Risk Forecast: Windy

Show Notes

In this episode, Robby speaks with Jens Christian Vedersø, Head of Cyber Risk Management at Vestas, one of the world’s largest wind turbine manufacturers.

Jens is a former Navy and intelligence officer and recovering regulator. Before managing cyber risk in the renewable energy sector, Jens helped develop energy sector legislation and cyber preparedness at the Danish Energy Agency, and served as a subject matter expert for SCADA, OT, ICS and IoT at the Danish Center for Cyber Security.

In the discussion Jens shares his unique perspective on how security acts as both an enabler and a potential barrier in the transition towards renewable energy transition, and how the industry needs to move from a reactive, compliance-driven approach towards a more proactive, risk-based model. Jens also shares insights into the threat landscape, potential motivations of state actors, and how Vestas is working to quantify cyber risk and empower customers to better understand and control their own cyber risks.

Chapters

• 0:03: Renewable Energy Security Challenges
• 12:24: Empowering Customers to Control Security
• 17:52: Cybersecurity Risk Management in Energy
• 27:03: Avoiding Guessing and Lying in Security

Transcript

Speaker 1: 0:03

From our headquarters in Oslo, norway, and on behalf of our host, robbie Perelta, welcome to the Mnemonic Security Podcast. If you think about it, it's quite ironic that we need connectivity and all this digitalization in order to reap the benefits of renewable energy. Like the wind and water has been here forever. Why'd we have to start digging up oil in the first place? So I asked my LLM, who of course, came with a bunch of good reasons, but nonetheless it's ironic. Less ironic, however, is the tremendous progress that we've made in our ability to harness the power of wind. Apparently, the first windmills popped up in the year 700 and were used to pump water and grind grain into flour, and now they produce something called terawatt hours, which I'll just say is a lot of electricity, powering all sorts of things and advancing us towards our climate goals.

Speaker 1: 1:04

But there's always a bad guy in the story, and for this instance we'll simply refer to them as oil. Now think of a country with lots of oil who would want to turn off our electricity. Even my LLM couldn't lie and act like it knew how many digital components were in a modern windmill, but, as our next guest will tell us, it's a lot, and that opens up for well, a risk or two. Jens, welcome to the podcast. Thank you, rob. So I was like, okay, I have to say his name in English. I pronounced it in Norwegian and both of them are wrong because you're Danish, true.

Speaker 2: 1:44

That is true, but well that was enough, I guess.

Speaker 1: 1:47

How would you say it in Danish? Actually, I thought Jens.

Speaker 2: 1:49

Christian Bilsu, which it sounds awful in any language, so no worries.

Speaker 1: 1:55

Lovely to have you on the podcast. Not sure if you've been on it before.

Speaker 2: 1:58

We discussed coming on the podcast, but then I changed jobs, I guess.

Speaker 1: 2:02

You're hard to get, but now I have you. I'm glad to be here. For those of the listeners that don't know you very well, who's Jens Kistam?

Speaker 2: 2:09

Well, I'm the head of cyber risk management at Vestas, the wind turbine manufacturer Awesome, yeah, I have a background from doing legislation in the energy sector. I started that 10 years ago and then I've been around well working with OT security on the risk and governance aspects of it mostly.

Speaker 1: 2:31

So you're writing legislation and now you are having to conform to it.

Speaker 2: 2:37

You regret what you wrote. I just need to tell you I mean, it's just like, why did I write like that and why did it come up like that, and what did we actually mean when writing then that kind of thing but that's just how it is. I guess goes around comes around.

Speaker 1: 2:49

Yeah, because around comes around. Uh, at least you could look at yourself in the mirror. So, uh, I was doing some youtube, youtubing as one does, and I was.

Speaker 2: 2:58

Uh, I figured out that I think it was costa rica is the country that uses the most renewable energy norway, iceland, I think it was, uruguay and denmark, so you're in the top five there yeah, and we don't have any mountains, which is a huge advantage when you do renewables, because you just, oh, you just put on a hydro turbine and then you're just, you're good, because, well, look at las vegas, las vegas is at least used to be powered by one hydro dam, right, so in Denmark we don't really have much hydro.

