Operational technology (OT) sits at the heart of modern society. From power generation and water treatment to manufacturing plants and data centers, OT systems keep the physical world running. But securing these environments is fundamentally different from securing IT. Treating OT and IT the same can lead to a false sense of safety.
In a recent episode of Exploited: The Cyber Truth, RunSafe Security Founder and CEO Joe Saunders sat down with Ralph Langner, the internationally recognized expert who uncovered and analyzed Stuxnet, to unpack what smarter vulnerability management really looks like in OT environments. Their conversation highlights why traditional approaches fall short and what defenders can do today to meaningfully reduce risk.
Why OT Vulnerability Management Is a Different Problem
Unlike IT systems, OT environments are designed for longevity, stability, and safety—not rapid change. Many controllers, PLCs, and HMIs were deployed decades ago and are expected to operate reliably for 20–30 years. Patching, rebooting, or replacing them is often risky, expensive, or operationally infeasible.
This creates a core tension:
- Operators bear the operational and safety risk.
- Manufacturers design and sell the equipment.
- Security teams are expected to manage vulnerabilities that were never meant to be fixed frequently.
From an economic and operational standpoint, OT vulnerability management cannot be about “patch everything.” The constraints are too real, and the systems are too critical.
The CVE Trap: Why Chasing Every Vulnerability Doesn’t Work
When organizations talk about OT vulnerability management, they often mean one thing: CVEs. The assumption is to identify known vulnerabilities and remediate them.
The reality is far more complex.
There are hundreds of thousands of known vulnerabilities, many of them affecting embedded systems and industrial components. Attempting to remediate even a fraction of them would require enormous engineering effort with diminishing returns.
“Most people, when they hear the term OT vulnerability management, for them, it’s just about knocking down CVEs,” Langner said. “You would need an army of engineers to actually fix even half of these.”
More importantly, as Langner points out, competent attackers don’t rely on CVEs.
In OT environments, attackers frequently exploit:
- Legitimate product features
- Insecure-by-design protocols
- Trust assumptions baked into industrial workflows
These are not bugs in the traditional sense. They are design choices made decades ago to prioritize availability and ease of use over security. No CVE is required.
This means a vulnerability management program that focuses solely on CVE reduction may look good on paper but still leave the most meaningful attack paths wide open.
The Real OT Threat Landscape: Opportunistic and Strategic Risk
While Stuxnet demonstrated what highly sophisticated cyber-physical attacks are capable of, most real-world OT incidents today fall into two broad categories:
1. Opportunistic Attacks (Ransomware)
The majority of OT-related incidents in recent years stem from ransomware campaigns. These attacks typically enter through IT systems—often Windows-based machines—and then disrupt operations by encrypting systems critical to visibility or control.
The key takeaway: IT insecurity still translates directly into OT impact.
2. Strategic Pre-Positioning and Cyber-Physical Risk
Beyond ransomware, nation-state activity targeting critical infrastructure remains a serious concern. Rather than attacking industrial controllers directly, adversaries may focus on:
- Building automation systems
- Cooling and environmental controls
- Safety and monitoring infrastructure
These systems are often overlooked by security teams, yet they provide indirect paths to disrupt physical operations at scale.
Insecure by Design—And Why That’s Not the End of the Story
A hard truth emerged clearly in the conversation: most OT systems are insecure by design and will remain so for decades.
With an estimated hundreds of millions of industrial controllers deployed globally, replacing even a small percentage of the installed base would take decades.
But this does not mean defenders are powerless.
While we may not be able to redesign every controller, we can:
- Architect networks more defensively
- Reduce exploitability at scale
- Focus on resilience rather than perfection
Security progress in OT is incremental, but incremental does not mean insignificant.
Incremental Improvements That Actually Matter
So what can organizations do right now?
1. Enforce Real Network Segmentation
Separating IT and OT environments with a properly implemented DMZ remains one of the most effective—and underutilized—defensive measures. Many organizations believe they are segmented when, in reality, they are not.
“What everybody should try to accomplish rather quickly, if they haven’t done so already, is to separate the enterprise network or the IT side from those process networks with a DMZ,” Langner said.
True segmentation:
- Limits blast radius
- Reduces attacker mobility
- Buys defenders time
It’s not glamorous, but it works.
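Segmentation is only real if the traffic actually obeys the zone model, so a cheap check is to replay flow records against a written allow-list. The script below is an added example, not code from the episode or from RunSafe: it assumes a three-zone address plan (enterprise, DMZ, process), a constructed allow-list of zone-to-zone ports, and constructed flow records in a simple CSV shape. Any direct enterprise-to-process flow, or a port not on the allow-list, is reported as a violation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the episode). In practice this
# comes from the site's IP schema or asset inventory.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "process": ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed cross-zone flows: (source zone, destination zone) -> permitted ports.
# Enterprise may only reach DMZ services; only DMZ hosts may talk into the
# process network; there is deliberately no ("enterprise", "process") entry.
POLICY = {
    ("enterprise", "dmz"): {443, 3389},
    ("dmz", "process"): {502, 44818},
    ("process", "dmz"): {443},
}

# Constructed sample flows (src, dst, proto, dport); not real traffic.
SAMPLE_FLOWS = """
# src, dst, proto, dport
10.10.5.23, 10.20.0.10, tcp, 443      # ok: enterprise -> DMZ historian replica
10.20.0.10, 10.30.1.7, tcp, 502       # ok: DMZ -> PLC over Modbus/TCP
10.10.5.23, 10.30.1.7, tcp, 502       # violation: enterprise straight to a PLC
10.10.7.41, 10.30.2.12, tcp, 3389     # violation: RDP into the process network
10.30.1.7, 10.20.0.10, tcp, 443       # ok: process -> DMZ
10.20.0.10, 10.30.1.7, tcp, 22        # violation: SSH not on the DMZ->process list
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse the CSV-style flow records, ignoring blank and comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def check_flow(flow):
    """Return None if the flow is permitted, otherwise a short reason string."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return None  # intra-zone traffic is outside this policy's scope
    allowed = POLICY.get((s, d))
    if allowed is None:
        return f"{s}->{d} has no permitted path"
    if flow.dport not in allowed:
        return f"{s}->{d} port {flow.dport}/{flow.proto} not in allow-list"
    return None


def find_violations(text):
    """Return (flow, reason) pairs for every record that breaks the policy."""
    return [(f, r) for f in parse_flows(text) if (r := check_flow(f))]


if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

Run against real flow exports, the interesting result is usually not the violations themselves but the surprise: sites that believe they are segmented often find an engineering workstation or vendor remote-access box with a direct path into the process zone.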
2. Stop Treating All Vulnerabilities as Equal
Severity, exploitability, and operational impact matter far more than raw vulnerability counts. OT security requires prioritization based on how attackers actually operate, not just what scanners report.
3. Reduce Entire Classes of Exploits
One of the most promising shifts discussed is moving away from individual vulnerability remediation toward class-level mitigation—particularly for memory-based vulnerabilities.
By addressing entire categories of flaws:
- The attack surface shrinks dramatically
- Zero-day risk is reduced
- Defenders gain asymmetric advantage
“Solving memory-based vulnerabilities at a class level instead of individual CVE and vulnerability level would result in an asymmetric shift in cyber defense and is easy to implement,” Saunders said.
This approach aligns far better with the constraints of embedded and long-lived systems.
The Role of Manufacturers: Transparency and Economics
The conversation also highlighted the economic realities manufacturers face. Secure-by-design products often cost more—not just to build, but to support and train against.
While regulation and liability may help raise awareness, one near-term improvement stands out:
Radical transparency.
When vendors openly publish vulnerability and security information in a machine-readable, accessible way, asset owners can automate risk assessment and response. Transparency enables scale, and scale is essential in OT environments.
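The two ideas above, ranking by exploitability and operational impact rather than raw counts (section 2) and consuming vendor data automatically, fit together in one small pipeline. The script below is an added example, not code from the episode or from any vendor: it assumes a constructed advisory feed in a simplified VEX-like JSON shape (an illustrative layout, not the exact CSAF/VEX schema), a constructed asset inventory, and illustrative scoring weights. Vendor "not affected" statements drop an entry entirely, and a known-exploited, network-reachable flaw on a controller outranks a higher-CVSS flaw nobody is exploiting.

```python
import json

# Constructed vendor advisory feed in a simplified, VEX-like shape (assumption:
# an illustrative layout, not the exact CSAF/VEX schema).
ADVISORIES_JSON = """
[
  {"id": "VULN-2024-0001", "product": "PLC-X200", "affected_versions": ["4.1.0", "4.1.1"],
   "status": "affected", "cvss": 9.8, "known_exploited": false, "attack_vector": "network"},
  {"id": "VULN-2024-0002", "product": "PLC-X200", "affected_versions": ["4.1.1"],
   "status": "affected", "cvss": 7.5, "known_exploited": true, "attack_vector": "network"},
  {"id": "VULN-2024-0003", "product": "HMI-View", "affected_versions": ["2.3"],
   "status": "affected", "cvss": 9.1, "known_exploited": false, "attack_vector": "local"},
  {"id": "VULN-2024-0004", "product": "HMI-View", "affected_versions": ["2.3"],
   "status": "not_affected", "cvss": 8.0, "known_exploited": true, "attack_vector": "network"}
]
"""

# Constructed asset inventory: hostname, product, firmware version, network zone
# and the asset's role in the process (what drives impact, not CVSS alone).
INVENTORY = [
    {"host": "plc-line1", "product": "PLC-X200", "version": "4.1.1", "zone": "process", "role": "control"},
    {"host": "plc-line2", "product": "PLC-X200", "version": "4.0.9", "zone": "process", "role": "control"},
    {"host": "hmi-ops", "product": "HMI-View", "version": "2.3", "zone": "process", "role": "monitoring"},
    {"host": "eng-ws", "product": "HMI-View", "version": "2.3", "zone": "enterprise", "role": "monitoring"},
]

# Illustrative weights (assumption): exploitability and operational impact
# dominate; CVSS acts as a tie-breaker rather than the ranking itself.
ZONE_WEIGHT = {"process": 20, "dmz": 10, "enterprise": 5}
ROLE_WEIGHT = {"safety": 30, "control": 20, "monitoring": 10}


def load_advisories(text):
    """Parse the machine-readable feed; a real feed would be fetched, not embedded."""
    return json.loads(text)


def applies(adv, asset):
    """True only when the vendor states this product/version is actually affected."""
    return (adv["status"] == "affected"
            and adv["product"] == asset["product"]
            and asset["version"] in adv["affected_versions"])


def score(adv, asset):
    """Exploitability first, then exposure and operational impact, then CVSS."""
    s = 40 if adv["known_exploited"] else 0
    s += 20 if adv["attack_vector"] == "network" else 5
    s += ZONE_WEIGHT.get(asset["zone"], 0)
    s += ROLE_WEIGHT.get(asset["role"], 0)
    s += adv["cvss"] * 2  # at most 20 points, so it never dominates
    return round(s, 1)


def prioritize(advisories, inventory):
    """Return (score, advisory id, host) tuples, highest priority first."""
    ranked = [(score(a, h), a["id"], h["host"])
              for a in advisories for h in inventory if applies(a, h)]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for s, adv_id, host in prioritize(load_advisories(ADVISORIES_JSON), INVENTORY):
        print(f"{s:6.1f}  {adv_id}  {host}")
```

The point of the weights is not their exact values but that they encode how attackers operate and what the plant cannot afford to lose; with a machine-readable feed, re-running the ranking after every vendor publication is a cron job rather than a project.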
Rethinking Vulnerability Management as Resilience
Ultimately, smarter vulnerability management in OT is less about eliminating every flaw and more about answering a different question:
What would a competent attacker actually do?
By focusing on exploitability, architecture, and class-level protections, organizations can make meaningful progress without waiting for perfect systems or wholesale replacement.
OT security is not a problem that will be “solved.” But with pragmatic, informed approaches, it can be managed—safely, incrementally, and with resilience as the goal.
Interested in more conversations like this? Listen to the full episode of Exploited: The Cyber Truth to hear Ralph Langner and Joe Saunders explore OT vulnerability management, cyber-physical risk, and practical defense strategies in their own words.