“It’s not about compliance anymore. This is about our society.” Jaimy Thepass on raising the bar for critical infrastructure security

“Is it enough?” That question keeps coming back in conversations with Jaimy Thepass. Not because she’s trying to create panic, but because she has seen the threat landscape tilt in real time: away from fast ransomware-for-cash and towards long-running, stealthy operations aimed at disruption, espionage, and control over critical processes.

Jaimy is Business Development Manager at Sentyron. After several years in the private sector, she deliberately moved closer to defence and critical infrastructure again. “After four years, it felt like a good moment. I wanted to get closer to Defence again, especially with the geopolitical situation of the past months and years.”

The threat isn’t ‘money’ anymore. It’s leverage.

Jaimy spent fifteen years in Defence, in the Army, first as an NCO and later as an officer, always in the communications domain. “Everything related to IT capabilities.” The final five years of her career were in Electronic Warfare, followed by three years at the Defence Cyber Command. “That’s where my passion for cyber was sparked.” That background shapes how she looks at today’s attacks. Not as something you can manage by finishing a checklist, but as something you prepare for as if it will happen. Because it will.

What has changed most in recent years? “The biggest shift is that we’ve moved from ransomware, fast money, encrypting systems so you can demand a fee, to more advanced, long-lasting attacks by advanced persistent threats.” And she’s clear on where those actors focus. “It’s mainly Russian and Chinese actors we’ve seen a lot recently. And they’re targeting energy, telecom, ports, water, defence.” Not because those sectors offer the quickest payout, but because they offer pressure and leverage. “You can see that geopolitical changes are genuinely impacting how these actors behave. The landscape has changed.”

Jaimy almost sounds relieved when she says it: “We’ve collectively chosen to finally accept cybersecurity for what it is.” Many organisations now have monitoring, pen tests, red teaming, and incident response in place. Teams are on standby. Processes exist. But her core point is realistic: “That still doesn’t mean you’re safe.” If you assume an attack will happen and you have response plans ready, do you actually have control? “Can we honestly look each other in the eye and say: I think we’re truly secure now? Or is everything moving so fast that it isn’t like that anymore, and do we even dare to say it?”

Why energy and OT are fundamentally different from ‘regular IT’

When the conversation turns to energy systems and OT, the difference is not theoretical. It’s societal. “Our society has to run on energy, water, and similar essentials.” If a grid fails, whether because balance is lost or because communication to critical infrastructure breaks down, everyone feels it. “So it is genuinely of vital importance to ensure it remains protected.”

She does see progress: “Energy systems and OT environments have been designed differently in recent years.” Less of the old pattern where you could ‘push an update here and there.’ Still, she notices how much remains compliance-driven. “There are very few technical people in OT I’ve spoken to who say: I truly believe this is unacceptable, and I’m going to do something about it now.” And even when they do, investment decisions sit with the board. “They still have to convince a board that actually has to spend the money.”

Asked about incidents like the situation in Poland, Jaimy’s first observation is telling: “No one saw it coming. Because we thought we had everything in order. Afterwards, it’s always easy to explain. Often it’s about the things you didn’t close off because you didn’t see them, or because you didn’t try hard enough to find them. The method wasn’t magical. It was effective. It’s actually very logical how they got in. The toolkit they used worked. This was really about disrupting something. And that’s a trend we’re seeing now, and it’s not going to stop.”

The attack surface has exploded, all the way to the edge

Another shift matters just as much: “The attack surface has expanded.” Ransomware criminals often move on quickly when they hit resistance. But state-backed actors don’t. “This is an actor who wants to get into a very specific place, because they have a goal: to disrupt, to spy, and to remain there for a longer time. Not detected.”

And that changes the scope of what needs protecting. “From edge devices to maybe even the simple box you have at home controlling your solar panels.” In other words: critical chains increasingly start with ordinary components, ordinary suppliers, ordinary environments. So the question isn’t only for operators of vital infrastructure, but for the whole ecosystem: “From the regular citizen like me to the big energy companies in the Netherlands and the EU, everyone has to think: what if?”

And for critical infrastructure, she increasingly believes the answer demands a next step, beyond hygiene and resilience, towards measures that provide a higher level of certainty. Not just being able to respond and recover, but being able to trust that essential information cannot be manipulated. “I’m thinking more and more: isn’t there something else, not only about resilience, but that can truly ensure that your data is safe? That it simply can’t be tampered with? I think ‘disruption’ is such an important word. Because this goes beyond compliance. This is about our society.”

Availability is king, but does it make us blind?

In OT, availability often dominates. Processes must keep running. But Jaimy challenges that default. “The question is whether our focus on availability makes us a bit blind.” She warns about box-ticking turning into false reassurance. “In my eyes, that becomes a kind of false security.”

She wants the sector to seriously consider integrity as a first-order concern: “What if we moved a bit away from availability and looked more at whether we can say: this information is trustworthy, it hasn’t been manipulated? Because if incoming information is wrong, the consequences can be physical. Then it’s no longer just about disruption, it’s about human lives.”

She makes it concrete with industrial examples: data coming from a refinery, measurements, process signals. If that data can be altered, the outcome can be dangerous. Explosions. Unsafe situations. A system that’s ‘online’, but unreliable. Here, her Defence background returns. “In Defence we call them what-if scenarios. You have most likely scenarios, but also most dangerous scenarios. And those most dangerous scenarios need to be discussed openly across organisations and sectors. Because a few minds can’t decide the fate of the world.”

A message for CISOs, CIOs, and board members: go back to your turning point

Her advice to decision-makers is surprisingly practical. “Go back for a moment to where you started. When you first heard about hackers, when you first asked yourself whether to invest in monitoring. Then ask: what scenario pushed you over the line back then? Which serious scenario, which threat, made you decide? Now repeat that exercise with today’s landscape. We can’t say that what we did before is still enough.”

She ends with a simple line that fits any boardroom precisely because it’s uncomfortable in its clarity: “If you do what you did, you’ll get what you got.” And that’s exactly why the bar for protecting critical infrastructure has to move, now.