Speaker 1: 3:30

So it's almost wind-powered. So that's a good way to start the episode. Like, what is the renewable energy these days? Because you have fossil fuels right, Coal, gas, oil. Then you have renewables and you have nuclear energy, but nobody likes nuclear anymore. So what does renewables mean?

Speaker 2: 3:45

Well, that's a good start for it, because renewables sometimes also means nuclear, at least if you're in France. But let's not go too much into that, don't turn this political right. But when we look into what the industry is today, solar and wind is the two most dominant ways of doing renewables, and the reason for that is that wave energy, thermophysical energy and that sort of thing is more complex to make and therefore wind is pretty much well, it is a component in the renewable transition, no matter how we put it. And if we look into like, what does that actually mean? Well, it means that we're going to at least triple the renewable production over the next what? 10, 15 years, just to follow the commitments that we made already.

Speaker 2: 4:35

I mean stated policies, right, because currently wind energy is a little less than 2% of the electricity production around the globe, but eventually it will turn into, in any given scenario, being a major component. So you might say that we're in a very lucrative situation as Vestas, as being a producer of wind turbines and a service provider of turbines, because I mean we got our business covered. But at the same time, competition is rising in the industry, which it should be I mean, of course it should be. So we're also looking into how do we compete and how do we present ourselves as the most well, the best option for a country that wants to fulfill their sustainable policies.

Speaker 1: 5:16

And security is a component to that. It's an enabler or a necessary component of it? I guess yeah.

Speaker 2: 5:21

Well, that's a good discussion, right? Because should we look at security as a potential barrier that we need to remove, or should we look at security as an enabler, as something that is a requirement for future use? And I don't think that we should look at it as something that we just need to get rid of, Because then that way we would just like off-grid all the wind turbines and just make them I mean, make them brown themselves, but that's really not an option, is it? We need to have this flexibility of the system as we put in more renewables, Because if we have a wind turbine, it's only well it produces when the wind blows right, so we need to be able to turn it off if there's too much electricity in the connected system. Therefore, we need connectivity. So I mean, you can't have renewable transition without digitalization and connectivity. That's just a fact.

Speaker 1: 6:07

You have wind, which I know Denmark is over 50% of your energy source. I believe Norway is probably more about water, knowing us and our mountains. So every country is a little bit different. But whether you're wind or solar or hydro, whatever the energy source within renewables I'll take nuclear out of that.

Speaker 2: 6:27

Are they the same Can?

Speaker 1: 6:28

you look at them from a security perspective, because, if you put this in a global context, are we using these sources to get off or reduce our dependence to Russia, or, besides saving the globe, there's some other factors involved, right?

Speaker 2: 6:42

Yeah, because you can always put this into like the moral context I say so. So what are what our grandparents gonna tell us that we didn't do right? And one of the things could be that we didn't do this transition transition into renewables and therefore they inherited an earth that is uninhabitable or with with heat waves and what have we. And I mean, that's a political discussion, let's keep it at that, but that might actually be a very valid political discussion. But if we look at it as what are the benefits of going transiting into renewables? You're absolutely right. Decentralizing production also means that we grow independent of Russia, of fossil fuels, for instance, and that's also why we, as investors, are very engaged in doing storage of electricity into hydrogen, so that we can actually penetrate markets which are normally fossil fuels, such as transportation or even aircraft I mean even flights, right and have them run on renewables. So there's lots of technology here. There are lots of developments here, lots of developments, and wind is going to be a component to it either way, and security has got to be an increasing demand from our customers, which are governments, which are state-owned companies all around the world.

