Author, speaker, trainer, advisor. Creator of the Security Culture Framework. Inspiring leaders worldwide. Motorcycles, food, cybersecurity. What's not to like?
Audit test:
If an auditor walked in today and asked for evidence your controls are working — not that they exist, not that they were funded — what would you show?
Policies and records = evidence of effort.
NIS2 asks for something else.
https://t.co/Qg3NMaza7X
For 19 years, Verizon's DBIR said the same thing: the human is the door. Hand over the wrong credential, and the attacker is in.
This year it changed.
Unpatched machines are now the #1 breach vector. Here's what that means — and what NIS2 just made personal: 🧵
The accountability cascade:
Board approved the framework →
CEO delegated the programme →
CISO ran the scanners →
Scanners missed entries never enriched by NVD →
Patch window: 43 days. Adversary: hours.
Everyone in that chain without evidence of active oversight is exposed.
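The cascade above turns on one technical fact: a scanner that matches assets by CPE cannot match a CVE that NVD has not yet enriched with CPE configurations, so the finding never appears and nobody in the chain sees it. The following is an added example (not the author's code, not from the thread) that makes that gap visible. The records are constructed to resemble NVD CVE API 2.0 entries; the field names (`vulnStatus`, `configurations`, `cpeMatch`, `cvssMetricV31`) and the exact-string CPE match are assumptions made for the illustration, and the 43-day patch window is taken from the tweet.

```python
"""Show which CVEs a CPE-matching scanner silently skips while NVD enrichment lags.

Added example, not the author's code. Records below are constructed to look like
NVD CVE API 2.0 entries; field names and the exact-match CPE logic are assumptions.
"""
from datetime import datetime, timezone

CPE_PRODUCT = "cpe:2.3:a:vendor:product:1.0:*:*:*:*:*:*:*"  # constructed asset CPE

# Constructed sample: one enriched record, two that NVD has not enriched.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2026-0001", "published": "2026-01-05T10:00:00.000",
             "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"criteria": CPE_PRODUCT, "vulnerable": True}]}]}]}},
    {"cve": {"id": "CVE-2026-0002", "published": "2026-02-01T10:00:00.000",
             "vulnStatus": "Awaiting Analysis", "metrics": {}, "configurations": []}},
    {"cve": {"id": "CVE-2026-0003", "published": "2026-02-20T10:00:00.000",
             "vulnStatus": "Deferred", "metrics": {}, "configurations": []}},
]


def vulnerable_cpes(cve):
    """Collect the CPE criteria NVD marks as vulnerable (empty if unenriched)."""
    out = []
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if m.get("vulnerable"):
                    out.append(m["criteria"])
    return out


def has_cvss(cve):
    """True if any CVSS metric block is present."""
    metrics = cve.get("metrics", {})
    return any(metrics.get(k) for k in
               ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2"))


def scanner_matches(records, asset_cpes):
    """What a naive CPE-matching scanner reports: exact-string CPE overlap only.

    Simplification: real scanners use version ranges; exact match is enough
    to show that a record with no CPE data can never match anything.
    """
    assets = set(asset_cpes)
    return sorted(r["cve"]["id"] for r in records
                  if assets.intersection(vulnerable_cpes(r["cve"])))


def unenriched(records, now, patch_window_days=43):
    """Records the scanner cannot see, with how long they have sat unenriched."""
    findings = []
    for r in records:
        cve = r["cve"]
        if vulnerable_cpes(cve):
            continue
        published = datetime.fromisoformat(cve["published"]).replace(tzinfo=timezone.utc)
        age = (now - published).days
        findings.append({
            "id": cve["id"],
            "status": cve.get("vulnStatus"),
            "has_cvss": has_cvss(cve),
            "days_unenriched": age,
            "past_patch_window": age > patch_window_days,
        })
    return findings


if __name__ == "__main__":
    now = datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc)  # constructed "today"
    print("scanner reports:", scanner_matches(SAMPLE_RECORDS, [CPE_PRODUCT]))
    for f in unenriched(SAMPLE_RECORDS, now):
        print("invisible to scanner:", f)
```

The point of the second report is the oversight evidence the thread asks for: the scanner output alone says one CVE, while the unenriched list shows two more the scanner could not evaluate, one of them already older than the patch window. Tracking that second list (and deciding what to do with `Awaiting Analysis` and `Deferred` records, for example by pulling vendor advisories instead of waiting for NVD) is the kind of active oversight that distinguishes "we run scanners" from evidence that the control works.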
The PLCs are now networked. The SCADA systems are remotely accessible. The maintenance vendor has a VPN. The HVAC contractor has another.
The digital entrance has no credential at all.
In 2007, I walked into a factory in Northern Europe without showing ID to a single person.
The only credential: a hair net.
That factory got connected. The hair net didn't change.
Two executives in a board meeting.
One: "Our AI token consumption is up 3400% month-on-month."
Board: "What are we getting for it?"
The other: "Token spend is flat. Output quality is up. Decision error rates are down."
Only one of them owns the room. Thread on why →
The perimeter guard is still in his booth.
The door is still unlocked.
The hair net is still the only credential required.
2007 → 2026. Not the factory. What's waiting outside.
Part 2 of 6: https://t.co/X1GRuy8zrt
Nord Stream. Baltic cables. GPS jamming. Hormuz. Eskom. Taiwan Strait.
They look like separate crises in separate regions.
They're the same vulnerability: critical systems built on the assumption that the outside world would stay stable.
It didn't.
The Strait of Hormuz closed in March 2026.
20% of the world's oil moves through that waterway. Tanker traffic collapsed.
6,000 km from that chokepoint, the factory I walked through in 2007 felt it. More directly than any intruder at the gate.
#cybersecurity
GPS jamming across Scandinavia is now routine.
Aviation. Maritime. Emergency services. All affected.
The same spoofing is documented across the Middle East, Black Sea, South China Sea.
Any nation dependent on satellite navigation is exposed. Which is every nation.
September 2022. Three of four Nord Stream pipelines destroyed by underwater explosives in the Baltic Sea.
Critical energy infrastructure. Assumed untouchable. Gone overnight.
Europe's gas supply architecture changed in a single day. That's not a risk scenario. That was Tuesday.
In 2007, I walked into a factory. Nobody stopped me.
In 2026, that door is still unlocked. What changed is everything outside it.
Nord Stream. Hormuz. GPS jamming. The pink cloud turned red. 🧵
https://t.co/X1GRuy8zrt
The factory hasn't changed in 19 years.
What's changed is the world outside it.
Part 1 of 6. Full piece: https://t.co/OsvkzXwmnO
#CriticalInfrastructure #PhysicalSecurity
I asked: what if this had been a terrorist with anthrax?
Published the story. It circulated. People nodded. Everyone moved on.
The factory didn't change.
And when a critical infrastructure failure traces back to a governance gap — unreviewed access controls — that's not an ops problem.
That's a board accountability question. A fiduciary liability question.
That was one of Norway's largest food producers. One year after a food poisoning scandal that killed customers.
If ANY facility should have been locked down, it was this one.