Episode 11

Trust but Verify: The Critical Role of Supply Chain Security in Cyber Defense

How do nations protect their most critical systems in an increasingly digital world?

Podcast Cyber Security

In this episode of Allies in Innovation, host Mikkel Svold talks with Samant Khajuria, VP of Cyber and Quantum at Terma, and Jeffrey Saunders, CTO and Strategic Advisor at Denmark's National Defense Technology Center.

They break down how governments, researchers, and the private sector work together to tackle cybersecurity challenges. From securing supply chains to tackling real-world defense threats, the conversation gets straight to what works – and what doesn't – when safeguarding national networks.

Listen in to learn how collaboration, trust, and constant vigilance are shaping the future of cyber defense.

In this episode, you'll learn about:

  1. How collaboration strengthens cyber defense across industries.
  2. The critical role of supply chain security.
  3. Key certifications for robust cyber defense.
  4. The intersection of IT and OT in cybersecurity.
  5. How trust and verification impact national defense.
  6. Insights into future collaboration for cybersecurity innovation.

Episode Content

00:11 Introduction to Cybersecurity in Defense with Samant Khajuria and Jeffrey Saunders
03:24 Building Trust Within Your Supply Chain
08:18 Ensuring Compliance Across Vendor Supply Chains
10:21 Integrating IT and OT for Enhanced Security
15:42 Collaboration Among Governments, Research, and Private Sector
17:36 Education and Knowledge Sharing in Cybersecurity
29:25 Future Collaborations and Building Trust Across Borders
32:59 Final Thoughts on Trust and Verification in Cybersecurity

Production

This podcast is brought to you by Terma.
This podcast is produced by Montanus.

Episode Transcript

Mikkel Svold (00:11):
Welcome back to Allies in Innovation, and today we, once again, talk about cyber security in defense, and actually, also defense as a broad term as a national defense. In this episode, we'll dive into how collaboration and what thoughts people should have about their supply chain, how you can strengthen your cyber defense with collaboration and working together. Also, look at governments, we'll look at research institutes, and of course look into the private sector, and what role innovation has when it comes to cyber defense. Again, with us is the good Samant Khajuria, who is the vice president of cyber and quantum at Terma. Welcome to you, Samant.

Samant Khajuria (00:53):
Thank you.

Mikkel Svold (00:55):
And with us, we also have Jeffrey Saunders, who is the chief technology officer and strategic advisor at the National Defense Technology Center here in Denmark. Welcome back to you as well.

Jeffrey Saunders (01:05):
Thank you, Mikkel.

Mikkel Svold (01:06):
So, I nearly couldn't stop you before we turned on the microphones, because you're so onto this talk about supply chain and supply chain security. I think that's a good place to start, because everyone has a supply chain. No matter if you're a research institution, no matter if you're an airport, no matter who you are, even of course the national defense themselves, the military, of course they have supply chains. What is it with those supply chains that is interesting when we talk cybersecurity? I don't know. Samant, will you start this one off?

Samant Khajuria (01:43):
Yeah. I can start with that. I mean, it's a very broad topic when we start going into supply chain, because the supply chain comes from the components at the electronics and the assets that we use in order to build a system and finally build a system of systems. Supply chain also comes at the software level, so for example, as you can see today, we're in the software development. Software has become quite a big part of the products in defense that we make, so the third-party software, third-party libraries, and the elements that have been used, so everything is part of the supply chain. These bring quite a lot of vulnerabilities with them, so how do we handle that? Some vulnerabilities, some exploits are unintentional and some are intentional, and it all starts with the supply chain. This is the reason why we see lots of certifications, lots of approvals and accreditations from the government institutions, which are very adamant about the supply chain security of the system.

Mikkel Svold (03:04):
Jeff, just in the last episode, you mentioned trust as a huge factor in keeping a national defense. In the last episode, we talked mostly about what cyber threat is and how it developed, but this trust thing just came up in the end. How can you make sure that you can trust your supply chain?

