Thales Data Threat Report Revals Risks to Critical Infrastructure

[00:00:06] Welcome to The Business of Cybersecurity, a podcast which is part of the Tech Talks Network. My name is Neil C. Hughes. You may know me from the Tech Talks Daily Podcast, which covers a completely different area every episode. And in this series, The Business of Cybersecurity, I explore where security and businesses intersect.

[00:00:29] So my guest today is going to share his insights on the evolution of cybersecurity threats in everything from ransomware to quantum computing and discuss how organizations are bolstering their defenses through training, advanced technologies and a shift towards zero trust architectures. But enough for me, let's get Tony onto the podcast.

[00:00:51] So together, we can all navigate the complex cybersecurity landscape that keeps our digital and physical world safely interconnected. So a massive warm welcome to the show, Tony. Can you tell everyone listening a little about who you are and what you do? Yeah, thanks, Neil. Hi, everybody. So I'm Tony Burton and I'm the Managing Director of the Cyber Digital Solutions business here in Thales.

[00:01:17] Providing, as its kind of name suggests, the cybersecurity and digital capability to the defense, government and critical national infrastructure sectors. I've been in Thales for nearly 23 years now, looking across the national security and resilience domain in various capacities. And before that, I spent over a decade in the signals intelligence and surveillance world of the of the of the MOD as a civil servant.

[00:01:46] So I've been around for a few years now. Awesome. And before you came on the podcast today, I was having a look through that Thales 2024 data threat report. And one of the things that stood out to me was this significant increase in cyber attacks on critical infrastructure. So I've got to ask, why do you believe or what do you believe the main drivers are behind this surge? And why are smart grids and essential utilities and hospitals suddenly becoming prime targets for cyber criminals?

[00:02:16] What's what's the driver here? Yeah, it's really interesting. So I think the evidence is pretty clear. And when you consider that over two fifths of the critical infrastructure organizations that you've just listed have suffered some form of data breach with the vast majority, over 90 percent observing some sort of an increase in attacks. And I guess the question that you're asking is, you know, well, what's behind this surge? And I guess for me, there's kind of three key things.

[00:02:45] And you only have to watch the news every day at the moment to see the continuing geopolitical unrest around the world. And everything at the moment is really focused on the Russia-Ukraine crisis, which is in a dreadful state. So it's no surprise that the UK government are talking in terms of putting the country on some kind of war footing. And when that comes to national security, that has to include all of our critical national infrastructure.

[00:03:15] And it's really quite stark language out there at the moment, even talking about, you know, being at the foothills of a Cold War and all that sort of thing. But the indicators are really clear that we have to be more prepared as a country to increase our resilience and to make sure that the increasing threat is managed in some way from a particularly a cybersecurity perspective.

[00:03:39] And, you know, I think that's really evident at the moment in all of the thinking of government and the National Cybersecurity Center to deal with that threat. And, of course, that's just one dimension. There's still a strong uptick in the threat from organized or even disorganized crime. And, of course, there's always the insider threat, whether that's maliciously motivated or not at all.

[00:04:05] And let me tell you, some of the most effective denial of service attacks I've ever seen are accidentally conceived by human error or trying to do the right thing rather than anything more malicious. And I guess the third and last thing I'd mention really is the other thing that's driving the increase in threat is just the way that critical infrastructure is evolving itself. So, you know, across all of the threat, the sectors of CNI, there's a massive increase in cloud adoption.

[00:04:32] And there's huge amounts of interconnectivity and interdependence in those systems. And that opens up much wider attack surfaces that really are not just information technology, but now operational technology, particularly in that critical infrastructure space. And so once you see all of that, why would it be a target?

[00:04:54] So, you know, from an attacker's perspective, you know, this opens up massive opportunity for disruption, for economic impact if you're at that nation state level. But from a cyber criminal perspective, the financial gain opportunity from being able to deploy ransomware or cause that kind of disruption is very clear and evident.

