Protecting Smart Factories from Smart Attackers

August 21, 2025
 

Smart factories promise efficiency, automation, and global competitiveness—but they also expand the attack surface for cyber adversaries. In this episode of Exploited: The Cyber Truth, Paul Ducklin and RunSafe CEO Joe Saunders dive into the realities of protecting industrial control systems (ICS), operational technology (OT), and IoT-connected environments from nation-state actors, supply chain risks, and creative attackers.

Key discussion points include:

  • The evolution of the Purdue model in cloud-connected operations
  • Competitive risks of industrial espionage and data exfiltration
  • Why compliance is not enough—and how robust software practices improve both safety and quality
  • Practical approaches to safeguarding legacy devices without slowing performance
  • The importance of SBOMs (Software Bills of Materials) and visibility across industrial ecosystems

Whether you’re a manufacturer, supplier, or operator, this episode equips you with the strategies needed to secure your smart factory and protect your competitive edge.

 


Speakers: 

Paul Ducklin: Paul Ducklin is a computer scientist who has been in cybersecurity since the early days of computer viruses, always at the pointy end, variously working as a specialist programmer, malware reverse-engineer, threat researcher, public speaker, and community educator.

His special skill is explaining even the most complex technical matters in plain English, blasting through the smoke-and-mirror hype that often surrounds cybersecurity topics, and  helping all of us to raise the bar collectively against cyberattackers.

LinkedIn 


Joe Saunders:
Joe Saunders is the founder and CEO of RunSafe Security, a pioneer in cyberhardening technology for embedded systems and industrial control systems, currently leading a team of former U.S. government cybersecurity specialists with deep knowledge of how attackers operate. With 25 years of experience in national security and cybersecurity, Joe aims to transform the field by challenging outdated assumptions and disrupting hacker economics. He has built and scaled technology for both private and public sector security needs. Joe has advised and supported multiple security companies, including Kaprica Security, Sovereign Intelligence, Distil Networks, and Analyze Corp. He founded Children’s Voice International, a non-profit aiding displaced, abandoned, and trafficked children.

LinkedIn

Episode Transcript

Exploited: The Cyber Truth,  a podcast by RunSafe Security. 

[Paul] 00:00:06  Welcome back to Exploited: The Cyber Truth. I am Paul Ducklin, joined today by Joe Saunders, CEO and Founder of RunSafe Security. Hello there Joe, you have a big smile on your face.

[Joe] 00:00:20  Greetings, Paul. Great to be here as always.

[Paul] 00:00:23  I suspect the smile is, at least in part, because this is a fascinating topic that you just happen to know an awful lot about. And today’s title is Protecting Smart Factories from Smart Attackers. That is almost a boundless subject, isn’t it? Because a factory isn’t just a bunch of welding machines or a bunch of industrial robots. It will have delivery yards, it will have collection points. It will probably have a whole office campus associated with it, with its own it and its own non factory workers working there. It’s kind of the worst of all worlds mixed into one, isn’t it?

[Joe] 00:01:04  It’s a fascinating area, and you may say from a cyber defense area, the worst of all worlds, but certainly an exciting place to be.

[Joe] 00:01:12  Yes, especially with all the advancement in technology, the digitization of all the robotics that goes on or the sensors around the facility and whatnot. So I find it a fascinating area on the forefront of automation and robotics and certainly autonomous systems in general.

[Paul] 00:01:33  So, Joe, when it comes to building a secure environment that allows you a mixture of automated devices, say, a welding machine or a temperature sensor all the way up to the IT infrastructure that runs around the factory and the office is surrounding it. There’s a thing known as the Purdue security model, but that is rather based on the idea that things are, well, segregated level by level, isn’t it? Which isn’t necessarily the case in a cloud world.

[Joe] 00:02:07  Yeah, that’s the whole issue. We think about maybe historically looking at the Purdue model to segment operational technology into up to five layers. And those layers are from the ground level. Level zero would include those sensors and robots and actuators. And then at level one you would start to see the different types of controllers, the PLCs, that are interacting and sending signal to that equipment on the floor.

