Exploited: The Cyber Truth,  a podcast by RunSafe Security. 

[Paul] (00:04)

Welcome back, everybody, to another episode of Exploited the Cybertruth. I am Paul Ducklin, joined as usual by Joe Saunders, CEO and founder of RunSafe Security. Hello, Joe.

[Joe] (00:22)

Greetings, Paul. Great to be here today.

[Paul] (00:25)

And by Mike Holcomb who runs a security outfit for the OT industry called UTILSEC. Welcome Mike.

[Mike] (00:36)

Thanks, Paul. I appreciate the opportunity to be here with you and Joe.

[Paul] (00:40)

Strap yourself in, because you’re up first. Why don’t you start us off by telling our listeners a horror story that you encountered, something that you found when you were doing, say, a penetration test or a security assessment.

[Mike] (00:56)

Sure. Going into environments, and I’ve been very fortunate in my career to work with some of the world’s largest companies and been in some of the world’s largest OT or ICS environments. And I’m still amazed even today in 2026 where you can go into a large environment, like a large plant that might take up a large city block. And then you work with companies that have multiples of these spread out over the country or the world.

[Paul] (01:27)

So that means if there’s a mistake in one, it’s probably been replicated in all the others. dear.

[Mike] (01:33)

Absolutely. They don’t have a firewall between IT and OT.

[Paul] (01:40)

Now for our listeners, by IT, information technology, although we rarely say that in full these days, that’s the sort of networking that we’re to when we’re in the office using Zoom or Teams or Outlook or whatever it is and we’re interacting with our colleagues, even if we’re working from home. And OT, or operational technology, that’s all the other computers that make our life work, like turn our power grid on and off, but that aren’t managed by a traditional ITT.

[Mike] (02:11)

Exactly. Just like we can have firewalls between the internet and the IT environment to protect the IT network, we put firewalls between IT and OT. And not having those firewalls between the two allows an attacker or piece of malware like ransomware that gets into the IT network if you don’t have that firewall.

[Paul] (02:31)

Or a bribed or rogue insider for that matter who just happens to be on the IT network already. There’s no real reason why they would need to be able to peek into pump rooms around the nation, is there?

[Mike] (02:38)

Sure. You would think.

[Paul] (02:47)

Because the IT folks would never let those people wander through their server rooms or access all the super secret corporate cloud accounts.

[Mike] (02:58)

Most wouldn’t. When you look at the different systems or the pieces of equipment on those shop floors, it really makes you wonder. Not only are they allowing them to access them, but they don’t have the tools in place at the same time where they’re monitoring for that type of connectivity. The vast majority of OT environments that we see today, about 95% of them are doing nothing about monitoring their networks for malicious or suspicious activities. And then at the same time, they might not even need to get onto the OT network to even have an impact. So if we look at Jaguar Land Rover with their incident in 2025.

[Paul] (03:43)

I think calling it an incident is being rather kind.

[Mike] (03:46)

It’s a little short.

[Paul] (03:49)

It’s an Indian company but most of their plants are in the UK. It’s being considered the UK’s biggest and most expensive ever cyber incident. Production lines frozen for weeks and weeks and weeks.

[Mike] (04:03)

Yeah, like in their case, all the systems that they needed to run the manufacturing plans sat on the IT side. The entire IT network burns down to the ground because they’re ransomware and you don’t have manufacturing. Most small medium sized businesses, if they’re in that type of situation, they don’t recover and they close their doors within three to six months, which is really concerning.

[Paul] (04:25)

Incidents like Jaguar Land Rover and the idea of a steel smelter losing power does focus your mind on that, doesn’t it? Because that’s a case where actually stopping the plant is actually really, hard because getting it going again is not quite as simple as rebooting your laptop or bringing up a server in emergency mode. Yeah. If you’ve got a frozen production line with vehicles stuck on it and you don’t know which vehicles are in what state of build, you can’t just switch the thing on and expect it to carry on going.

[Mike] (05:01)

Right. Yeah. can’t just reboot and you’re good to go.

[Paul] (05:05)

So what do do about that? Obviously you don’t want to the two networks completely segregated because then you lose all the benefits of remote control, remote monitoring, good telemetry. How do you let them touch each other but not be so intertwined that an injury to one becomes an injury to the other almost always?

[Mike] (05:26)

Yeah. When we talk a lot about industrial environments, like power plants, water treatment facilities, usually what we really focus on is having the OT side of the house, the plant send its telemetry data to the IT network in a one way manner. So you don’t allow return traffic. So you don’t allow IT to initiate connections into OT. That way, if an attacker does get into IT, they don’t have a path into OT. In my last job, we built some of the largest manufacturing plants for pharmaceuticals, the world’s largest insulin injection plant. If you’re manufacturing these insulin injections, the business, the IT side of the house needs to know, how many injections did you make today? Because it has to coordinate things like shipping and storage and logistics. So we get that data from the OT side to IT, but IT does not need to reach into OT in that case.

So that’s in a perfect world and we can do that in a lot of industrial environments where we do get in trouble where either the owners and the operators of these environments don’t realize that you can configure that type of security if you want to consider it that that form of communication that one way.

[Paul] (06:41)

So is that what in military or security conscious environments would be called a data diode? Flows one way but the current can’t return.

[Mike] (06:50)

A data diode literally uses physics to enforce that one-way traffic. There is no way to have return traffic. Now with that said, data diodes themselves are very rare to see out in the real world. So usually what you will see is a form of that called a unidirectional gateway. So that’s using hardware and software to enforce that one-way communication. There could be a vulnerability there an attacker could use to gain access to the OT network.