[00:05:17] So I think it's a combination of the opportunity is growing and more able because of the threat surface widening. But then also the motivations are very much in sharp relief at the moment. And another big stat in that report, I think it was 42% of critical infrastructure organizations have reported data breaches. So what are the most common types of attacks that you're seeing here?

[00:05:45] What are the implications for the stability of essential services in everything from energy and utilities and all those areas that we take for granted? Yeah, we're seeing all sorts, really. I think nearly a quarter of those reported have fallen victim to some form of ransomware attack, which is very clearly the most common. And indeed, some people are resorting to paying those ransoms. And that's still going up and we're still seeing increases.

[00:06:14] And often those issues begin with some sort of a kind of phishing attack to actually gain access to things. And, you know, I think we should all be concerned as citizens and as consumers of the critical national infrastructure more broadly about the advances in the way that phishing attacks are becoming more complex, more capable.

[00:06:34] And the use and the combination of, you know, the artificial intelligence side of things, social media, stolen credentials and that sort of thing are all adding to that threat vector. Clearly, we still see denial of service attacks, the man in the middle attacks. We're increasingly seeing evidence of harvest now decrypt later.

[00:06:56] And I'm sure we'll come on to talk about the subject of quantum cryptography and post-quantum cryptography in a short while. But we're seeing all of those sort of things as well. I think the last thing from the more of the threat side of things and the data breaches is that almost a third of what critical infrastructure organizations experience is around that human aspect again. So it's the insider threat, whether that's malicious or not.

[00:07:25] It's still the human that is on top in terms of the leading cause of attacks. And that is in some ways being helped and assisted by multifactor authentication, adding privileges into accounts and things like that. But that is still a big problem. I think you asked about the implications in terms of the stability of those essential services.

[00:07:48] And I think that in terms of the implications, there are the very obvious and direct ones that I think most people listening will be aware of. And that's the financial impact, you know, the actual loss of service, the reputational damage done by security breaches. But increasingly, we have to consider the knock-on or the cascade effects of successful attacks anyway.

[00:08:13] And that's particularly true when you're considering the critical national infrastructure, where the increasing levels of integration and interdependence between those critical infrastructure sectors can lead to some of those quite profound cascade effects, where one sector, perhaps an attack on the energy sector, might have far-reaching consequences in other parts of the critical infrastructure.

[00:08:38] A really good example of that was it was driven by lightning strike, actually, back in 2019. So it wasn't actually a cyber attack, but it goes some way to explaining what I mean by a kind of cascade effect. And that was when the electricity transmission system was interrupted for what was a very short period of time because of a lightning strike.

[00:09:00] And the cascade from that meant that some of the smaller generators immediately connected to that transmission network, immediately disconnected from the grid. And then simultaneously, a couple of the larger generators also disconnected. That caused the frequency in the system to drop, the mains frequency. And that automatically then caused other generators to disconnect and so on and so on.

[00:09:24] And it eventually ended up with a huge amount of people having power outages in the million, or always more than a million. But what I mean then by the cascade effect was then the transport network was ground to a halt as well. And that's because all of the trains in that part of the country were running on, they were electrification trains. So there was over 500 services over the next two days were affected by that single lightning strike.

[00:09:51] Now, if you just took, for example, if that small outage in the transmission network could have been caused by some form of a cyber attack, you can then see very quickly and easily what I mean by a cascade effect. And the interdependencies between these sectors is growing almost daily as they depend on data, information. They take actions based on information in other sectors.

[00:10:17] And that is adding to the real risk and challenge that we're facing in critical infrastructure. Wow, it's incredible and quite scary. I mean, from the outside looking in, this digitalisation of smart grids feels like it's almost introduced new efficiencies, which is great, but also expanding the attack surface, all vulnerabilities. So I'm curious from what you're seeing, how has this increased connectivity heightened the risks?