[Paul] 00:02:35  Now PLC for our listeners, that’s programmable logic controller. So it’s a very special type of computer that is typically programmed by, say, a windows computer on the IT network that downloads a special program that precisely controls things like, well, dare we say, centrifuges, if you think back to the Stuxnet virus, but also temperature sensors, pressure sensors. Things that work in an environment that is very different from the one where a typical windows computer sits.

[Joe] 00:03:07  Exactly. So if you look at the signal in the control that might be going on onto those shop floor or factory floor industrial equipment, you can imagine then having that layer is a key access to get to all that equipment, those PLCs, those controllers are not easily manageable in that sense. So then that brings us to the next level of control, where you have your HMI, your human machine interface.

[Paul] 00:03:34  So that would be like the panel with the buttons.

[Joe] 00:03:37  Exactly. And that’s where things get interesting because you start to figure out, okay, how are we communicating to those devices? How are they communicating to the controllers? And how is all that connected into the factory floor? They’re on level zero.

[Joe] 00:03:51  So we’re at level two. And then next to those human machine interfaces where you might have that switch, you talk of we’ve got the SCADA systems that allow you to monitor and control industrial processes in general. With that said, it makes sense that you would have the structure of this Purdue model structure where you have those three levels up from there. You are going to have some systems that collect data and monitor historical activity and give you workstations to gain access to these SCADA systems and whatnot. And the whole question is then, do you have that divided, that whole OT infrastructure divided from your IT systems and those IT systems at the enterprise level would be levels four and five. In some views there’s a DMZ between the IT and the OT.

[Paul] 00:04:40  The traditional way of thinking of a DMZ. If you’re thinking of, say, your home network, it’s your router. There’s one wire that goes to the internet and there’s another wire that goes to your wireless access point, and never the twain shall meet. But we also know that these days, even thinking of a home network, there may be lots of devices you have that can connect to the internet anyway.

[Paul] 00:05:04  They might come with their own Bluetooth. They might come with their own mobile phone SIM card. Air quotes for emergency backup. So that nice layered model with the DMZ in it. There are all sorts of tentacles sticking out from the side, possibly at every layer. What if you have a valve actuator that just happens to be able to communicate in two different ways by wireless and Bluetooth? And what if both of them are connected at the same time by mistake? How would you ever know exactly?

[Joe] 00:05:33  And so that becomes the big question is what if these factories are then connected to the cloud? And maybe there’s really good reason for it. Maybe it’s inventory tracking in other systems that are tied to other systems in the outside world. Maybe it’s ways to get better management across factory floors and connect data. The whole notion then of having industrial IoT devices that are bringing value, that may actually be connected to the outside world, then sort of puts, I wouldn’t say that the Purdue model is irrelevant. It just changes the complexity a little bit.

[Joe] 00:06:10  And so with that said, I think what we’re finding in general with smart devices, in smart factories in the world of smart attackers is that these connected devices, of course, bring productivity gains, but also bring a new level of security consideration.

[Paul] 00:06:27  And I guess there’s also the issue that although we should be deeply concerned about attackers getting into, say, a factory network and being able to get right or execute access by fiddling with things that they shouldn’t be in. We can talk about that in a moment. Even if all you have is the ability to look at a webcam, retrieve data from some scalar device, even if all you’re doing is essentially spying on what’s going on in the machinery, that can give you an enormous competitive advantage. Commercial advantage, national level intelligence advantage, couldn’t it?

[Joe] 00:07:08  You certainly can imagine and get creative thinking. Would a manufacturer in China want to know what’s being produced in Germany or some other scenario like that? And what are the considerations there? And in an age of supply chain risk and as you say, competitive intelligence to really understand where you stand against competitors, there’s a lot of different reasons, independent of simply taking down systems on a motivated attacker who wants to sabotage something.