Jeffrey Saunders (03:24):
Well, I mean, this is one. Trust, but verify. You need a verification process in that.

Mikkel Svold (03:31):
Gotcha. Yeah.

Jeffrey Saunders (03:32):
And one of the things that has come up, and this has come up in a number of factors that have now been taken into the questions about the various standards and certifications that are required, is ensure that you have processes in place for verifying your vendors, understanding their supply chains, and in understanding how they address the security of their operations and how that impacts you, because ultimately you operate an ecosystem, a system to system. Every business, every institution is reliant around its ecosystem around it, so what processes do you have to ensure that your ecosystem has the necessary security to keep you secure? That has a whole number of processes.

(04:25):
It's about vendor verifications. What approaches do they take to assessing and mitigating the threats that they're facing? Then, how do you address that? So, you have a number of standards. Samant was talking about the IEC 62443. We're talking about the NIS2 frameworks, the DoD CMMC. There's a number of these different standards, and they all pretty much start with a talking point, or point of discussion and departure, about what are your vendors, how are they approaching cybersecurity, how are they assessing the threats and vulnerabilities, what are their rights and obligations and responsibilities to inform you when they've had a breach so that you could take actions to mitigate the exposures to you? These are all things that are becoming, have already become, and will increasingly become important in everyone's operations.

Mikkel Svold (05:30):
And Samant, the certifications that Jeff mentions, I'm not familiar with those, but are they certifications that you meet a certain level of coding quality, or what is that?

Samant Khajuria (05:46):
So, there are different levels of certifications and different things, and today, Terma is probably looking into all of them, so for example, when we are talking CMMC certification, which is Cybersecurity Maturity Model Certification, this is a requirement or a prerequisite in order to do business with the US Department of Defense. So, this came in here some years ago, and the point was to have the development environment of the companies being clean and having cyber hygiene, so that's a certification at the infrastructure level. Then, we have certifications, like IEC 62443, which is very really-

Mikkel Svold (06:33):
I'm really impressed how you can just say that without any hiccups at all.

Samant Khajuria (06:38):
We work with that. That certification is something that goes directly on the assets on the operational feet. So, it's a civilian certification, as in the previous podcast we talked about critical infrastructure, wind farms, and so on, so this is the certification that is being used there for cybersecurity, our cyber frameworks, where a big chunk covers your supply chain part of it at the hardware level, as well as at the software level of the system that has been developed, or the product or a service that has been developed, and then shipped to our end user or to the customer. Then, similarly, we have in the US, for the critical infrastructure, something called NERC CIP, which covers exactly the same thing that we cover in 62443, and today, at Terma, we are supplying to all these end users and customers, so we need to abide by these certifications.

Mikkel Svold (07:49):
And now, talking about supply chain and collaboration, because you have, at Terma and all companies, obviously, they have a number of sub-vendors delivering different components. It can be physical components, but it could also be software components, delivering that to you. How do you make sure that those certifications that you want to meet, they trickle down throughout the entire supply chain? Because that, to me, seems like a huge puzzle.

Samant Khajuria (08:18):
It is a huge puzzle, because when do we call something that should comply to this? So for example, if we take an example of NIS2, which is one of the very big topics all across Europe, as well as in Denmark, and we are part of that in Terma, and have been supporting the NIS2 initiative at a defense industry level and other levels, where we have given our input also towards what does NIS2 mean for us in that sense, or what would it mean? So, there's a group of people that has been working on that, and NIS2 says that you look into one level down your EU supply chain, and as you mentioned that, we need to figure out when do we stop? Because if we take any hardware, it starts with the capacitors, resistors, and so on and so forth until when it becomes a system that needs to be looked into and how far down we have to go.

Mikkel Svold (09:28):
Gotcha. Jeffrey, that must be something that you meet also, that doubt on how far to go. I'm thinking, in your role as a strategic advisor, are people not having a hard time figuring things out?