[00:10:42] And what would you say are the biggest vulnerabilities that are most concerning for critical infrastructure? Yeah, I think the first thing, let's not get too doom and gloom. And it's an occupational hazard for me, but let's talk about the positives. You know, the only way that we as a country will get to our net zero targets and support the electrification of transportation and all of those other things around putting 20 million electric vehicles on the road by some date in the future

[00:11:11] and reduce our dependency on gas for heating. The only way we can do that is to introduce this new level of smartness into our electricity distribution, consumption generation. And without that ability to push and pull energy around the grid and manage that demand and create the flexible supply, there's just simply not going to be enough electricity in the system to support the peaks and be able to manage all of that.

[00:11:37] So smart grids are an amazing capability that we absolutely need as a country. But the challenge is that as and when you interconnect all of these things, you do create this larger surface area. And you also introduce this challenge that there's going to be a mix of legacy. There's going to be a mix of new. There's going to be a mix of cloud-based, on-prem-based, et cetera, et cetera. And all of this needs to be managed together.

[00:12:05] And historically, there's been some really good process and progress on the information technology, so the IT aspects of these systems. But for me, the increase in focus now is needed on the operational technology that makes all of this stuff work. So the operational technology is really about putting your head where it hurts, really. You know, it's about making sure that all of the valves and switchgear, all of the things that they bridge that cyber-physical boundary,

[00:12:35] they need to be able to be as resilient as everything else in the system. And so, you know, this attack service is not just a traditional CNI infrastructure either. It extends right into your home. Think about your smart meters and the tariff management that you might want to benefit from. You might want to benefit from using your car as a battery and pushing energy back into the grid at some point. And therefore, it's also interesting, again, for the same reasons as the first question,

[00:13:05] it's interesting for criminal activity because there's money to be made out of manipulating tariffs and that sort of thing. But I think increasingly, as well as the CNI owners and operators themselves having to deal with this digitalization challenge, it's also pushing now into the supply chains from them. And we've seen evidence in recent months of what can happen when some of the supply chains don't either follow the right sort of processes and practices.

[00:13:33] And that's why the NIST directive is being extended as well to try and include not just the critical national infrastructure owners and operators, but also some of the suppliers into that world as well. And I think the combination of those things will actually start to manage these risks. So attention to operational technology, attention to the supply chains, attention to managing that threat surface,

[00:13:58] that they're all going to have to come together to work and reduce the vulnerability and increase the resilience. We've talked about the impact of a cyber breach on critical infrastructure, how it can be severe, but I agree with you, we don't want to get too doom and gloom. And as a solutions, not problems kind of guy, what kind of measures can organisations take to ultimately be more proactive in strengthening their resilience and protecting against these high stakes scenarios to ensure that they don't happen?

[00:14:28] Yeah, it's a really interesting challenge. And, you know, you're right to mention it because these kind of cascade effects, they are quite profound. And these are the things that certainly the National Cyber Security Centre and even the regulators are now looking at so that we can actually work together to try and build this resilience into the infrastructure.

[00:14:52] One of the key challenges, though, is we talk about, you know, integrating things together, creating this interdependence and everything else. What it really means is we're at almost a bit of a challenge point and a need for an almost an architectural paradigm shift towards security and resilience moving towards sort of zero trust concepts. So what I mean by that is that traditionally systems kind of have boundaries that you could protect.

[00:15:22] Okay. And nowadays, and with critical national infrastructure in particular, it's becoming increasingly, if not impossible, to define a boundary to protect for any of the systems that operate as that critical national infrastructure. And so what we're having to look at now is an architectural move towards information-based security and zero trust architectures

[00:15:46] where everything within that set of connected things that makes the, let's just use the energy sector work and the smart grid work, they all need to share information with each other, but they all need to do that on the basis of some level of trust that's created between those machine entities. And everything therefore needs to have a digital identity. And those digital identities then need to exchange data with other things,

[00:16:14] but only for the time that they should be exchanging data with them. And only once they've built a level of trust between themselves to be able to exchange that data. Now, I can't go into the sort of full depths of zero trust architectures and the implementation of them right now. Now, but suffice us to say, you know, when you can't define a boundary and protect that,

[00:16:37] the only way of protecting all of the data in there is to move to this kind of information-based security architecture. And I think that's one of the key things that will help with the critical national infrastructure and dealing with the challenges of making them more resilient. I think the second area is back to the human factors side of things.