[Joe] 00:07:39  But exfiltrate data in these environments is certainly one of the top risk indicators and drivers of the cyber threat in the first place.

[Paul] 00:07:48  So it’s not just the robots have gone amok. The welding machines have welding each other together and shutting down the factory. It could be something much less obvious, such as hey, someone who does not have our best interests at heart knows how much chromium we’ve got in the stores for the manufacturing. Somebody knows that we’re falling behind on production of goods. Somebody knows that there’s a whole new project. So read only access inside a factory is actually a clear and present danger, isn’t it?

[Joe] 00:08:21  It is, present, in clear danger, so to speak. I guess if you think about some of these manufacturing companies, they are multinational firms. In many cases, they have plants around the world.

[Paul] 00:08:34  Yes.

[Joe] 00:08:34  And with that, there is a need for the enterprise itself to know all this information about their own operations. But then again, that same data in the national security realm, data is one of the new forms of oil, if you will.

[Joe] 00:08:49  It’s one of the key units of production that really make a difference in understanding what’s going on. And so if you combined data collection with analytics, then you can have certainly a head start over your competition or maybe worse through country level, nation state level competition.

[Paul] 00:09:06  Well, we already spoke about this, if you like, when we spoke about Salt Typhoon in an early podcast, these Chinese hackers were probing industries around the world, seemed to have a particular predilection for getting into telecommunications companies. And then in the US realized, hey, there’s warranted surveillance that’s been collected for things like criminal court cases. Why don’t we just take that? It’s going to tell us all sorts of exciting and interesting stuff. A smart factory needs to be smart so that you can run it smartly, but a smart attacker doesn’t have to know exactly what they want before they break in. Once they’re in, they can have a look around and go, right. That’s interesting. That’s even more interesting. Let’s take all of it.

[Joe] 00:09:55  So oftentimes I joke that it’s really just up to the level of creativity of the attacker.

[Joe] 00:10:00  But your question is a good one, and it points out a different angle. That is very important to consider, which is you might not know what you’re looking for necessarily, and then you might find some goods. All the more reason to have more robust security and segmentation. But you’re right. The well motivated attacker, the first step is to see can they gain access. And then they’ll figure out, well, what can they gain access to once they’re inside. And then they might figure out, okay, how do I want to persist and leverage what I found once once I got in there?

[Paul] 00:10:33  So Joe, given that there are so many different risks at so many different levels in a typical factory environment, what standards exist that a factory owner or operator either has to comply with, or ought to aspire to comply with, because it means they’ve thought the problem through, at least in part.

[Joe] 00:10:55  Yeah. So certainly if you think about factory floors, there’s safety issues and security issues, certainly. And those security issues would be cyber related.

[Joe] 00:11:05  So standards like IEC 62 443 help guide you along on the security side. Are they required? No, they’re not mandatory. But they are a strong indicator of your commitment to the security posture of your enterprise and will go a long way to ensure that you’ve got the right practices in place. So 62443 is widely adopted and acknowledged by people as being the right level of detail for OT systems inside industrial automation facilities. With good reason, because as I’ve mentioned in the past, when we think about autonomous systems, we’re also thinking about safety or safety of flight. But in industrial automation, we’ve got blades, we’ve got equipment, we have forklifts, we have autonomous systems within it.

[Paul] 00:11:55  Some factories these days are manufacturing plants do actually also have flight, don’t they? They use drones to move things around. So it’s all of the above.

[Joe] 00:12:06  All of the above. And it’s far different than the Rouge plant south of Detroit when it was all raw materials brought in. And you build everything in, in your own walls, so to speak.

[Joe] 00:12:18  Here you’re getting component parts and manufacturing things, but you have all this industrial equipment that’s doing a lot of the operations and with forklifts, with drones, with other devices that are automated. Certainly safety is a concern.

