This isn't my responsibility, is it?"
What can we learn from companies with experience in critical infrastructure? What have they fundamentally changed to get their cybersecurity in order for their industrial systems? Recent research has been conducted on how commercial industry companies are preparing for NIS2, and what the key factors are in why it sometimes succeeds and sometimes doesn't. During the presentation, you will receive guidance on what to pay attention to, how effective risk management and measures should look, and how you, as an organization, can avoid false security.

Sebastiaan has been working for Rijkswaterstaat since 2019. Initially as a security architect and since 2023 as a Senior Cybersecurity Advisor for both IT and OT. Prior to that, Sebastiaan spent over 10 years working as an IT Project Manager and Information Security Manager for a drinking water company, gaining extensive experience with critical infrastructure. In addition to his advisory role, Sebastiaan leads the ATHENA project, an EU project co-financed by the European Union. In a consortium with various partners from different EU countries, training modules are being developed for people working with critical infrastructure in the water sector. The development of these training modules is scientifically based, and through this, we are also generating knowledge in the field of learning with innovative technologies in the world of cybersecurity.

Session: ATHENA - Cyber resilience through engineer focused training
The ATHENA project is part of the Digital Europe Programme and is aimed at developing training modules for OT (Operational Technology) personnel in the water sector, as well as raising risk awareness. Its goal is to better protect critical infrastructure in the water sector against cyber threats. In the presentation, Sebastiaan will guide you through the development of ATHENA and how OT personnel can apply better risk management.

An experienced IT/OT security professional with a proven track record in various roles such as Principal OT Security Consultant, CISO, and Global IT/OT Security Manager. Specializing in leading OT security improvement initiatives, designing robust OT security architectures, and developing and implementing ISMS (Information Security Management Systems) in various industrial environments.

Session: Risk Management in OT: Control the Threats, Protect the Operation
This presentation covers risk assessment methodologies applied to different OT environments. We will examine how high-level, detailed, and security-focused risk assessments are implemented and how tools such as bowtie, threat modeling, and security levels can be utilized. Additionally, we will discuss the value of ISO-27001 and IEC-62443 certifications as benchmarks for cybersecurity in industrial systems, and how they help minimize threats and ensure operational continuity.

Marijn van Schoote studied Computer Engineering and Business Information Technology in Twente. He started his career at Deloitte and is now the Managing Director of FERM and a pioneer working with major port operators to further develop and implement FERM’s strong foundation in other seaports. Additionally, he serves as the CISO for the Port of Rotterdam.

Session: The National Seaports: Together on Course to Strengthen Digital Resilience
The Port of Rotterdam, along with other major Dutch seaports, forms a crucial link in the Dutch economy. Not only does the unavailability of critical port processes harm our national economy and security, but it also affects many countries within the European Union (EU) that depend on our ports. With the increasing digitalization of the ports, it is essential to protect the digital infrastructure against threats, including cybercrime, ransomware, and cyberattacks with a geopolitical background. The consequences of cyber incidents in the port can be significant: financial damage, disruption of the transport of essential goods, halt of energy transport, and even severe accidents involving chemicals. Since 2016, the Port of Rotterdam has taken the lead in raising awareness about cybersecurity within the Port Industrial Complex through the Port Cyber Resilience Program (FERM) in collaboration with partners. Since 2021, FERM has been a non-profit foundation providing services to its participants. In this session, we will reflect on 10 years of cyber resilience in the Port of Rotterdam, share the lessons learned, and take you through how we aim to keep the Dutch seaports resilient in the future.

(IPCS is a member of the IACS coalition)
Marcel is a senior cybersecurity specialist with more than 35 years of experience in operational technology (OT). Throughout his career, he has held various roles, from operational to C-level, in vital sectors such as oil & gas, defense, drinking water and wastewater treatment, process industry, and food industry. With his experience, Marcel brings creativity, structure, and innovation to help organizations become more resilient to digital incidents. He is the founder of Hudson Cybertec, vice-chairman/spokesperson of the Industrial Platform Cyber Security (IPCS), and currently serves as an advisor to various (international) organizations in both the private and public sectors.

