What is Critical Infrastructure?
Critical infrastructure (sometimes also called vital infrastructure) consists of systems and processes that are essential to the functioning of society. Examples include energy, drinking water, transport, telecoms, finance and healthcare.
Failure or disruption of critical infrastructure can lead to societal disruption, economic damage and risks to public health or safety.
🧠 Examples of critical infrastructure
- Energy: electricity grids, gas distribution, nuclear power plants
- Water: drinking water production, sewage pumping stations, dyke monitoring
- Transport & logistics: rail, air traffic, ports
- Communication: telecoms, internet exchanges, data centres
- Finance: banks, payment systems
- Healthcare: hospitals, laboratories
- Government: defence, police, disaster coordination
🔐 Cybersecurity in critical infrastructure
Owing to increasing digitalisation, vital sectors depend on Operational Technology (OT) and connected systems, which means cyber threats can have a direct impact.
Example risks:
- Ransomware on SCADA systems
- Sabotage of PLCs or RTUs via insecure Remote Access
- Supply chain risk via weak third parties
- Manipulation of measurement data or process values
🏛️ Rules & obligations (NL/EU)
| Legislation / framework | Relevance |
|---|---|
| NIS2 | EU legislation on the security of network and information systems |
| Cybersecurity Act | Dutch implementation of NIS/NIS2 |
| IEC 62443 | Standard for the security of industrial systems |
| ISO 27001 | Information security ISMS, also relevant to vital sector parties |
| BIO | Standards framework for Dutch government and vital sectors |
In the Netherlands, the National Cyber Security Centre (NCSC) oversees the security of vital infrastructure.
🧰 Key security measures
| Measure | Application |
|---|---|
| Network segmentation | Separation of OT and IT networks |
| Defense in Depth | Layered security (physical, network, application) |
| Patch management | Structurally addressing vulnerabilities |
| Security Monitoring | Detection of anomalies and incidents |
| Access Control / RBAC | Restricting access rights |
| Incident Response Plan | Being prepared for cyber incidents |
| Backup & Disaster Recovery | Recovery after outages or attacks |
| Supply Chain Management | Setting requirements for suppliers |
🔎 Critical vs. non-critical infrastructure
| Aspect | Critical infrastructure | Non-critical |
|---|---|---|
| Impact of failure | Major societal consequences | Limited or local |
| Compliance requirements | Strict (e.g. NIS2, IEC 62443) | Less strict or voluntary |
| Availability requirements | Very high (24/7, redundancy required) | Depending on business requirements |
| Cyber threat | Target for state actors or APTs | More general threats |
📌 In summary
Critical infrastructure is essential to the functioning of our society and demands special attention to Cybersecurity, availability and Compliance. Because of the convergence between IT and OT, these systems are vulnerable to digital attacks with major consequences.