[Paul] 00:12:32  So, Joe, that 62443 standard, that’s a joint standard of AISA, which is the International Society of Automation and the IEC, the International Electrotechnical Commission. So it’s not just something that some bean counters thought of given that it’s not compulsory. Do you want to say something about standards and compliance and how you should fit that into, if you like, the spirit of your organization? Because I think there are still an awful lot of companies out there that go. It’s a checkbox you have to check off, and then you’ll riches will multiply. You should be approaching it from a completely different angle, shouldn’t you?

[Joe] 00:13:19  Yeah. I mean certainly checkbox compliance is an approach that some people can take. And essentially you’re saying we’re going to do the bare minimum. We’re going to avoid disrupting operations. Yeah.

[Joe] 00:13:31  And we’re going to just simply do what we can on paper to suggest that we’re in compliance. And what that does, I mean, what security means when we’re dealing with software, when we’re dealing with industrial assets, industrial automation, facilities quality is one of the aspects of these organizations. And having good practices around software and software security is a subset of quality. And so I don’t think people want to just accept whatever level of bugs they have in their software is simply okay, and we’ll just move on because it’s not the end product. It’s a reflection of the organization and how they approach quality in general. And so with that safety and security, of course, matter, and the more robust your software practices are, the higher the quality standards you have in your products. And in fact, perhaps the more efficient operations you will have. I tend to find that the organizations that have more robust software development, more automated tooling, more automated processes, fewer manual tests and the like, the ones that are automated have fewer bugs, fewer vulnerabilities, better security, better products.

[Paul] 00:14:48  And that’s not because they’ve used AI to eliminate humans, is it? It’s because they’ve used automation and AI to free up the humans to do a higher order task that actually brings security down from the top, not just trying to patch it in afterwards like the bad old days.

[Joe] 00:15:06  Exactly. Because in the bad old days you are chasing patches. And what we want to do is increase code quality, reduce security exposure, and as a result, elevate safety overall in these products and overall quality of programs and products that get produced.

[Paul] 00:15:25  Joe, maybe I can ask you a possibly quite tricky question to answer, both technically and culturally. If you’re somebody who believes in secure by demand, which is where you would prefer to acquire products and services from somebody who can show that they take at least cyber security seriously, then you might ask the question, do you have IEC 62443 certification? And if the answer comes back, yes. What question do you ask after that to make sure that you’re not just talking to a checkbox compiler?

[Joe] 00:16:03  Well, I always want to ask about your software development practices and your software development lifecycle and what you’re doing in the software development lifecycle to integrate security.

[Joe] 00:16:18  And that really tells me. Are people bolting on security after the fact and maybe trying to complete that checkbox security? Or have they thought through their processes more completely and have more robust processes to ensure that security can just be part of the equation and integrated and built in in the first place? Another follow up question to that would be what does your patching process look like? What does your testing process look like and how do you manage that? And how do you manage the trade offs between tech debt and new feature development tech debt?

[Paul] 00:16:56  Now, you know that I don’t like that term because I think it’s a bit of a euphemism. It kind of means we took all sorts of shortcuts to get the product out of the door in the first place, and we’ve never gone back and corrected the sins of the past. But I know what you mean. All companies will eventually accumulate code or products or components that aren’t perfect, possibly because they were found to be flawed after they were deployed with the best will in the world.

[Paul] 00:17:25  How good are you, and how willing are you to go back and confront that? That is a very important question, isn’t it?

[Joe] 00:17:32  It is. And a lot of software development efforts, we look at the initial development and we think we’re done. And obviously there’s a whole nother set of phases beyond the initial release and all the maintenance that you have and all the support that you have for a product. Even in these industrial control systems and these OT networks in industrial automation facilities. There is a need to update and patch software from time to time. And so that’s really what I mean is, once those support and maintenance efforts kick in, you’re supporting ongoing existing code, and you might not be developing new features because you have some maintenance work that you need to do. And so that’s what I mean when I say tech debt at your point is well taken. What I consider tech debt in some cases are the patches and the prioritization of vulnerabilities that have to get fixed after the fact. And as those pile up more, then you’re crowding out future development because you’re consuming resources on the patches.

