Operational Technology (OT) security isn’t just a technical problem—it’s a national security imperative. In the latest episode of Exploited: The Cyber Truth, RunSafe Security Founder and CEO Joe Saunders joined host Paul Ducklin to answer a big question: Can we fix OT security? Spoiler alert: Yes, but it’ll take a collective push from product manufacturers, asset owners, and regulators.
What Makes OT Security So Hard to Fix?
Unlike traditional IT, OT systems power critical infrastructure like energy grids, water management, manufacturing floors, and more. These devices often run on low-powered hardware with long lifespans and were never designed for modern connectivity. They were secured by locked doors, not firewalls.
Fast forward to today, and these devices are increasingly connected to the internet—and exposed.
Memory Safety: Still the Achilles’ Heel
Many vulnerabilities in common OT products are caused by buffer overflows or memory corruption flaws. While systemic, these vulnerabilities can be proactively addressed with memory safety protections.
“If you can eliminate entire classes of vulnerabilities before software hits the field, you don’t need to play whack-a-mole with patches,” says Saunders.
RunSafe’s approach focuses on preventing exploitation at the binary level, effectively making vulnerabilities non-exploitable without requiring post-deployment patching.
The Growing Complexity of the OT Software Supply Chain
Even the simplest industrial device could include thousands of open-source software components. Without visibility into the Software Bill of Materials (SBOM), organizations are left guessing about what’s inside.
“If a vendor can’t tell you what’s in their product, chances are, they don’t know either,” says Saunders.
Knowing your software’s components—and their vulnerabilities—is critical for compliance. It’s also critical for managing risk across the supply chain, identifying attack surfaces, and making smart, prioritized decisions.
Why Patching Alone Isn’t Enough
Patching in OT isn’t like clicking “update” on your phone. It can require physical access to remote locations and months of planning. Worse, many vulnerabilities go unpatched for 180+ days, leaving critical infrastructure exposed for far too long.
This makes proactive protection methods—like RunSafe’s memory randomization techniques and runtime protection—essential tools in a modern OT defense strategy.
What Should Product Manufacturers and Asset Owners Do Now?
Joe Saunders outlines a simple yet powerful framework:
For OT Product Manufacturers:
- Generate a complete SBOM for each product.
- Identify known vulnerabilities.
- Prioritize fixes based on impact and exploitability.
- Adopt Secure by Design tools that eliminate entire classes of vulnerabilities at build time.
For Asset Owners:
- Request SBOMs from all vendors.
- Analyze vulnerabilities across all systems—from HVAC to power to physical access.
- Demand security transparency and memory safety protections from suppliers.
This shift toward accountability and visibility reduces operational costs and futureproofs infrastructure.
Regulation, Risk, and the Path Forward
Fixing OT security won’t happen with checklists and wishful thinking. It’ll take:
- Regulation that incentivizes change, like the Cyber Resilience Act
- Automation that scales patchless security
- Shared responsibility across the ecosystem
“The real question isn’t whether we can fix OT security,” Saunders concludes. “It’s whether we want to—and who’s willing to lead the charge.”
