Executive Summary
The Cybersecuritybeeld Nederland 2025 (CSBN 2025) from the Dutch National Coordinator for Counterterrorism and Security marks a watershed moment for operational technology security: the Netherlands experienced its first documented case of deliberate cyber-sabotage targeting a digital control system. This milestone, combined with sophisticated ransomware attacks halting industrial production for weeks and state-backed actors manipulating water infrastructure across Europe, signals that OT and industrial control systems are no longer theoretical targets—they are active battlegrounds.
For CISOs, plant managers, and executives overseeing critical infrastructure, this report provides evidence-based validation that cyber risk quantification and management for OT environments has become a business-critical imperative, not merely an IT concern.
Source: Cybersecuritybeeld Nederland 2025, Dutch NCTV
Key Statistics: OT and ICS Under Fire
- Critical Infrastructure Incidents
1. First Deliberate OT Sabotage in the Netherlands
Dutch intelligence services (AIVD/MIVD) confirmed that in 2024, a Russian state-backed group executed intentional cyber-sabotage against the digital control system of a Dutch public facility. This represents the first documented deliberate attack on control systems in the country, establishing a clear precedent that OT environments are considered legitimate targets by nation-state actors.
Source: CSBN 2025, Dutch MIVD
- International OT Attack Evidence
1. Water Infrastructure Manipulation (Denmark)
Pro-Russian hackers attacked a Danish water treatment facility, deliberately increasing water pressure through control system access. The attack left customers without water for several hours after a pipe burst due to the pressure manipulation.
Attackers gained access to remote control systems at a Norwegian dam in Bremanger, opening a valve and releasing millions of liters of water over approximately four hours. The incident demonstrated direct manipulation of industrial process parameters via compromised SCADA systems.
Source: CSBN 2025, Danish and Norwegian incidents
- Production-Halting Ransomware
1. Jaguar Land Rover (JLR)
Following a cyberattack, JLR proactively shut down IT systems, halting production for weeks. Employees were instructed to stay home, and the company later confirmed data compromise. The incident exemplifies how cyber events translate directly into business interruption costs and supply chain disruption.
2. German Pharmaceutical Wholesaler (AEP)
Ransomware encrypted critical systems at AEP, which serves over 6,000 pharmacies. External connections were severed, preventing customer orders and limiting pharmaceutical supply chains. The company became largely unreachable by phone or email during the incident.
3. UK Retail Sector (Co-op, M&S, Harrods)
The Scattered Spider group targeted multiple UK retailers with ransomware. Co-op experienced empty shelves and operational disruptions, with attackers stealing data from 6.5 million customers before encryption.
Source: CSBN 2025, ransomware case studies
- Edge Device Vulnerability Exploitation
70-80% of the European cloud market is controlled by US companies, creating concentration risk. The report emphasizes that edge devices—VPN gateways, firewalls, Citrix appliances, and routers—remain the primary entry points for attackers targeting OT networks.
Key Examples:
- Citrix NetScaler vulnerabilities exploited at Dutch Public Prosecution Service, forcing internet disconnection and disrupting the criminal justice chain
- Fortinet FortiManager critical vulnerability actively exploited worldwide; configuration files and hashed passwords stolen
- Chinese Salt Typhoon campaign compromised routers at smaller Dutch ISPs and hosting providers
Source: CSBN 2025, edge device threats
Industries at Highest Risk: Vital Sectors Under Siege
The CSBN 2025 explicitly identifies all vital sectors as attractive targets for both state-backed and criminal actors. For OT environments, the following sectors face the most significant exposure:
Energy & Utilities
- Transmission & distribution systems
- Renewable energy (wind, solar, BESS)
- Smart grid infrastructure
- Risk: Cascading failures, regional blackouts, equipment damage
Water Management
- Water treatment facilities
- Dams and flood control
- Wastewater systems
- Risk: Public health impacts, environmental damage, service disruption
Manufacturing
- Automotive production lines
- Pharmaceutical manufacturing
- Food and beverage processing
- Risk: Production halts, supply chain disruption, quality control compromise
Transportation & Logistics
- Port operations
- Rail systems
- Airport infrastructure
- Risk: Economic disruption, safety incidents, cargo delays
Telecommunications
The report devotes an entire chapter to telecom, noting that many vital sectors depend on telecom infrastructure with inadequate fallback options. A telecom outage in Luxembourg disabled 4G and 5G networks nationwide for over three hours, preventing emergency calls and online banking.
Source: CSBN 2025, vital sectors analysis
Top Recommendations for ICS/OT Security
Based on CSBN 2025's evidence-based analysis, industrial organizations should prioritize these OT-specific actions:
- Treat OT as Strategic National-Critical Infrastructure
State-backed groups have demonstrated willingness and capability to interfere with digital control systems in the Netherlands and across Europe. Organizations in vital sectors must align OT security with standards applied to other critical national infrastructure.
- Harden Edge Devices and IT/OT Boundaries
Given documented exploitation of VPNs, firewalls, and remote access systems:
- Implement secure configuration baselines for all edge devices
- Establish rapid patching programs (attackers exploit vulnerabilities within hours to days)
- Deploy network segmentation between IT and OT environments
- Enable comprehensive monitoring and logging of boundary devices
- Minimize remote access to plants; strictly control vendor access
- Integrate Supply Chain and SaaS Risks into Operational Resilience
Incidents at Blue Yonder, Cleo, Salesforce, and other providers demonstrate that organizations should:
- Maintain business-impact-oriented inventory of digital dependencies
- Include SaaS platforms, data transfer tools, and logistics systems in risk assessments
- Design contracts and architectures for fallback options or graceful degradation
Example: Blue Yonder ransomware affected 3,000+ customers including major manufacturers (Microsoft, Renault, Lenovo, P&G, Carlsberg) and Dutch retailers (Jumbo, Hema).
- Plan for Telecom and Cloud Provider Outages
- Develop business continuity plans explicitly covering telecom disruptions
- Consider local control capabilities for OT environments
- Design ability to operate in offline or degraded modes when connectivity to central systems is lost
- Test recovery procedures for major cloud or security provider outages
- Address Digital Dependencies at Board Level
The CSBN emphasizes that digital dependencies and concentration risk are governance issues, not merely technical topics. Industrial companies should:
- Conduct regular board-level assessments of strategic technology dependencies
- Evaluate risks of vendor lock-in and "digital monocultures"
- Consider diversification and fallback options rather than single-vendor strategies
Source: CSBN 2025, recommendations
The Role of Cyber Risk Quantification in Modern OT Security
CSBN 2025's findings validate what leading industrial organizations already recognize: qualitative risk assessments and compliance checklists are insufficient for managing OT cyber risk in 2025 and beyond.
Why Cyber Risk Quantification Matters for OT
The report's documented incidents demonstrate that cyber events translate directly into quantifiable business impacts:
- Business Interruption: JLR production halted for weeks; AEP unable to serve 6,000 pharmacies
- Equipment Damage: Danish water facility pipe burst from pressure manipulation
- Supply Chain Disruption: Blue Yonder attack affected payment and planning systems across customer base
- Regulatory Penalties: Vital sectors face compliance obligations across multiple frameworks
Cyber Risk Quantification and Management (CRQM) provides the methodology to translate these technical vulnerabilities into financial metrics that executives and boards can act upon.
Quantified Vulnerability Management (QVM): Addressing the Edge Device Crisis
CSBN 2025 emphasizes that attackers systematically target edge devices and exploit vulnerabilities "within hours to days" of public disclosure. Traditional vulnerability management approaches—prioritizing by CVSS score alone—leave organizations perpetually overwhelmed.
Quantified Vulnerability Management addresses this by:
- Calculating Value at Risk and Expected Financial Loss for each CVE
- Considering network topology, device role, and existing controls
- Prioritizing remediation based on actual financial exposure, not just theoretical severity
This approach directly responds to the CSBN's finding that organizations need more sophisticated methods to handle the volume and velocity of edge device vulnerabilities.
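The difference between ranking by severity and ranking by financial exposure can be shown with a small model. The following is an added example, not DeNexus code and not the DeRISK model: the formula (likelihood scaled by network position and controls, multiplied by outage cost), the `INTERNAL_REACHABILITY` factor, the `VULN-*` labels and every figure are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed factor: a host with no direct internet exposure is reached only
# after lateral movement, so its exploitation likelihood is scaled down.
INTERNAL_REACHABILITY = 0.2

@dataclass
class Finding:
    label: str                    # placeholder id, not a real CVE
    asset: str                    # device role
    cvss: float
    exploit_likelihood: float     # assumed annual probability if fully exposed
    internet_facing: bool         # network position (topology)
    control_effectiveness: float  # 0..1, share of attempts stopped by controls
    downtime_hours: float         # outage if the asset is compromised
    cost_per_hour: float          # business-interruption cost of that outage
    recovery_cost: float

    def value_at_risk(self) -> float:
        """Financial impact if the vulnerability is exploited."""
        return self.downtime_hours * self.cost_per_hour + self.recovery_cost

    def expected_loss(self) -> float:
        """Annual expected loss: adjusted likelihood times impact."""
        reach = 1.0 if self.internet_facing else INTERNAL_REACHABILITY
        p = self.exploit_likelihood * reach * (1.0 - self.control_effectiveness)
        return p * self.value_at_risk()

# Constructed sample findings (all figures invented for illustration).
FINDINGS = [
    Finding("VULN-A", "plant VPN gateway", 8.1, 0.5, True, 0.2, 72, 40_000, 200_000),
    Finding("VULN-B", "office print server", 9.8, 0.5, False, 0.5, 4, 500, 5_000),
    Finding("VULN-C", "engineering workstation", 7.5, 0.3, False, 0.5, 24, 40_000, 100_000),
]

def rank_by_cvss(findings):
    return [f.label for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_expected_loss(findings):
    return [f.label for f in sorted(findings, key=Finding.expected_loss, reverse=True)]

if __name__ == "__main__":
    print("CVSS order:         ", rank_by_cvss(FINDINGS))
    print("Expected-loss order:", rank_by_expected_loss(FINDINGS))
    for f in FINDINGS:
        print(f"{f.label}: impact {f.value_at_risk():,.0f}, "
              f"expected loss {f.expected_loss():,.0f}")
```

With these sample figures the highest-CVSS finding (the print server) drops to last place, while the internet-facing gateway in front of the plant moves to first.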
How DeRISK™ Supports CSBN 2025 Recommendations
DeNexus's DeRISK™ platform was purpose-built to address exactly the challenges highlighted in the CSBN 2025 report. Here's how the platform supports each critical recommendation:
- Treating OT as Strategic Infrastructure
DeRISK Capability: Industry-specific risk models for energy, manufacturing, water, and transportation sectors that quantify cyber risk in financial terms aligned with board-level decision-making.
CSBN Connection: Translates technical OT vulnerabilities into business metrics, enabling organizations to demonstrate why OT security deserves strategic investment priority.
- Edge Device and IT/OT Boundary Security
DeRISK Capability:
- Integration with leading OT security platforms (Nozomi Networks, Claroty, Tenable, Forescout)
- DeRISK Quantified Vulnerability Management (QVM) uses AI to map CVEs to financial impact
- Identifies vulnerabilities on edge devices and calculates dollars at risk considering network position and controls
CSBN Connection: Directly addresses the "hours to days" patching window by enabling risk-based prioritization of edge device vulnerabilities based on financial exposure, not just CVSS scores.
Source: DeRISK QVM product information
- Supply Chain and SaaS Risk Integration
DeRISK Capability:
- Portfolio-level risk modeling across facilities and dependencies
- Financial quantification of third-party risk exposure
CSBN Connection: Enables organizations to see the effect that their trusted service providers (third parties) would have on their risk profile.
- Continuity Planning for Systemic Outages
DeRISK Capability:
- DeRISK Project Simulator models "what-if" scenarios including patching of critical vulnerabilities, deploying new risk mitigation technologies, or improving cybersecurity maturity of a specific control
- Calculates business interruption costs, loss reduction, and mitigation ROI
CSBN Connection: Provides financial justification for ICS/OT cybersecurity investments (better incident response, etc.) by quantifying the costs of cybersecurity project scenarios.
Source: DeRISK platform overview
- Board-Level Governance of Digital Dependencies
DeRISK Capability:
- Executive-ready reports translating OT risk into financial metrics
- Peer comparison and industry benchmarking
- Insurance optimization module showing coverage gaps
CSBN Connection: Directly addresses the report's emphasis on board-level oversight by providing the quantified risk metrics executives need to make informed decisions about cybersecurity projects, buying down risk, and transferring risk to insurance coverage.
Real-World Validation
DeNexus clients have demonstrated the practical value of CRQM:
- Manufacturing clients quantified baseline cyber risk across US and European facilities, prioritizing mitigation strategies using OT network telemetry
- Renewable energy IPP with 6+ GW capacity transformed cyber risk into board-level KPIs across distributed wind and solar portfolio
- Organizations that use actual cybersecurity telemetry to support quantified risk models are able to reduce uncertainty by revealing the hidden risk that ICS/OT vulnerabilities pose to the business, sometimes 2-3X the original estimate because of how important ICS/OT systems are to the bottom line.
- Organizations with quantified risk models achieved 23% lower insurance premiums compared to those using qualitative assessments
Source: DeNexus case studies and insurance optimization research
Key Takeaways:
CSBN 2025 Critical Insights for OT Security Leaders
The Threat is Real and Present
- First deliberate OT sabotage in Netherlands (control system attack)
- Water infrastructure manipulated in Denmark and Norway (physical consequences)
- Production halted for weeks at major manufacturers (JLR, AEP)
Key Statistics
- Edge devices exploited within hours to days of CVE disclosure
- 70-80% of European cloud market concentrated in US providers
- Ransomware attacks directly disrupting industrial production and supply chains
Highest-Risk Sectors
- Energy & utilities (smart grid, T&D)
- Water treatment and management
- Manufacturing (automotive, pharma, food)
- Transportation & logistics
Top 5 OT Security Priorities
- Treat OT as strategic national-critical infrastructure
- Harden edge devices and IT/OT boundaries (rapid patching essential)
- Quantify supply chain and SaaS dependencies
- Plan for telecom and cloud outages (offline capabilities)
- Address digital dependencies at board level
CRQM Solution
- Quantify OT risk in financial terms for board decisions
- Prioritize vulnerabilities by dollars at risk (not just CVSS)
- Model business interruption scenarios before they occur
- Optimize cybersecurity investments and insurance coverage
Conclusion: From Threat Intelligence to Quantified Action
CSBN 2025 provides industrial organizations with clear, evidence-based validation: OT and ICS environments are active targets for sophisticated actors capable of causing physical disruption and business interruption. The report's strength lies in its documentation of real incidents—not hypothetical scenarios—affecting control systems, production lines, and critical infrastructure across Europe.
For CISOs and operational leaders, the path forward requires moving beyond qualitative risk assessments to cyber risk quantification that translates OT vulnerabilities into financial metrics. When you can quantify that a specific edge device vulnerability represents $2.3 million in business interruption risk, prioritization decisions become clear. When you can model the financial impact of a supplier compromise before it occurs, you can justify the investments needed for resilience.
The industrial organizations that will thrive in this threat environment are those that embrace quantified risk management, treating OT cybersecurity as what it truly is: a strategic business imperative with measurable financial consequences.
Take Action: Quantify Your OT Cyber Risk
The CSBN 2025 report makes clear that industrial organizations can no longer afford to manage OT security through qualitative assessments and compliance checklists. DeNexus DeRISK™ provides the evidence-based, financially quantified approach that today's threat landscape demands.
Learn how DeRISK™ can help your organization:
- Quantify OT cyber risk in financial terms executives understand
- Prioritize vulnerabilities based on actual business impact
- Model scenarios from CSBN 2025 (edge device compromise, supplier outages, ransomware)
- Optimize cybersecurity investments and insurance coverage
References and Sources
- Cybersecuritybeeld Nederland 2025 (CSBN 2025), Dutch National Coordinator for Counterterrorism and Security (NCTV): https://www.nctv.nl/documenten/2025/11/26/cybersecuritybeeld-nederland-2025
- NCTV English Information: https://english.nctv.nl/
- DeNexus DeRISK™ Cyber Risk Quantification Platform: https://www.denexus.io/products/derisk/cyber-risk-quantification-management
- DeRISK™ Quantified Vulnerability Management: https://www.denexus.io/products/derisk/derisk-quantified-vulnerability-management
- DeNexus Manufacturing Case Study: https://www.denexus.io/resources/success/quantifying-and-managin-cyber-risk-across-manufacturing-facilities
- DeNexus Use Cases (Insurance Optimization): https://www.denexus.io/use-cases