Session: Making Public-Private Partnerships a Success
Cybersecurity in the industrial sector is complex and unique. The impact of OT system failures is enormous, and recovery processes are often lengthy. To minimize digital incidents and stay one step ahead of cybercriminals, sharing knowledge and experiences, as well as collaboration within the sector, is crucial.

This need was recognized by stakeholders and specialists, leading to the establishment of the Industrial Platform Cyber Security (IPCS) in 2014. IPCS is an active community of professionals with a common goal: to strengthen the cybersecurity of industrial automation and control systems to enhance the safety of our critical infrastructure. Knowledge sharing and collaboration are at the core of the platform. The community has grown to include more than 40 experts with a proven track record in OT cybersecurity. They meet at least twice a year during inspiring events. Additionally, there are various working groups that meet regularly and stay in contact through the platform.

(IPCS is a member of the IACS coalition)
Johan Assies has been active in the IT and OT sectors since 1997. For over 23 years, he worked at a manufacturing company, where he eventually took responsibility for both the IT and OT environments. In this role, OT security became increasingly important. Since 2021, Johan has been working as an OT Security Consultant at Routz, where he supports various clients daily with a wide range of OT security issues. His client base includes both the critical sector and industry. Additionally, he is an expert on the IEC 62443 standard, an international standard for OT security. Johan joined the IPCS shortly after its establishment in 2015 and has been the chairman of the platform since 2018.

Session: Making Public-Private Partnerships a Success
Cybersecurity in the industrial sector is complex and unique. The impact of OT system failures is enormous, and recovery processes are often lengthy. To minimize digital incidents and stay one step ahead of cybercriminals, sharing knowledge and experiences, as well as collaboration within the sector, is crucial.

This need was recognized by stakeholders and specialists, leading to the establishment of the Industrial Platform Cyber Security (IPCS) in 2014. IPCS is an active community of professionals with a common goal: to strengthen the cybersecurity of industrial automation and control systems to enhance the safety of our critical infrastructure. Knowledge sharing and collaboration are at the core of the platform. The community has grown to include more than 40 experts with a proven track record in OT cybersecurity. They meet at least twice a year during inspiring events. Additionally, there are various working groups that meet regularly and stay in contact through the platform.

Ingrid Romijn is the CEO and one of the co-founders of Q*Bird, a startup founded in 2022 from QuTech with a mission to provide quantum networking equipment for the current and future quantum internet. She holds a PhD in physics and is passionate about using technology to solve real societal challenges. Ingrid has previously worked at TU Delft and QuTech as program manager and division coordinator of the quantum internet division. Prior to that, she was a researcher, project lead, and program manager in solar (PV) technology at TNO.

In 2019, Ingrid was part of the team in creating and writing the Dutch National Agenda for Quantum Technology. From 2020 to 2022, she worked for the Quantum Delta Foundation as program manager to help shape the National Quantum Network (CAT-2) program.

As a member of the Steering Board for Women in Quantum Development (WIQD), Ingrid strives to create an inclusive and diverse ecosystem for quantum technology in the Netherlands.

Session: Protecting critical infrastructure against the quantum threat
In our increasingly digitally connected world, protecting our data communication and digital infrastructure is more important than ever. But how can we leverage quantum technology for this purpose? Quantum Security sounds like a trendy and modern term, but for many, it remains something abstract. What does it actually entail? What are the latest developments? Should we be worried? And most importantly: how can we prepare for this technology of the future? Ingrid Romijn, co-founder and CEO of Q*Bird, helps answer these questions. Q*Bird is an innovative tech company based in Delft that focuses on super-secure communication, grounded in the laws of nature. With their current technology, they protect digital infrastructure, and in the future, they aim to build quantum networks using the same techniques, connecting quantum computers and sensors.

With a background in electronics and control systems engineering, he has been working with operational technology since 1997. Since 2006, during the early years, he has focused on OT Cybersecurity, with most of his years spent working on various projects internally at Shell. Later, he worked for Batenburg Magion, where he was active with different clients in electricity generation, petrochemicals, pharmaceuticals, food industry, drinking water, and maritime sectors.