Jeffrey Saunders (09:43):
I mean, yes, because again, we start talking about one thing is a technical challenge of interacting systems and interacting vendors, and we had to think about our organizations. One thing that we're talking about with the cyber threat is it's typically talked about in an IT environment, but it's not an IT environment only. It's an OT environment. We interact in the physical space, so we take the buildings that we're operating in.

Mikkel Svold (10:18):
What is OT? What does that mean?

Jeffrey Saunders (10:18):
Operations technology. Sorry.

Mikkel Svold (10:20):
Got you.

Jeffrey Saunders (10:21):
So, it's different types of programming software, designed to operate heavy machinery, critical infrastructure, devices of medical sorts, and things like that, that have their own programming language, in a very layman's description of it. Then, IT technologies that we most often think about when we think about the cyber threat of our computers, networks, and things like that, so they're two different worlds, and when you speak to most people who think about the cyber threat, they think it's an IT issue, without thinking about all the other components that we rely upon that are OT, which Samant was talking about in the previous podcast of the signals at an intersection for determining traffic. That's not IT. That's an operations technology solution.

(11:12):
If you think about the buildings that you go into every day, you start talking about the access control, the elevators, the heating systems, and cooling systems. Those are all operations technologies, subways, trains, things like that. We've connected them into networks, but many of these technologies were designed to operate on a 30, 40 year life cycle. When they were originally put into place, they were never intended to be hooked up to a network, but there's been a lot of operational drivers for efficiency. We have challenges with the labor force and having enough skill sets, so we try to do remote anomaly detection on these devices, do preventative maintenance so we can optimize operations as much as possible. That's been great for an economic efficiency perspective, but it's created a lot of vulnerabilities that we then have to assess.

Mikkel Svold (12:11):
It's actually really interesting that you say that because I'm thinking OT, as in IoT, I know that's not the abbreviation in IoT, but they're kind of connected, right? And I'm also thinking, I had a talk with Avinor, which is a Norwegian airport company that Terma is also delivering radars to, and one thing that struck me was that some of the technology they're using there, because Norway obviously has such a huge landmass. It's not huge, but it's widespread. So the airports, the outskirt airports of Norway, some of them are actually remote-controlled. The tower function is remotely controlled, so you'd basically have some people sitting in, I don't know where, but let's say Oslo. They are looking at just huge screens, mimicking what an airport tower, control tower would look like, and then they're actually well remotely controlling the airplanes. Is that also what we're talking about? I know this might actually be a bit of an extreme example, but...

Jeffrey Saunders (13:18):
No, but I think it's a really good example of how the IT and OT worlds interface with each other, because that is an example of multiple technology layers that are working together with technologies that have different expected lifespans. So, on the one end, you have your technicians that are walking around the buildings. They have devices that are expected to last two years time, typically, that are interfacing with operations technologies that have 30-year lifespans with different network equipment that has maybe 2, 5, 10 years life expectancy, and they all have different degrees of certification.

(14:04):
They all have different vendor chains, and all those ecosystems of standard certifications have a technical challenge of operating together, but then on a security management side, making sure that all the vendors that are supporting all those variety of solutions actually have their security protocols and standards in place. That's the challenge that is facing people who have responsibility for, and I like to call it more enterprise security, because you have a physical component and then you have the digital cyber component, and making sure that there's an interplay. When I spoke in the previous episode, that you have this interplay of expertise that's, on the one side, dealing with access controls, and who should have access and a lot of those HR elements. Then, on the digital and the technical aspects, and making sure that things are up to snuff, and then linking into the supply chain of vendors who are delivering all those solutions to those companies. That's the challenge at hand.

Mikkel Svold (15:14):
Now, I wanted to just start off with talking about the supply chain security, because that was basically where our little talk before turning on the microphones was, but there's also collaboration and collaborative efforts going on between governments, research institutions, and of course private sector people. Can you maybe talk into that a little bit, and what is happening and why is it important?