Speaker 2: 7:59

And is there a difference between hydropower and wind? Sure, there is because a hydropower plant can maybe produce, let's say, half a gigawatt, which would resemble what Oslo consumes, something like it, right? So that's one power plant and therefore I mean there's a business case of just controlling that power plant by having some guy sitting there, right, whereas a wind turbine? It produces what? 10, 12, 15 megawatts. That's the same thing as maybe what 1,000 households, 3,000 households, right? So that's not a business case of having a man sitting in a wind turbine operating it. So we're just dependent on connectivity and digitalization.

Speaker 1: 8:40

Is wind and solar sort of the most dependent on?

Speaker 2: 8:42

that, yeah, I would say solar is the same right, because if there's an overproduction of wind-generated electricity or solar energy, you need to be able to turn it off. I mean, that's a need.

Speaker 1: 8:54

Is it fair to say that all of you renewables? Everybody in the gang. You're all struggling. One challenge for all of you is storing the energy. Right, you mentioned taking wind, turning it into hydrogen, which can store energy.

Speaker 2: 9:07

That's absolutely fair. Yeah, but I would say that connectivity and security as a result of that is also a challenge to all of us. Yeah, yeah.

Speaker 1: 9:16

I had a stupid question. But is it just so simple that you know a wind turbine, the wind blows, it turns, just like a hydro power plant just turns this and that produces energy?

Speaker 2: 9:26

It's more high-tech than hydro, I believe. Okay, and it is increasingly high-tech. As the wind turbine has become bigger and bigger, Then the margins for operating it right become smaller and smaller. Also because you want the wind turbine to produce to the maximum level for our wind speed. So, from a wind speed of, let's say, five meters per second onto like a wind speed of 18, 15 meters per second, you want the wind turbine to produce a maximum output. And that's really what the game is about to get the wind turbine to have a capacity at the highest level throughout all conditions. And, of course, you also need it to be able to protect itself, Because if you're having wind speed supply let's say hurricane speeds it needs to stall out into the wind and make sure to protect itself.

Speaker 1: 10:13

Yeah, so, and I'm assuming, like back to your point earlier, there's no person sitting there. So this is all going by some AI algorithm, right, that's like doing these things by itself, so it's almost like an autonomous system these days. Pretty much, pretty much, wow. So I'm just thinking about, like the threat landscape for a renewable company. I mean, you're producing these huge things, you have factories, I would assume I have no idea how you guys do it, but I would assume somebody has to produce these things and you have all the digitalized components of it. So there's a huge supply chain to secure, both digitally and physically, right absolutely, absolutely.

Speaker 2: 10:50

And that's why I mean that's a headache, of course. Of course it is also because I mean who can we trust if we take a digital component from uh, from one country? Is that trustworthy in use of critical infrastructure in another country? I mean, that's one of the discussions going on currently in the US, where Chinese developed components to the electricity grid is being banned, and that's, of course, a discussion going on, at least behind the doors or closed doors, in Europe as well. And from our perspective, it's all about having diversification of the supply chain so that when we bought the product together, we're in control of the digital components, we know how they operate and we don't have any optimized dependencies on components. But supply chain management is, of course, a major headache. Well, just look at CrowdStrike, the CrowdStrike incident. I mean, everybody felt it right there just a month ago, right.

Speaker 1: 11:46

I was in the mountains, away from all internet, so I was chilling.

Speaker 2: 11:50

But my condolences.

Speaker 1: 11:51

I was on a boat, so yeah, I didn't know that Cool Nice us too. So I mean we could like nerd out on these things, building questions about supply chain and everything, but you're going to speak at a security conference here, the Industrial Security Conference in Copenhagen. I assume it has something to do with security. What are you going to be talking about?

Speaker 2: 12:11

I'm going to talk about quantifying cyber risks, and when I say quantifying cyber risks, I mean actually putting factual numbers onto the risk exposure you have. We want the industry to mature. Currently, we're in a situation where the entire industry just produces what's just enough and just what the customer expects, and nothing more. And then the customer comes back like two or three years later saying, well, now how it all changed. Now Russia invaded Ukraine and we're afraid of our wind turbines in eastern Poland. And we can just tell them, well, you didn't buy for then. Today you have what you have. You've got nothing to do about it. We would like us to mature from that so that security grows into a moving target, a moving benchmark that we can collaborate with our customers around, so that when their national stakeholders, their legislators, come and tell them well, guys, you need to mature on this or you need to take care of this specific vulnerability or this specific threat, they actually have something to do so that risk control actually becomes their responsibility but also vulnerability of theirs.

