Why railways are an engineering marvel but a cybersecurity nightmare

“That longevity is an engineering marvel, but a cybersecurity nightmare. We are grafting modern identity controls, network segmentation, and zero trust models onto steel-and-silicon systems designed in an analog era. And they don’t always cooperate.” 

From levers and lanterns to AI and automation, the evolution of railway security holds a powerful message about trust and transformation. 

We asked Black Hat MEA 2025 speaker Dimitri Van Zantvliet (CISO at Dutch Railways) what it means to secure critical infrastructure in a realm where operational technology meets digital complexity. 

He shared sharp insights on the threats that keep security leaders alert in 2025, and reflected on what cybersecurity really protects: not just systems, but society itself.

In the context of railways, how has the concept of security evolved from 19^th century mechanical safeguards, to today's digitally controlled systems? 

“In the 19th century, security was mechanical, physical, and rooted in visibility – bolts, levers, locks, and the human eye. A signalman controlled points with iron rods; a watchman inspected carriages with a lantern. There was no firewall but vigilance.

“Fast-forward to today, and security is digital, distributed, and paradoxically invisible. Software defines the system; trust is now rooted in cryptography, not cast iron. 

“But what hasn’t changed is the principle: safe passage depends on trust in the system – and the people behind it. We still rely on fail-safe thinking, layered defenses, and the discipline of process. Only now, a misconfigured firewall can cause more disruption than a broken shunt ever could.”

What are the threats that keep you up at night in 2025? 

“Let’s be clear: I sleep well. Short, but well. Worry is a poor strategist – preparation is better. That said, we face real and persistent challenges as a sector. Chief among them is the burden of legacy, not just in IT, but deeply embedded in our operational technology. Systems built decades ago, never meant to be connected, now sit exposed in a connected world.

“Three things give me pause:

• Cascading cyber-physical failure. A cyberattack disabling digital systems that control physical infrastructure (trains, signals, power) is no longer theoretical. It’s our daily threat model.
• Complacency. The belief that ‘we’re too boring to be hacked’ or ‘it’s never happened before’ breeds underinvestment and fragile confidence.
• AI misuse. We now have autonomous agents and generative tools writing code faster than people can validate it – welcome to the era of vibe coding. A line of AI-generated logic can now silently bypass controls or misconfigure access in ways no one notices; until a train doesn’t stop or a signal fails silently. Worse still, when something goes wrong, we often don't know whether to blame the developer, the AI, or the vibe.

“The more powerful and complex our systems become, the more fragile they can get – unless we design them with resilience, not just efficiency, in mind. In rail, we call that defensive acceleration.”

What are the unique challenges you face as a CISO in a sector where operational technology meets traditional IT systems; and does AI offer any new solutions to those challenges? 

“Railways are built to last. Trains ride on tracks for 50 years. Operational systems are maintained for decades – often longer than the people who installed them remain in the workforce. 

“That longevity is an engineering marvel, but a cybersecurity nightmare. We are grafting modern identity controls, network segmentation, and zero trust models onto steel-and-silicon systems designed in an analog era. And they don’t always cooperate.

“What keeps me alert is the creeping fragility of connected systems. AI-generated automation is accelerating. Agents now write code, tune firewalls, and respond to incidents faster than any human can track – yet often without oversight or context. 

“In theory, AI helps reduce human error. In practice, it introduces autonomous unpredictability. So yes, AI offers solutions; but only if we govern it with the same care and rigour we apply to braking systems.” 

What's one thing you wish everyone knew about the role of cybersecurity in critical infrastructure? 

“Cybersecurity isn’t about IT. It’s about continuity, trust, and national resilience. When we protect critical infrastructure, we’re defending the systems that keep society functioning.

“In rail, that means ensuring millions of passengers get home safely, freight moves across borders, and emergency services arrive on time. Cyber is the nervous system of modern infrastructure. And just like in biology, when the nervous system fails, everything else quickly follows. What I wish more people understood is: this is not a tech issue. It’s a public safety issue.” 

And finally, if you could go back to the beginning of your career and tell yourself one thing you wish you'd known then...what would it be? 

“I’d probably say: “Stick to playing guitar – and follow those lessons more strictly.” Not because I regret the path I’ve taken, but because consistency, patience, and listening are skills that matter just as much in music as in leadership.

“More seriously, I’d remind myself that technical depth is important, but context, trust, and timing turn expertise into real-world impact. That leadership is not about control, but about creating the conditions for others to thrive. And that the loudest person in the room is rarely the wisest.

“Lastly, I would tell myself never to underestimate the value of the people around you. I’ve been incredibly fortunate to be surrounded by brilliant, kind, and courageous people; mentors, colleagues, challengers, and friends; who helped shape not just my career, but my character. For them, I’m deeply grateful.” 

Thanks to Dimitri Van Zantvliet at Nederlandse Spoorwegen. Want to learn directly from the leading minds in cybersecurity? Register now to attend Black Hat MEA 2025.