Session: Lessons learned from years of experience in cybersecurity in operational environments
IT professionals and OT professionals don’t always understand each other, but they are crucial to each other’s success. Through specific examples, the differences between IT and OT are explained, and instances are shown where IT has underestimated OT or vice versa. Additionally, OT security often has a physical safety component that must not be overlooked.

Joseph's passion for information security is the central theme of his academic and professional career. As a mathematics student, he sought out specific courses in this field and chose a related topic for his master's thesis. After working in other IT sectors, he joined Siemens' security practice in 2001. Since 2011, he has been working at NS (Nederlandse Spoorwegen). Currently, he serves as the manager of Cyber Governance within the NS Cybersecurity department, focusing on collaboration in cybersecurity within the railway sector, the implementation of the NIS Directive, and the organization's approach to cybersecurity. Joseph is the chairman of the Dutch Rail ISAC and the CER Expert Group on Cyber Security.

Session: Rail Cybersecurity: Lessons Learned in the International Railway Chain
In the railway sector, we are currently making significant strides in cybersecurity. At the European level, real progress is being made in standardization to create an open market and make international connections easier. This is not being done from the top down, but through strong collaboration between carriers, infrastructure managers, and suppliers. We are using our lessons learned to create a safer, more effective, and efficient railway system in the coming years. On a technical level, we have made significant advancements by introducing a security appliance on the train. This has given us better control over the train’s network, enabling us to detect incidents faster and respond more effectively.

Technology and security at the intersection of IT/OT have been two key themes throughout Erwin's career. His education in Electrical Engineering (HTS) and later a master's degree in Security in Information Technology reflect this. After more than 15 years working at a network operator as a security manager, officer, and architect, focusing on areas such as smart meters, data centers, ICS/SCADA, and the OT SOC, he joined NS in 2022 as Security Officer for Train Digitization. In this role, he works on the security of systems on and around the train. His focus is not only on the technology itself but also on the processes required to effectively implement that technology. He actively shares this knowledge in European working groups and at conferences like this one.

Session: Rail Cybersecurity: Lessons Learned in the International Railway Chain
In the railway sector, we are currently making significant strides in cybersecurity. At the European level, real progress is being made in standardization to create an open market and make international connections easier. This is not being done from the top down, but through strong collaboration between carriers, infrastructure managers, and suppliers. We are using our lessons learned to create a safer, more effective, and efficient railway system in the coming years. On a technical level, we have made significant advancements by introducing a security appliance on the train. This has given us better control over the train’s network, enabling us to detect incidents faster and respond more effectively.

In 2024, Emma Plak obtained her Master's degree in Global Criminology from Utrecht University. Her thesis, titled Threats to Operational Security: Protect or Neglect, is a qualitative study on digital security and responsibility within the industry. From a global criminology perspective, Emma Plak bridges the gap between people and technology, uncovering cybersecurity vulnerabilities. Since December 2024, Emma has been working as a Digital Security Advisor at the Dutch State Supervision of Mines. During her session with Ruud Welschen, she will speak from her former role at Siemens.

Session: The biggest security risk for the industry is false security. "This isn't my responsibility, is it?"
What can we learn from companies with experience in critical infrastructure? What have they fundamentally changed to get their cybersecurity in order for their industrial systems? Recent research has been conducted on how commercial industry companies are preparing for NIS2, and what the key factors are in why it sometimes succeeds and sometimes doesn't. During the presentation, you will receive guidance on what to pay attention to, how effective risk management and measures should look, and how you, as an organization, can avoid false security.

Jens Cordt studied computer science and started to work at BSI in 2007. Since 2012 he is working in the department for industrial automation and control systems. His major tasks are collect best practices for OT security and raise awareness on this topic. One special focus beside vulnerability management is security for safety.

Session: Exploring the BSI ecosystem focusing on network monitoring and vulnerability management
The presentation will give a brief overview of the BSI's international cooperation in the field of OT security. The focus will be on the presentation and activities relating to the Common Security Advisory Framework (CSAF) and the monitoring of OT networks using the open source tool MALCOLM. CSAF enables the automated procurement and processing of security advisories. It is therefore a basis for greater automation of vulnerability management, with MALCOLM being the most important tool. MALCOLM is primarily intended for SMEs to set up cost-effective network monitoring.