Jeffrey Saunders (15:42):
Well, I think, as you could already hear, the complexity of challenge is so great, that there's no one, single, entity that has the ability to continue with this challenge, so you have government, oftentimes, are the ones helping or setting the rules and regulations. The private sector is also agreeing to standards that work, and these are the acceptable standards for getting some of the things around the elements around 62443, as an example of one of them and to name several others, but then also on the research institution side, what are the next technologies or the next phases of technologies?

(16:28):
One of the things that they're looking at about what are the new emerging types of connection technologies, whether the new Cryptographic standards that could be coming up, whether the new aspects around, if you're talking about the socio-technological aspects of how do organizations and individuals interact with their technologies, and these are all areas that need to be researched and understood, but then there's also the education component. How do we educate the next generation of cyber security specialists? But then also the broader community of what type of digital competencies do they need to have, and a broader aspect, the users of this? You need that interplay to actually start talking about, how do we make our societies more secure in the cyber security context?

Mikkel Svold (17:27):
And how does that, Samant, representing a private company, how does that pan out in real life? What do you do?

Samant Khajuria (17:36):
Yeah, sure. I mean, we do our bit, in the sense that we are in close touch with many of the research institutions, and we are in close touch with many of the universities at the Danish level, also at the international level, and at least from a Danish perspective, what we do is, as we have talked for the past five minutes about the operational technology, OT part, five, eight, ten years ago, OT almost didn't exist. It was only in the factories, so basically, operational technology was something that was the PLCs that are in the factories for handling the machinery, and so on and so forth. Today, operational technology is something baseline or sentiment for when we talk about smart cities, smart hospitals, smart defense networks, multi-domain operations, and so on and so forth, and the list goes on and on.

(18:36):
If, at the university and at the research level, we don't bring that knowledge and know-how of how the future workforce should look, then there is a gap, and then there is only scratch in that sense. This comes quite often, that things are so fast-paced, that making a difference, if we make a difference, then to see the fruits of that will take a few years before we can see that. That is one of the things from a cyber perspective, what we have discussed earlier, also previously with Jeff, that we should not be seeing cyber only as a discipline. In the previous episode, I talked about the horizontal and the verticalness of the cyber. This means that cyber needs to be embedded in many different types of research, types of education, rather than having its own, singular domain.

Mikkel Svold (19:37):
And is that development on its way, Jeff?

Jeffrey Saunders (19:41):
Yes and no. I mean, there's aspects around, there's the need and the requirement, but there's the verticality of it, and there is an element where there's more and more movement toward the horizontality of integrating it into more and more things, but this is a mindset shift that takes time to work through. I mean, one of the aspects around humans is that sometimes we're slow to recognize and adapt to change. That's one of the things that, when we think about, "How do we contend with this issue?" One thing is how do we educate the next generation, but how do we re-educate and up-skill people on an iterative process? That's some of the things that we're having to contend with.

(20:25):
One of the things that I think we didn't touch upon before, that's a difference between IT and OT, is that operations technologies are the things that we typically interface with and have a great dependence upon, but there are also elements where, if you had a data breach previously, that was a privacy intrusion, it had a disruption to operations, but when you get into operations technologies, you're actually getting into some elements that have impact on direct human life that can cause explosion, physical damage. If you hack into medical devices, things like that, you could directly kill people. You could actually impact human life, which impacts to the degree where it could lead to the loss of life. That is in a much more intense and impactful way than previous types of what people typically have thought of in an IT data breach, so this is a whole different level of criticality.

Mikkel Svold (21:31):
Yeah, because when you say IT data breach, often what I would mostly think about is that has economic consequences. The data breach at Maersk, or any of the other big players in the market, they've probably all been exposed to data breaches of some sort, but it just comes with a huge financial cost, where now with OT breaches, I don't know if that sentence makes sense, but OT breaches, we are talking direct impact on human lives. I'm just wondering whether, in defense, I think that is one of the places where you would expect that development is or that defense officers, they are looking at the development with a really sharp eye, whereas if you go to other parts of critical infrastructure, you mentioned hospitals yourself, it could be energy parks, it could be all kinds of that sort, do you see the same attention to cyber security, or is it more viewed as in, "Oh. If we have the money, we'll add it on"?