Speaker 1: 13:21

That's efficient, is it? Because when you ship these turbines, they have so many components I can't even imagine how many digital things are in these. They have so many components, I can't even imagine how many digital things are in these. But you can't just go in there and switch all them out because, oh, by the way, now we're willing to pay Vestas a little extra for security, right? That's the issue.

Speaker 2: 13:37

Well, that's one of the issues, right, Because when a company or a nation buys a wind park, it comes with a business case, right? I mean, it's a huge investment. It's expensive equipment. It's supposed to be run for 25, 30 years. So there is no money to change all the digital components and there's no well, we don't have enough people to do it. So, even like five or 10 years ago, we went into a strategy to virtualize all the systems on the plants, so we could actually well just change the software or just change the image on the plants. But we want to mature from that being able to do that to actually take it onwards to having the customer being capable of controlling it. Because it's acid and maybe Sweden has one risk profile, one interpretation of the threat from Russia, and maybe Romania has another one and Israel has a third one, and they're all customers to us and we need to serve them differently according to their needs. So we're in a situation where we need to do that.

Speaker 1: 14:46

Yeah, it's a horrible metaphor, but I'm just thinking about like back in the day. You know, like you had a car, you had to update your car. You have to go to the dealership and get it updated, and then Tesla games and they push out their updates, just like you update your iPhone. And now you're trying to take it to the level where the customer itself has the power to control the security on their wind parks.

Speaker 2: 15:05

And then we need to define like the right metrics for it. Because should the customer just say I want to have this component, I want to have a new uh, let's say a new, a new sock, or I want to have a new uh connectivity, there is one to have new, I want to have a router update, or I want to pass this specific server or this specific application on there on the on the system. Well, we think we should do it differently. We should do it in in context of risk, because the customers of ours do not all know the components that we service to them like best. So we need to bring them into a position where they're capable of controlling the risk, and the way we do that is by describing the risk to them.

Speaker 2: 15:43

That way, we can also avoid telling all the vulnerabilities or weaknesses and component issues of the systems. And why would we want to do that? Well, we want to do that because if I sell a wind turbine to Iran and I sell a wind turbine to Israel, I don't want to have the situation where they're going to hack themselves just in order to be able to hack each other afterwards, right, and that happens, right? Well, I don't know, but I would imagine that any sound.

Speaker 2: 16:09

It happens with normal IT equipment, at least I mean, I would imagine that any sound intelligence service is trying to achieve those sort of upper hands right.

Speaker 1: 16:19

Of course, interesting. So when it comes to so, you're trying to quantify risk. That's the project you've been working with a long time, right, yeah? So how has that journey been Like? You have the threat landscape, landscape, you have the value of the asset. I'm assuming you've gone a little bit. Are you still using like excel sheets with like the you know, the normal green to red sort of thing, or how does that look?

Speaker 2: 16:42

well, if you can't comprehend it, you can't explain it. So, even though excel sounds like really stupid, some components just need to have an excel because you need to be able to show them, you need to make people are capable of controlling themselves. If I have a customer that runs like three turbines, he understands excel if I have a customer, I mean, yeah, and if I have a customer that runs what, let's say, 2000 turbines, it's a different game.

Speaker 2: 17:12

So we need to be able to communicate in the level that the customer wants to, and that means we have different solutions to it and therefore also different degrees of complexity. But you're right, there's a threat component to it, there's a vulnerability component to it and there's an impact component to it, and by digesting those into different categories and putting them into scenarios, we're capable of making a best guess of the predicted future, saying so, this asset is at risk to this extent due to this vulnerability not being mitigated, or this architectural weakness and so forth, so you can actually take care of it.