[00:17:00] There are very simple things that we can do to make sure that when we're designing and secure a resilient infrastructure, that we're not saddling people with 300 passwords that they have to write down is the most obvious example of that. But it's making sure that the processes, the policies actually make sense and people can actually use them in the critical national infrastructure. And then the third area I'd pick out would be around the managed detection and response,

[00:17:30] but particularly for the operational technology side of things again. There's a lot of technology and capability out there in the IT world, looking at security operations centers and managed detection or response. But I think there's still more work to be done when that moves into the operational technology that makes the critical national infrastructure work. The response and recovery, you know, there's a raging debate about, you know, is OT different to IT?

[00:18:00] Who should run it? Who should be doing the monitoring and detection? The bottom line is somebody's got to do it. And the responses and the playbooks for operational technology where you're running perhaps a high-pressure gas network or the high-voltage transmission network has to be very different to the way that you would perhaps deal with an information technology or an enterprise IT challenge where you can easily roll out patches

[00:18:28] or you can quite easily, frankly, switch it off and on again. And that's not an option in the operational technology space. And so I think more work to be done in terms of making sure that we build the resilience in via zero trust. We make sure that the people can operate it in the way that it was intended by attending to human factors. And then we make sure that we can manage, detect, respond to,

[00:18:54] and recover from any incidents that might occur in that operational space. And in, I think, 10 years of recording this podcast, 3,000 interviews, it seems I've been hearing how humans are the weakest link in cybersecurity for as long as I can remember. Sadly, your report indicates that human error remains a leading cause of cloud-based breaches. So, again, anything you can share on what companies could take to address this issue,

[00:19:22] particularly when it comes to enforcing things like multi-factor authentication, managing insider threats to ensure that we're not having this conversation again in another 10 years. Sadly, I probably think we will be still having this conversation in 10 years because the human mind has infinite capacity to try and work around things, no matter how good or easy you make it. So, I suspect that the nature of the beast, so to speak,

[00:19:49] will mean that we will still be talking about the human aspects of this for many years to come. But I think the real challenge and the real steps that we can take to try and make things better is one, in the kind of human factors-related design of these systems and the way that we operate them in the first place. But I think the secondary thing is very much around the training and awareness of people,

[00:20:17] and that extends into actually exercising against some of these attack and defense scenarios. There's no substitute for experience, in my view, and training, awareness, and exercising from the top to the bottom of the organization is absolutely essential. So, it's not just about people in the security operations centers. It's about people in the engineering control rooms.

[00:20:44] It's about people who are actually going out and making changes to the critical national infrastructure, whether it's buried in the ground somewhere or up a 300-foot mast. And even the people in the C-suite, so the executives in the ballroom, all need to be engaged to understand what a security and cyber incident looks like and then how to manage it to a sense where the business or the critical national infrastructure owner

[00:21:12] or operator can recover from it. So, that awareness and training is absolutely critical. One of the things that we've done to try and bring this home is, in terms of awareness, we've spent some time building some scenarios in cyber ranges and things like that. And it's amazing the response you get when you ask somebody to go and plug a smartphone charger into a piece of operational technology,

[00:21:41] only to then show them how they've just injected a piece of malware. They've allowed a complete Wi-Fi connection that's uncontrolled, and they're doing keystroke monitoring and everything else, all from a smartphone charging cable that looks like any other smartphone charging cable but has a load of technology and everything built into it that means that it's effectively a one-stop shop for a would-be attacker