Samant Khajuria (22:39):
I mean, it is a little bit of a catch-up game. I would say that the overall defense is very serious about the cyber part of this, and there's no doubt about it, but there is a part where we are evolving digitally so fast, that the cyber part of it needs to catch up, because cyber cannot be put on top of things as an add-on, and whenever we have done that, we have created complex systems with lots of overhead and usually quite expensive, so it's like making a legacy system talk to a state-of-the-art system, and that becomes quite complicated.

(23:25):
So, there is quite a lot of catch-up there that we need to do. Having said that, I know that at least Terma is involved in one of the projects at the European Defense Fund, where we, across Europe, are building cyber-physical test labs for operational in defense. This means, where we are doing OT test procedures, having the right way of right tools to test the assets, like a drone, for example, in defense, like a radar system, like a 5G network, or even a tank, for example, that we should be able to test this with this. The good thing about these kinds of projects is, all across Europe, there are 17 to 20 nations that are involved in this. At the end of the project, there is a pan-European consensus on how do we do the testing of these things at the European level?

Jeffrey Saunders (24:33):
I think that that aspect of the EDF projects is a good representation of this triple helix approach, where government, research institutions and the private sector work together, because there's that element, when we think of research institutions, we think, "Ah, just purely R&D." Yes, there's elements of research and development, but there's also testing and evaluation, and you need that triple helix to, one, it is oftentimes governments, in collaboration with the other partners, that set a mission, set a direction, set some standards and frameworks. The research institutions do the R&D and the testing and evaluation to see, "Okay. What are the general directions and technologies that could work, and how do they work well together?"

(25:16):
It's the private sector that is skilled at taking that information and creating it into something scalable, and that's what needs to happen to address these challenges, so that interplay of EDF projects, but in aspects that we're talking about between defense and also critical infrastructure, we're in the dual-use space. So it's not just EDF, but it's also Horizon in the European context and other research areas, because there's so many of these technologies that have dual-use applications that exist both in the defense sector, and then also in the other sectors that are necessary for our critical infrastructure. In cybersecurity, we need to start thinking about that knowledge sharing around, how do we protect these cyber-physical systems, which is the IT/OT system, moving forward.

Mikkel Svold (26:17):
I'm wondering, do these complexities and the defense agenda, so to say, or the cyber defense agenda, do they get equal attention from all allies throughout Europe and NATO as well, or is it something that we talk about here in Denmark, and then we try and push?

Jeffrey Saunders (26:41):
No. I think it's, from what I see, and Samant can correct me if I'm wrong, this is on everybody's radar.

Mikkel Svold (26:47):
Yes, yes.

Jeffrey Saunders (26:47):
We can see, from what we see in the conflicts in Ukraine and elsewhere, that if you don't have control of your cyber security and your cyber-physical systems, then you're going to have a lot of problems operating. Now, each nation has, when we start talking about the civilian side, differing levels of the digitization of their society. So they have different threat pictures based on their degree of maturity in certain areas, but this is on everybody's radar, particularly on the defense side, particularly on the NATO side, because there are certain requirements that NATO countries have to meet, but no, this is on everybody's. This is not just a Danish push. In certain respects, we could say that, in some areas, there are other countries that are a little bit further ahead.

Mikkel Svold (27:43):
So, we should also look out for getting inspiration and ideas for innovation in other places. That's always good to know, isn't it, that you get better when you're not the best in the class, right?

Jeffrey Saunders (27:58):
This is such a complex topic, that there's nobody who's the best in class in all areas, so you're going to have areas where certain countries, certain industries, certain people are better than others, and again, that knowledge sharing, or they've had an experience that nobody else has had yet. So they've had that experience, and we were talking about, in other conversations, that we think about cybersecurity as hiding our dirty laundry, but this is an element where we have to think about, if you've been subject to an attack, sharing that information so you could protect others from being attacked in the same way, so certain countries, certain industries have been vulnerable to certain types of attack. How can we take that knowledge to protect the other sectors that haven't been exposed to that attack?