Speaker 1: 17:52

I mean, besides ransomware, which happens no matter who you are, I guess one of the challenges you would run into with the threat part of it is that it's not like every day. There's like a wind farm being attacked with some custom malware, right? So how has that part been for you? Well, it's complicated. To convince people there's actually a threat.

Speaker 2: 18:11

Yeah, true, because it's actually a threat. Well, you can turn it the other way around and say what would you do if you were threatened by a neighboring country?

Speaker 2: 18:22

Or have the interpretation of being threatened by a neighboring country, well, you would try to cause them to be incapable of working together with their partners, the neighboring countries. You would try to prevent them from having an efficient economy. What's a vital component to that? Electricity production, right? Energy, yeah. And then, if we look at the energy sector, how would you attack it? Well, are you going for those old power plants where they're just off-grid and people sitting there just I mean looking at them? Well, that's one approach. Or you could go for like the really big digitalized, dispersed energy system, like the renewables. I'm not saying that the Russians has a plan for that, but I'm saying that if they don't have a plan for it, they're not doing the job right. So, of course they have a plan for it. I'm saying that if they don't have a plan for it, they're not doing the job right so of course I'd be shocked, at least.

Speaker 2: 19:13

Yeah yeah, so that's my approach to it. We don't know they have a plan for it, but I would be shocked if they didn't so I mean the, the sort of threats landscape that that part is like yeah, it's obvious.

Speaker 1: 19:27

At the same time, it's not obvious because like it's like the how they would do it which I guess that's the level that you want to get down to is how they do it, because then you can actually put a control there.

Speaker 2: 19:36

Absolutely, and you're right. Just one component is motivation, and we just, I mean, we just came to the logical conclusion that they probably have a motivation. But what about the capacity and capabilities? That's more interesting, right, and that's that's where we work with, with big intelligence vendors in the industry, because here we're going for attribution, but also some somewhat into the techniques, so we end up in the painful part of the of the pyramid of pain, right, it's the place where it's really difficult to like, carry, clarify what, what they're doing, how they're doing and why they're doing it but, I mean, we need to go into those lengths, uh, in order to, to make a meaningful analysis yeah, and then I guess, uh, you know, pen testing would be a an obvious component of that.

Speaker 1: 20:19

But then I'm just thinking about, like you have, where do you pen test because your supply chain is so big? Right, it's like one, that one component on the wind turbine, or is it like the fact that all of the wind producers use the same vendor? Like, how does that?

Speaker 2: 20:32

well, because, in order to find the right vulnerabilities, we do pen test. And and when pen testing, we pen test. What we think is oh well, we pen test from a scenario like saying so you're trying to achieve the breakdown of plant and you have this information how to do it right, so we do pincess planning, where the flags are defined beforehand.

Speaker 1: 20:58

Yeah, what do they call it? Attack surface management. Right, like you have to combine. You have to combine all the buzzwords in one sort of program to make all this work, because at the end of the day, if all those components aren't there, then your calculator or your Excel sheet might not be very accurate, I guess.

Speaker 2: 21:17

True, and that's really what this is all about, right. So this is about vulnerability management, right, but in some situations the vulnerability is okay to be high. If you're running three turbines in South America, you should only be more well, not only, but you should be most worried about South criminals and not so much worried about state-sponsored attackers, because that's not really a thing in South America yet. So, like, okay, and therefore we can say okay, then the strategy for you might be one of those I mean hard shell, soft inside approaches. So make sure that you got your identities right, make sure that you know your interface, make sure that you update your exposed services, that kind of thing right.

Speaker 2: 22:03

Whereas, if you're operating in Eastern Poland, I would suggest that you consider actually having a more hardened approach. I mean, have hardened applications throughout the layers, that you do some sort of investigation or detection mechanism in the lower levels of the Purdue model, right Like down on the plant. And that's a decision for the customer, because the customer needs to pay, and I'm not saying that I mean we're not running a charity. The customer is paying for the risk as it goes. So if let's say that in South America it turns cyber warish, well then that customer needs to have a lever to change their approach to cyber security of their plant.