[Joe] 00:18:37  And so my view is if you have a more robust software development lifecycle, then you have a more efficient way to address those patches. But also you might have other things built in, like at RunSafe. We advocate for inserting runtime defense into your software from the get go so that systems can prevent exploitation even if a patch is not available. And the idea there is to add in robust security in my mind. Then going back to your original question, I want to understand what people software development processes are like, what their patching processes are like, what their testing processes are like. Because behind every compliance is a lot of processes, and you want to dig into those processes and understand, are people committed to safety and security or are they committed to checkbox security.

[Paul] 00:19:30  And so you can tell a lot, can’t you, from an organization’s attitude to vulnerability disclosure. And if a company has a robust practice for revealing its vulnerabilities and explaining how it was able to mitigate or fix those, that’s a very good sign, isn’t it?

[Joe] 00:19:50  Exactly right.

[Joe] 00:19:51  If you’re not disclosing vulnerabilities and not embracing that, then I would be concerned as a customer of your product. At RunSafe, we disclose things. We also build in security into our products. We adopt secure by design practices to boost code quality, and we make our technology accessible so that people do have that confidence and do know that we are going to not only look at our own code while we defend other people’s code. So we live by the same practice that we hope our customers are living by. And if you consider adding in exploit prevention into your own products that you deliver, then you get the luxury of having the best of both worlds you can disclose and fix, but know that you’re already protected. And what that means then, is it really alleviates a lot of this concern of trying to hide vulnerabilities. It’s hey, majority of the ones that we do find are not accessible. They’re not exploitable. We’re still going to fix them, but we’re telling you that we’re already ahead of the curve ahead of where the attackers are

[Joe] 00:20:57  That’s just a really good example of a way to embrace security and use it to help alleviate operational pressures, alleviate security pressures, and certainly find ways to thwart attackers even when a patch is not available.

[Paul] 00:21:12  So, Joe, maybe we can just zoom back into that level zero of the Purdue model, the very low level, the devices that open and close an individual valve or that monitor the pressure in one vessel. Those obviously may be years, even decades old. It may be very difficult to replace them because they might have been built into devices like a lathe or something that you can’t just simply open up and fiddle with. How do you deal with protecting those very low level devices against a smart attacker who’s decided, hey, I’ve milked the network for all the information I’d like, but I also want to know, How could I disrupt this factory if I wanted to? At some time in the future. Where do you start with that?

[Joe] 00:22:02  Well, I just run for the hills. Just kidding. Of course.

[Paul] 00:22:08  When I heard you say the word run, I thought, oh, I know what’s coming next. Yeah.

[Joe] 00:22:12  What I would actually recommend. Instead of running for the hills, you should run safely with RunSafe. The idea, of course, is, and not to get too commercially oriented about our own products, but I do think you point out a really significant challenge that people face. And when you’re looking at sort of everything from a risk management framework, trying to prioritize which assets to do what with, knowing that there are some devices that do have low compute power and compute resources available, applying things that don’t add new code, that don’t add software, agents that don’t slow down, that don’t consume more memory is really one of the best options. And so you can extend the life of legacy systems, applying memory safety protection in a way that doesn’t put any new software on a device. You can imagine if you move things around in the device without disrupting its operational execution, then you can imagine that that makes it harder for the attacker to find the vulnerability in the first place and to take that system down.

[Joe] 00:23:18  But I think what you want to do is assess your whole network, look at what’s reachable, what’s exploitable, what’s the consequence, and prioritize and then look at those items. And when you have hardware shortcomings and when you lack power and lack compute resources on devices, you still have good alternatives. I think that’s the key thing. And with that, you apply Load-time Function Randomization from RunSafe, our proprietary technique that allows you to add in security even without a patch, that’s a good opportunity for folks to extend the life. And all the while these organizations are thinking about when do I replace certain devices? And part of me thinks part of that is when you get so much more value added out of the new device than you have. Simply letting the current one operate, there could be a lot of value add that’s changing in the industry, based on maybe the new architectures of newer devices that do bring some of these smart capabilities. And so certainly when you’re buying those products as well, you want to really understand what the security is, because oftentimes these are connected devices that may be getting signal from elsewhere in the factory floor.

