How do you protect critical infrastructure—the systems that keep the lights on, water flowing, and communities functioning—from threats that span cyberspace, geopolitics, and emerging technology?
That’s the question host Paul Ducklin explored with Joseph M. Saunders, CEO and Founder of RunSafe Security, and Madison Horn, National Security & Critical Infrastructure Advisor at World Wide Technology, in an episode of Exploited: The Cyber Truth
From the realities of legacy systems to the promise—and limits—of AI, this conversation makes it clear that securing critical infrastructure is a collaborative mission that demands alignment across government, industry, and technology providers.
Cybersecurity as a Societal Imperative
Cybersecurity is often discussed in terms of tools, controls, and compliance frameworks. Madison Horn reframed the conversation by grounding it in human impact.
When critical infrastructure fails, the consequences ripple outward. Power outages disrupt hospitals. Water system compromises affect public health. Transportation failures slow emergency response and economic activity.
As Madison explained, these systems underpin modern life, and defending them is inseparable from protecting people.
“I don’t see it as a product,” she emphasized. “I see it as something that is in the nation’s best interest from a security perspective, economic, human life, societal, all those things.”
The New Reality: Critical Infrastructure Is a Target
Attacks on critical infrastructure made headlines this year. From Volt Typhoon to Salt Typhoon, bad actors have demonstrated how cyber operations are used to pre-position, disrupt, and destabilize essential services.
Cyberattacks against critical infrastructure are now a standard tactic in modern warfare. We’ve seen this unfold in Ukraine, and Taiwan is already facing thousands of daily attacks by China.
That reality changes the stakes. Cybersecurity has become a matter of national resilience and not just organizational risk management.
Why Collaboration Still Falls Short
Government and industry share a common goal—keeping critical systems operational—but often approach the problem from different angles.
Compliance Isn’t the Same as Security
Joe Saunders highlighted a persistent challenge: compliance-driven security efforts don’t necessarily prevent exploitation.
Meeting regulatory requirements may satisfy audits, but it doesn’t always address the realities of deployed systems, especially in environments where patching, replacing software, or rewriting code simply isn’t feasible.
True collaboration shifts the focus from checking boxes to achieving outcomes: uptime, safety, and resilience.
Legacy Systems: Built to Last, Not to Defend
Much of today’s critical infrastructure was designed decades ago. These systems prioritized reliability, availability, and safety long before connectivity became the norm.
As a result, many OT environments rely on:
- Long-lived devices expected to operate for decades
- Software that can’t easily be updated or replaced
- Tight operational budgets and rate caps
Madison underscored the challenge facing sectors like energy: these systems weren’t misdesigned—they were built for a different era.
The question now is how to secure them without disrupting operations.
Protecting What’s Already Deployed
Joe explained why approaches that protect existing software—without rewriting code or adding agents—are essential for critical infrastructure.
Runtime protections that prevent exploitation can dramatically reduce risk while preserving uptime and performance.
This is where memory safety becomes a practical path forward for legacy environments.
Learn more about how runtime protection helps defend deployed systems: https://runsafesecurity.com/runtime-protection/