Speaker 1: 22:52

Interesting. So it sounds like one of the questions I was going to ask you was like you know what's the industry look like, but it sounds like there are many industries within industries. Yeah, because the customer viewers, that's a government, then at that point, right.

Speaker 2: 23:03

Yeah, but look at the literacy push right, because governments, I mean, just look at this too. Just look at the update of NERC SIP. I mean just look at NIST too. Just look at the update of NERC SIP. I mean they're all pushing for this risk responsive attitude with the customers, with the producers of energy, and we're just a service provider for them. But that also means that there's a push to us and if we wait for it, we'll have a billion trillion different requirements of TIGMA character and there simply isn't enough security people around the globe to handle that. And then we'll bring in the vendors and the vendors will have or consultants and they'll have different reasons for doing different stuff, and then the system will just be broken. I mean, we'll just end up in a situation where we'll never really succeed, and maybe we will succeed, but then two years it'll be obsolete. So we need to transfer this into another league. We need to know what we're talking about, and risk quantification is the key to that and that's why we're doing it.

Speaker 1: 23:58

So that is the reason behind you getting hired, I guess, is that somebody needs to get ahead of it, see in the future, predict the future, like these are going to be what customers and the pain points of the future. So you're starting with that work now, basically to make it easier later.

Speaker 2: 24:15

Yeah, and we're moving the discussion around. We're moving the discussion from being like a technical discussion around have you updated a library in an application into have you? Are you actually in control over the risk you expose to the grid? Yeah, so I mean we're changing the dialogue so that that goes right. Also, because I mean I've met many security people that are struggling with getting the year of their management right because they're talking one language to the management and the management are asking questions in another language. So there's a dialogue about Exactly.

Speaker 2: 24:57

Yeah, the dialogue about allocating budget. How does that work Right? Well, somebody comes in and tells a war story and then gets a budget and goes out. That's not running your business right and it wears out our security people and we can't afford that. So if we build something that's meaningful for communication across the organization, we also build a more sound foundation for discussions and priorities in the organization.

Speaker 1: 25:30

Isn't that kind of strange that that sort of communication thing is being led by the security team, or is it? I'm just surprised that those efforts would end up coming out of the security team and not some sort of like intelligence function, or you know somebody higher up in the company that said that we needed to do that. Or is it because the threat is so cyber that it makes sense to you?

Speaker 2: 25:52

I have a feeling that many people in the industry fail to talk about threats and talk a lot about vulnerabilities. Because what do you do when you're scared? Well, you go back to what you know, and many of the security people are IT people, right? What do they know? Well, they know the systems, and then they start talking about the systems, they start doing something about the systems, and then we decouple the organization and that's not good for progress and it's not good for management, it's not good for control. By having a quantification concept running, you grow out of that absolutely yeah, but, but. But. What I'll be talking about on the conference is is in, I mean, practical terms, I'll be showing the excel spreadsheet that we give to to our smaller customers and just explaining how the data model works, because my point is that we don't need to be right, we just need to be consistent so you can control risk over time.

Speaker 1: 26:54

So, jens, my guess would be that you and Vestas are one of the top echelon of making that communication and actually making something work. But if you look around the industry, I heard, heard you you mentioned guessing, lying and wishing. Yeah, what are some of the problems? Like the broader industry, what are some of the problems that you have faced that the others can learn from so they don't do the same thing, I guess, when they start doing what you're doing.

Speaker 2: 27:20

Well, guessing, lying, and well, it's a term right. If you don't know what you're talking about, you're guessing. If you know what you're talking about and you're telling something else, then you're lying. And I've seen security functions do both like all around all the time. I've seen consultants do both all the time.