[Paul] 00:24:31  Whether you’re a manufacturer of products that help factories operate like the valve actuators, or you’re the owner of a factory that wants to buy valve actuators, or you’re somebody who wishes to choose a factory to manufacture your goods. What would be your primary advice to someone in any of those three classes for upping their game when it comes to cybersecurity.

[Joe] 00:25:00  In this scenario, you describe where you have maybe the end customer, the manufacturer, and then the supplier at every one of those levels. There are security questions that pop in to make sure that the final product produced has security, that the manufacturing plant itself is secure, and that the software that you derive from your supply chain is secure. I view that as asking for insights into the security posture that will start with standards in these industrial automation facilities. There are five reasons why security gets adopted. One of them is the governance of the manufacturer itself, their policies. One is the compliance that we talked about. One is the known threat actors that are targeting these kinds of devices.

[Joe] 00:25:48  And what are their go to moves. So we think about China and other nation states doing things and what are their, you know, things they’re going to compromise. And then getting to part of your question, they’re what are customers asking for. And then is there any security mechanism that helps differentiate maybe lower cost with more resilience and things like that. So you expect a longer lifespan? I would go down that checklist and ask, what is your government’s policy? What is your security compliance? What threat actors are out there? What are you doing to differentiate your products, and what are you doing to satisfy the customer requests? And that gives you kind of a very macro level view of what’s happening. And then within that I think there’s micro level views that are super interesting. What’s really interesting to me is understanding the software, building materials of all these devices and all these components that come into the factory floor that come into the industrial automation facilities. Why? Because heretofore we just sort of saw these things as black boxes that could be compromised, and we don’t really know what could go wrong.

[Joe] 00:26:55  But there are so many tools out there that help you. The manufacturer. Know the factory owner. Know exactly what’s going on in your infrastructure to understand what your risk is. And so I would look at the macro view, the drivers of security adoption as one way to get a view. And then I would look at the micro drivers and I would look at the software bill materials in particular across all my devices, and look at which of those systems are most vulnerable.

[Paul] 00:27:23  And there are some encouraging signs on the secure by demand angle of things, aren’t there? Now, I don’t want to suggest for a moment that a hospital is a factory, but there are some similarities. There are lots of embedded devices and they’re all over the place, and eventually it all connects to some IT network and so on. But in the recent RunSafe Health industry report, there was an encouraging number of consumers of medical products who said they had products that they would love to have bought because they would have been great for medical care.

[Paul] 00:27:58  But they declined the purchase specifically because they felt that the supplier did not take security seriously enough.

[Joe] 00:28:05  Absolutely. And I do think in the case of industrial automation in general, the overall picture, the investment into all these underlying industrial IoT devices and the robotics and all the machinery that’s in there, you have to consider not only the initial purchase, but the lifespan of those devices and the security posture of those devices. Security is become a very key element to the decision for which equipment to buy, because we don’t want these things to be disrupted and could go down and be outdated in a short amount of time, you want to have a nice, long lifespan. These organizations are capitalizing these purchases over many years, and the security has to be complementary to that economic equation that the facility has.

[Paul] 00:28:56  I think that’s a very positive point on which to end the idea that when it comes to cybersecurity, to some extent, the buck stops with all of us. We all have to do our bit and we can do it at all levels.

[Paul] 00:29:11  Once again, thank you so much for your passion and your informed commentary on a difficult and extensive topic. That is a wrap for this episode of Exploited: The Cyber Truth. Thanks to everyone who tuned in and listened. If you enjoyed this podcast, please don’t forget to subscribe so you can keep up with each week’s episode. Please like us, share us, link to us on social media and be sure to tell your whole team about us. And remember folks, stay ahead of the threat. See you next time.