
From levers and lanterns to AI and automation, the evolution of railway security holds a powerful message about trust and transformation.
We asked Black Hat MEA 2025 speaker Dimitri Van Zantvliet (CISO at Dutch Railways) what it means to secure critical infrastructure in a realm where operational technology meets digital complexity.
He shared sharp insights on the threats that keep security leaders alert in 2025, and reflected on what cybersecurity really protects: not just systems, but society itself.
“In the 19th century, security was mechanical, physical, and rooted in visibility – bolts, levers, locks, and the human eye. A signalman controlled points with iron rods; a watchman inspected carriages with a lantern. There was no firewall but vigilance.
“Fast-forward to today, and security is digital, distributed, and paradoxically invisible. Software defines the system; trust is now rooted in cryptography, not cast iron.
“But what hasn’t changed is the principle: safe passage depends on trust in the system – and the people behind it. We still rely on fail-safe thinking, layered defenses, and the discipline of process. Only now, a misconfigured firewall can cause more disruption than a broken shunt ever could.”
“Let’s be clear: I sleep well. Short, but well. Worry is a poor strategist – preparation is better. That said, we face real and persistent challenges as a sector. Chief among them is the burden of legacy, not just in IT, but deeply embedded in our operational technology. Systems built decades ago, never meant to be connected, now sit exposed in a connected world.
“Three things give me pause:
“The more powerful and complex our systems become, the more fragile they can get – unless we design them with resilience, not just efficiency, in mind. In rail, we call that defensive acceleration.”
“Railways are built to last. Trains ride on tracks for 50 years. Operational systems are maintained for decades – often longer than the people who installed them remain in the workforce.
“That longevity is an engineering marvel, but a cybersecurity nightmare. We are grafting modern identity controls, network segmentation, and zero trust models onto steel-and-silicon systems designed in an analog era. And they don’t always cooperate.
“What keeps me alert is the creeping fragility of connected systems. AI-generated automation is accelerating. Agents now write code, tune firewalls, and respond to incidents faster than any human can track – yet often without oversight or context.
“In theory, AI helps reduce human error. In practice, it introduces autonomous unpredictability. So yes, AI offers solutions; but only if we govern it with the same care and rigour we apply to braking systems.”
“Cybersecurity isn’t about IT. It’s about continuity, trust, and national resilience. When we protect critical infrastructure, we’re defending the systems that keep society functioning.
“In rail, that means ensuring millions of passengers get home safely, freight moves across borders, and emergency services arrive on time. Cyber is the nervous system of modern infrastructure. And just like in biology, when the nervous system fails, everything else quickly follows. What I wish more people understood is: this is not a tech issue. It’s a public safety issue.”
“I’d probably say: ‘Stick to playing guitar – and follow those lessons more strictly.’ Not because I regret the path I’ve taken, but because consistency, patience, and listening are skills that matter just as much in music as in leadership.
“More seriously, I’d remind myself that technical depth is important, but context, trust, and timing turn expertise into real-world impact. That leadership is not about control, but about creating the conditions for others to thrive. And that the loudest person in the room is rarely the wisest.
“Lastly, I would tell myself never to underestimate the value of the people around you. I’ve been incredibly fortunate to be surrounded by brilliant, kind, and courageous people; mentors, colleagues, challengers, and friends; who helped shape not just my career, but my character. For them, I’m deeply grateful.”
Thanks to Dimitri Van Zantvliet at Nederlandse Spoorwegen. Want to learn directly from the leading minds in cybersecurity? Register now to attend Black Hat MEA 2025.