Speaker 2: 27:42

I've been a consultant myself, I have consistently refrained from lying and told people very transparently when I'm guessing. But that's not how the industry always works, to be fair. Therefore, we need to change this approach where our top management just asks a question and we answer it by a guess or in a different way. Because if, let's say, like, a CEO comes into the office of a CISO and says, so, this ransomware, should we be afraid of it? The CISO says yes, that's fair, that's good.

Speaker 2: 28:25

And then if he comes back the next week saying so, what should we do about it? Then he needs to have a plan for it, right, and that plan needs to be controlled, needs to be transparent, he needs to explain it. So if you don't have your integrity there and if you just start by just hoping that he goes away and just telling him well, I hired a consultancy to do it. And then a consultancy comes in does a risk assessment with a model that they don't tell people what is and with well deliberately masquerading it all up and then comes back to you. Well then, then they need to come back two years later in order to do an update of it, because they efficiently made sure that nobody else could update it.

Speaker 1: 29:07

Right, that's a business model I was thinking in my head while you were saying this, like if you have to do something bad in the name of good, is that that's bad? But to your point, if you have to do it every other two years because it never got any traction, it didn't actually change anything, then it's uh, what they call in norwegian, they call it antans that you're shooting yourself in the foot. It's the same thing, you're doing in the chair.

Speaker 2: 29:28

But yeah, and that is, and I think that's what it is right. You end up doing something because you think it's right and because you don't know how to talk to that CEO. So you're like you just give him what you think he wants, but the next day he expects you to report back in the same time and in the same language. So you don't have the opportunity to become wiser, because if you become wiser, then you'll need to tell him that you made a mistake last year and within our industry, anybody who's saying that they know all is lying. I mean, we all get wiser every day. There's's always a new technology. There's a new technique, there's a new approach. There's a new technology that our attackers use or something that we can use. There's a new. There's a million things. So this is not about doing it right. It's about doing it consistently. That way we can actually mature, and that's what I'm going to be talking about and I'm going to put out like I mean very practical.

Speaker 2: 30:31

What do we do? How does a threat scenario work? What happens throughout the kill chain? Because we do red thread teaming, like saying so, if I'm this hacker, ransomware group, what do I do if I have this access, well, I work like that. Okay, super. How do we then put up barriers for it? Then we put up barriers for it and I mean we can't prevent them from doing it. So we always need, we always end up by a guess at the end. We just need to be transparent about that guess. We just need to have travel mythology for it so that we guess the same way, the same rule, every day. Hmm, I mean a lot of security. People are talking about this, about doing the basics, just doing the hygiene. One of the hygiene things is also to be consistent, follow the same procedure, continue doing that last time we talked probably was at the same conference last year.

Speaker 1: 31:23

It's been a while. What have you learned in the past year, specifically for threat intelligence? Well, last year it's been a while. What have you learned in the past year, just specifically for threat intelligence?

Speaker 2: 31:29

Well, I learned that it is. To some extent it's a circle, right, we kind of knew that. But buying intelligence is just everybody's buying from each other. So the only way to get proper intelligence is by having a network, to having the capability of digesting and analysing Open source intelligence, compared with commercial intelligence, more or less at the same time. So in order to be able to actually stay ahead of this and do proper risk scenarios, you need to have a threat intelligence cell of your own. Otherwise you're simply not in control.

Speaker 1: 32:11

Yeah, and I guess you ended up there yourselves, yeah yep, without saying anything more.

Speaker 2: 32:16

But yes, of course we did.

Speaker 1: 32:18

I support that. Do you have any closing thoughts, Jens, before I let you go on this lovely Friday afternoon?

Speaker 2: 32:27

Well, I'm looking forward to the ICS conference in November. Right, I mean, it's like a family gathering, it's like that is. Yeah, it's really nice meeting small good old colleagues and having great fun and being inspired. I always go for a million new ideas and a million new questions and a million new friends, so it's fun, looking forward to seeing you there.

Speaker 1: 32:50

Likewise. Thank you so much for your time, mr Bathershaw. Take care between now and then, and we will see you in Copenhagen in November. See you there, bye, ciao. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonicno. Thank you for listening and we'll see you next time.