On Monday, 3 November, the Government-wide Cyber Exercise was held. During the simulation, the fictional municipality of Otterwijk faced challenges in its IT and operational technology (OT) systems.
A cyberattack has struck. Traffic lights are malfunctioning, causing chaos on the streets. At the town hall, critical systems, including civil affairs, social services, and the municipal website, are offline. The municipal crisis team must now convene. How to respond?
Practising together, sharing dilemmas
This year, the exercise concentrates on recovery, operational technology systems, and chain dependencies. To enhance realism and engagement, a dedicated green room was set up. In this space, 8 teams from municipalities, provinces, safety regions, customs, and other organisations practised on-site with the central table. The aim is to practice together, share dilemmas, and learn from one another. This matters now more than ever. The current threat landscape is growing increasingly severe due to geopolitical tensions, and as government processes become more interconnected, even a minor error in one area can have significant consequences for partners in the chain. That’s why collaboration and mutual support are essential.
About the Government-wide Cyber Exercise
Government must lead by example
Director CIO Rijk Art de Blaauw signals the start of the exercise by stating, “Digital resilience is a shared responsibility. The government has a social duty to lead by example, both in digital resilience and in securely managing citizens’ data.”
Practice is crucial for resilience, says De Blaauw. “There is no such thing as 100% security, so we must learn how to respond when things go wrong. During a cyber crisis, the urgency and time pressure are high. Additionally, you must deal with threats and negative effects. That is why it is important to practise regularly. It’s encouraging that 120 organisations ran the same scenario within their respective entities prior to the Government-wide Cyber Exercise.”
Caribbean Netherlands
Exercises were also conducted in the Caribbean Netherlands, as stated by Remco Jorna, the CISO of the National Office for the Caribbean Netherlands (RCN). The Caribbean-specific exercise was tailored to the local context. For instance, roles were continuously swapped during the exercise. It is essential to be proficient in multiple roles, Jorna explains: “In such a small community, not everyone is always available.” Following the principle of ‘1 Mission, 1 Kingdom’, we are all working together to enhance security and resilience within the Kingdom and society.
Caribbean Cyber webinars
Bob method
After the opening, the central crisis team and the teams in the green room began working in three rounds led by Aart Jochem. Several systems appear to have been affected: what exactly went wrong in IT and OT? And how will the issues develop? Can further escalation be anticipated? Or can the team already start working towards stabilisation and system recovery?
Using a disciplined approach known in the Netherlands as the BOB method (a model for structured crisis response, with BOB short for assessment, judgement, decision-making), the teams navigated (dis)information, supplier issues, corrupt backups, and ransom demands. They established clear communication, found alternatives for disrupted processes, and ensured citizens received personal support.
Building greater digital resilience together
Becoming more resilient is something you do together, as once again demonstrated during the exercise. Chairman Jochem was pleased with his team of professionals from all levels of government. The Information Security Service of the Association of Netherlands Municipalities participated and actively supported the crisis response throughout, which is part of its remit.
The team also received advice from Jasper Nagtegaal of the Government Digital Infrastructure Service: What obligations does the new Cybersecurity Act (the national implementation law of the NIS2 Directive, known in Dutch as Cyberbeveiligingswet, or Cbw) impose, and what guidance is offered for the crisis management team?
The police were also on standby: What can they do if you report a cyberattack? Barend Frans will cover this and more in his webinar on Tuesday, 18 October (Dutch).