Mikkel Svold (28:52):
I'm thinking now, our time is nearly up, but I want to ask you guys, on that note, basically, what are you expecting from future collaborations? How are we to approach collaboration, both within sectors, but also across government, research, institutions, private sector, all these different kinds of sectors? How are we approaching that in the future, and what would be on your wishlist? Samant?

Samant Khajuria (29:25):
Yeah. I mean, a bucket full of wishes here. No, I see that. I mean, sometimes this topic does get a little bit sensitive, and sometimes what people can share, what nations can share, and so on and so forth, it becomes a bit complicated in that sense. For example, I was talking about this project, what we are doing in EDF, European Defense Fund, and there, we are trying to take a federated approach towards doing things collectively and together, but one of the key challenges that comes in is, if Denmark would like to test something which is classified to Denmark, will they be using the resources from another country to test their systems or not?

(30:18):
Those are key fundamentals, and that goes back to what Jeff said before, trust. So, at least at the European level, at the NATO level, there needs to be a strong trust between the nations, so that we can collaborate much better. This means that we talk to each other. I mean, not everyone needs to talk to everyone, but at least there are correct forums where information can be shared, or at least can be disseminated for key people or key organizations and key industries. Industries need to talk to each other. Industries need to be closer to their research institutions to have good, common alignment with their-

Mikkel Svold (31:18):
And Jeff, what's on your wish list?

Jeffrey Saunders (31:20):
I think that I share many of the same opinions that Samant has, and I think a big part of it will be there will be a federated approach in this moving forward, and that also requires that each of the actors in the triple helix model has a really good risk and threat-based approach to how they approach cybersecurity, and that's also on the research security side for universities as well. That's something that, just like others have been playing catch-up, that's something that we're playing catch-up upon as well and getting our house in order to contend with all those aspects, so this is an element that is moving very rapidly.

(32:06):
There's a lot of technological change that's occurring all over the place, and there's that sense-making process that needs to be done about, how do we assess the threats that we face, and then how do we develop the solutions to mitigate those threats? That can only be achieved by finding new and innovative ways to collaborate with each other across government, research institutions and the private sector, and that's the thing that we're working with at the National Defense Technology Center, to identify those new approaches so that we could identify solutions, work with the private sector to scale them into capabilities, and then work with government to bring them to bear and integrate them so that we can create a more secure Denmark, a more secure Europe, and a more secure NATO alliance.

Mikkel Svold (32:59):
I think let those be the last words. I think it's a really, somehow, reassuring point, that we need all the technology in the world to make sure we have a safe and cyber secure surrounding and space around us, but when it all comes down to it, it's a lot about trust still, so it's a lot about trusting who you buy from, trusting your supply chain, and of course trusting your allies throughout your country and your allied countries, and I think that's really...

Jeffrey Saunders (33:33):
But also verify.

Mikkel Svold (33:35):
But also verify. But also verify. Yeah, but the one can't stand without the other, I think. Samant Khajuria and Jeffrey Saunders, thank you so much for joining us again today, and again, to you out there listening, if you liked this episode and if you found it interesting, do share it with someone else that you think would be interested as well. That could be a friend or a colleague or even a family member, if you want. That'll be really nice, and it helps us spread the word and helps us spread this agenda as well, about keeping our surroundings safe from cyber attacks.

(34:11):
If you like the podcast, give it a like, give it a share. Give it maybe a review. That will really help us as well, and if you have any comments, questions, or topics that you want us to discuss on this podcast, do reach out to us at podcast at Terma.com. That's podcast@Terma.com, and there'll be someone on the other end, trying to help you out and pass on the message to me. I think that's all we will talk about today, and I think what's left is just to say, thank you so much for listening. Thank you.