[00:22:09] to get access to that operational technology. All of a sudden then, the awareness changes and the willingness to do things about it changes. And it's all because of knowledge, understanding, and as the clues in the title, it's about that awareness that these things exist. And it's quite a powerful concept. Such a cool story and use case there as well. And when I was doing a little research, I also learned that TALIS has got this cyber resilience lab

[00:22:38] that tests smart grid technology against a wide variety of different cyber scenarios. So without revealing any harmful secrets out there, are you able to give us any insight into the kind of testing and simulations that you conduct and how this helps develop that more robust incident response plan? Yeah, I'd be delighted to. And it's not just smart grids. It's all sorts of different operational technology implementations

[00:23:05] that underpin the critical infrastructure. But yeah, the Ebber Vale site's a fabulous facility. It's been developed in partnership with academia, industry, and the Welsh government. And it brings together, I think, a unique combination of research and development activities, a really comprehensive cyber range, control rooms, security operations center facilities, along with real world reference facilities and physical operational technology assets.

[00:23:35] So it's a pretty unique environment. And it's everything that you need to be able to test, to train, and to exercise critical national infrastructure at scale, and even be able to do that across sectors to look at some of those cascade effects. It's the only facility I'm aware of that provides this kind of real hybrid physical cyber environment and that integrates a synthetic range with that real world OT reference kit.

[00:24:03] And for training and exercising, this means that we can run events that have everything from, you remember back to my earlier comments about the training and awareness and making sure that it's from the top to the bottom of the organization. And we can have people from the boardroom, from the operational control room, from a security operations center, and the real deployed infrastructure all under one roof.

[00:24:28] And the power of that is being able to see how all of those aspects of a cyber incident interact at a scale when real live malware is released onto real equipment. The acceleration of learning and the advancement of learning across the board of those people is immense. And that organizational learning helps also with operational technology playbook development,

[00:24:58] control room responses, and the usual sort of deployed equipment management as well, because ultimately at some point you have to do something to remedy the problems. And then the final benefit really comes from the ability to test new stuff. You know, you need a safe environment to be able to test new vendors kit, evaluate research and development outcomes and things like that.

[00:25:24] So, you know, if we're ever going to get to the point where we can claim some, you know, real improvement in the resilience of operational technology in that critical infrastructure sector, we have to be able to test these things at this kind of scale. And we have to be able to really test them with live malware in really representative environments. And that's what we can do there.

[00:25:49] And something else I'm reading more and more about is the concern that quantum computing poses in an emerging threat to encryption security, if it breaks encryption, for example. And yet in the report, I was interested to read that I think it was half of those surveyed organizations, only half of them are preparing contingency plans. Why do you think there is a gap in readiness? And what should critical infrastructure providers be doing now to address the quantum threat?

[00:26:16] Again, I don't want to have that big, scary headline about the quantum threat, but anything they should be doing to prepare. It's fascinating, isn't it? And it's one of those areas where everybody will say, or at least two thirds of people will say that they're worried about the risk of that encryption compromise and the co-op cap. They get fundamentally the harvest now, decrypt later threat and concept. But the thing that's making people not reluctant, but certainly they're not moving quickly,

[00:26:46] is it's really not helped by the fact that academics, engineers, everything that you read has got somewhere between three and 30 years for the realization of a sort of quantum machine. And that's not helpful in people targeting their budgets and being able or wanting to do things quickly in this area. So I really don't think that necessarily we're helping ourselves.

[00:27:13] My view is that the only important thing is, is it's kind of a matter of when and not if this will happen. And when that sort of race for quantum supremacy, it's going to be influenced by, you know, the orders of magnitude of qubit improvement and that sort of thing. And the tolerance of errors and there's all sorts of research going on, but it's going to happen. Okay.

[00:27:38] And therefore we really need to start thinking about what we're going to be doing to counter it. And in critical infrastructure, this is particularly important because that there are some other sectors, defense is another good one, government's another good one, where information that we are putting into the wild today will still have relevance in some way, shape or form in 10 years. 15 years, 20 years. And so it kind of doesn't matter which one of the academics you believe in terms of quantum

[00:28:07] machines being or breaching that threshold of quantum supremacy within three or 30, it's going to be important. So what can people do now in terms of trying to go on that journey? And I think it begins with looking at what you've got. Okay. And it's no more complicated than that. I think the owners and operators of CNI need to understand and do an assessment of their

[00:28:35] current inventory, understand where their critical assets are, what is going to be important, what is still going to be in the ground in 20 years, what information is still going to be the crown jewels that we need to understand. And what is the cryptographic usage of today? There's then a whole process of education and awareness again. Again, we have to make sure that the people in the organizations are aware and understand the

[00:29:02] impacts of this threat and also the actions that are going to need to be taken. Transition planning. There's no big bang answer to this. So my advice to anybody would be to start thinking about that longer term transition plan, work out the priorities for the organization and create that timeline that allows you to protect the things you really need to and want to protect first.

[00:29:31] And you're going to have to go down a hybrid approach for a period of time. You know, there's going to have to be post-quantum and pre-quantum cryptography working at some level in harmony. So that's going to have to be part of that transition plan. And the other thing is kind of try. Get some pilot projects. Start small. Do things that can be managed and start to experiment and make sure that there's organizational

[00:30:01] understanding and learning achievements as well. Because that needs to be evaluated. The implementation of post-quantum cryptography is every bit as important as the actual algorithm itself. And, you know, some of the recent press articles around vulnerabilities, so-called vulnerabilities in the algorithms for post-quantum cryptography, they were nothing to do with the algorithms. The algorithms were sound. It was the implementation that was leading to the vulnerability.

[00:30:30] So people have to get comfortable with that and start to actually do it. And then it's about just continuing to monitor and improve the whole sort of process and continue to do the updates throughout the system. So I think there's quite a stepwise approach that people can start to understand and get to grips with. But it starts with, you know, understanding what you've got. I can't emphasize enough that, you know, that the first step of any journey is actually

[00:31:00] understanding where you are. And that's never been truer than for the post-quantum world. And another area I'd like to discuss just finally here, and that is in the report, it highlights the growing concerns over the complexity of managing cloud security for critical infrastructure. And if I go back, let's say last year, there was a lot of talk about going from on-prem to the cloud and hybrid cloud and managing those. This year, I'm hearing more and more about public cloud, private cloud on-prem to manage

[00:31:28] AI projects, et cetera, further complicating things. So any advice you'd give to organizations struggling with the shift to cloud environments, wherever they may be, just to ensure better data protection while navigating this transition to AI that we're seeing just about everywhere now? Yeah, that's a massive question. I don't think we've got enough time if we could spend another hour on it, to be honest. But I think you're right.

[00:31:54] And let's be frank, moving workloads to the cloud offers an enormous amount of benefit to many organizations. And particularly in the enterprise IT area, that transition is already largely happening. I think there's a lot of new considerations if you start thinking about pushing the control and management of operational technology through cloud workloads.

[00:32:22] I think that is a cause for concern. Again, we probably don't have enough time to cover that in detail today. But the one thing I would say that is a universal truth is the thing to think about is the protection of the data. And whether you put all the workloads in the cloud or not, there is still a decision to be made, particularly for critical infrastructure around who and how you manage the cryptographic

[00:32:48] keys for encrypting and managing all of the data and the networks and everything else. And understanding how sovereign do you need that to be? Do you need to have on-prem key management for your own peace of mind in that sovereign sense? Do you want to have somebody else manage that on your behalf but on sovereign soil? And those are the kind of key questions to make sure that at least you have some degree

[00:33:16] of control over all of your important data. And then you can hopefully get the benefit from pushing the workloads into the cloud, but still have the security and comfort and resilience of managing your own keys. So many great insights shared from you today. And food for thought for business leaders. I think we will have to get you back on next year and discuss some of those much bigger topics that are only going to grow next year.

[00:33:43] But before I let you go, I want to take a break from talking about Talos, the rapport and technology and find out a little bit more about your story. Because I think none of us are able to achieve any degree of success without a little help along the way. So is there a particular person that you're grateful towards? Maybe they saw something in you, helped you get you where you are? Or someone we can just give a little shout out and a thank you to? Who would that be? Yeah, do you know what? This is something that's quite dear to my heart because it's a guy called Cliff Ezekiel.

[00:34:12] And I'll be honest, I don't actually know whether this guy is still alive. But he was my apprentice manager when I was a fresh-faced 16-year-old. I'd left home, joined the Ministry of Defence. And he was the guy who helped to steer all the apprentices. And he worked tirelessly to give us all of the opportunities and experience all the aspects of the workplace. That, frankly, if he hadn't taken all of those interests

[00:34:42] and given all of his time to help develop me and all of the other apprentices all those years ago, then I certainly wouldn't be where I am today. And I guess neither would any of the other apprentices that were in similar cohorts. And that's something that I really take to heart now because we've got amazing apprentices now. And I always remember the benefits that I got from it. And the one thing that I'll always be thankful for is this guy, Cliff Ezekiel,

[00:35:11] it was his name, for being that apprentice manager and taking that interest. And now it's kind of my turn. And the apprentices that we have going through the system never cease to amaze me. And I do go back to all those years ago and where it all started. Oh, man, what a beautiful answer. And I think the fact that we've just spent 40 minutes talking about an incredibly complex series of topics and the fact that we wouldn't be having this conversation today

[00:35:39] without somebody like Cliff that invested a little time in you and helped you get you where you are today. Probably blissfully unaware of the impact he's had on you and your career. I think it's so important to give those people a shout out. So, Cliff, I hope you do get to hear this. But anyone listening wanting to check out the report and everything we've discussed today, reach out to you and your team, et cetera, where would you like to point them? Yeah. So, I mean, the LinkedIn route is always a good one.

[00:36:08] So, tell us cyber solutions on LinkedIn or my own page. And then the tell us website contains everything you need to know and then some more that you probably didn't. So, yeah, I'd point people in that direction. So many big talking points, as I said a few moments ago, from the future of UK energy supplies, how their stability and resilience depends on robust smart grids, cyber security, and also some of the big ways that business leaders

[00:36:36] and people working in this area can prepare for this and some of the threats that are out there as well. No need for doom and gloom. It's solutions, not problems. So, just a big thank you for sharing that with me today. No, thank you very much, Phil. As we conclude our discussion with Tony on the critical cyber security measures needed to protect our infrastructure today, it's evident, isn't it, that the stakes are high and the challenges are complex, whether that be human error to the advent of quantum computing.

[00:37:05] The vast array of threats requires a multifaceted approach to combining technology, policy, and education. And it's also about having a proactive mindset to cyber security rather than a reactive mindset. But I'm curious, from where you're working now, your organisation, your enterprise, your life, what steps do you think are most crucial for enhancing cyber security resilience? How can we as individuals, and indeed organisations,

[00:37:32] adapt to the ever-evolving landscape of cyber threats? As always, share your thoughts, email me, techblogwriteroutlook.com, LinkedIn, Instagram, just at Neil C. Hughes. Let me know. Maybe we can learn together how to fortify our critical systems against the cyber challenges of tomorrow. But tomorrow is a completely different topic. I know you want me to give you a few hints, a few teasers, but that's not how we do things around here.

[00:37:59] All I can promise you is there will be an episode waiting in your podcast feed tomorrow, and I'll be back talking directly into your ear balls across the internet. Bye for now.