[Paul] (07:18)

But that’s a lot more secure than just having the IP numbers of all those welding machines just visible on the corporate network, isn’t it?

[Mike] (07:28)

Right. And again, I’ve been in quite a few large environments and you still see either no firewall between IT and OT or if there is a firewall, then it’s just not configured correctly. Permit IP any any that maybe somebody put in for troubleshooting when something appeared to break that fixed it. But the attackers come in and go right through that firewall.

[Paul] (07:53)

Joe, maybe I can ask you at this point whether the idea of a firewall that’s been put there but doesn’t really do much is probably evidence of what you might call checkbox security. You know it’ll look good to the auditors, so you just go, well, let’s have a firewall and let’s put a label on it with the word firewall on it. But that’s not good enough, is it?

[Joe] (08:15)

I think part of the context of the question is, well, when are you adding in this firewall? When are you adding in this capability? And part of that we’ve seen over the years, if some of these plants, for example, are being connected to the cloud, if you will, then that’s a time to add in a firewall like we’re talking about. Probably the focus of that is on some of the benefits in the modernization of the software and the cloud hosting of those IT systems in general. And you’re thinking about that.

And maybe even to Mike’s point, less so about the firewall itself and everything that you need to do there. I do think one way diodes are the way to go. I like the best solutions. I accept Mike’s point, especially given his background to know that if we can do some of the simple steps, then we go a long way in solving some of the problems that people could have.

[Mike] (09:04)

Yeah, absolutely.

[Paul] (09:05)

Joe, I guess there’s also the problem that if you don’t have a security-first approach, what we’ve spoken about in previous podcasts pretty frequently as secure by design, then retrofitting a firewall and trying to make it nice and strict and safe and secure can be quite hard, can’t it? Because you suddenly realise that you’ve blocked off ports or you’ve blocked off connections that you didn’t even know that your system relied upon.

[Joe] (09:34)

There are other areas of vulnerabilities. And what I have seen is a lot of the product manufacturers who are producing HMIs, human machine interfaces, just since I know you love to jump in and catch me when I use an acronym there, Paul. You know, these HMIs are the Schneiders and the Vertivs and the other organizations that make them think about how do you protect those systems because they are an access point to some of those controllers and what have you as well.

And if those are compromised in the supply chain, they could be points of vulnerability as well.

[Paul] (10:09)

I guess if you think back 10, 15, 20 years in OT and SCADA systems, the reason we have a term like HMI is that these generally were physical devices that were the only form of interaction. There’s no screen, there’s no keyboard, there’s no mouse. They might be on, off, speed up, emergency stop buttons that basically fly by while the machine behind it.

I guess there’s still a lot of thinking that, well, these HMIs, they’re physical buttons and you have to be there to press it. But increasingly, either they’re being web enabled so they can be reached remotely, or they’re having some kind of web app or web accessibility retrofitted because it’s easier to have someone in a room in Virginia press a button on a web screen and have someone drive all the way to the middle of Alabama with a padlock key and go into a pump room and press the button.

[Mike] (11:05)

Yeah, no, absolutely.

[Paul] (11:07)

And therein lies great risk, doesn’t it?

[Joe] (11:10)

Yeah, and part of that risk is these devices last a long time. What you’re building in 2005 or 2010, we’re capitalizing those investments over a long period of time. It’s not like a laptop that’s going to get recycled every year or two. There’s a longer term horizon. It’s tough to make that decision today to think about security 10 or 15 years from now. Human nature is to think about the highest priorities that make a difference right now.

I think about the energy grid in general. It’s relatively brittle in the United States and it’s becoming more connected and it’s becoming connected to distributed energy resources of different types. Think about EV charging stations and the like. The landscape changes but not as fast as an IT world changes.

[Paul] (11:54)

Yeah.

[Mike] (11:59)

Yeah, absolutely.

[Paul] (12:01)

What do you do about that when you have hardware that you can’t easily update and there may not be newer versions available even if you had limitless funds to spend on it? How do you take old software and make it more secure without having to throw out the baby with the bathwater and get new hardware, new processors, new software development languages and all that stuff?

[Mike] (12:24)

I would say when we look at an older environment, it’s all about being able to go in, understand the physics of the plant and then understand, okay, here’s the systems that we have that control that process that that plant’s responsible for. Let’s say I have a power plant generating electricity, turbines and generators, and I have the programmable logic controllers and the human machine interfaces, the HMIs, we were just mentioning that allow the operators to interact with the environment and make changes. That HMI or that PLC was made 20 years ago and we can’t just install the latest EDR tool on those. So then it becomes a question of what controls can we wrap around, right? Looking at compensating controls, what can we build into the environment to lower the risk of what happens when an attacker gets into the environment?

What are the bad things that they could do with this system? I love working with engineers. They don’t think about what an attacker would do. Just doesn’t compute for them. It’s like, why would anybody want to do that? You know, and then once you get them to put on their evil thinking cap, it can be a lot of, a lot of interesting conversations. It’s like, okay, well, how can we prevent X, Y, and Z from happening? Maybe we can’t do anything about Z.

[Paul] (13:42)

Yes.

[Mike] (13:50)

But we can do something about X and Y, like having that firewall configured between IT and OT. Maybe we can do additional segmentation within the OT network. So we talk a lot about micro-segmentation as well.

[Paul] (14:05)

Is that what’s known as VLANs, virtual LANs, where you use conventional switches? So it seems like a wide area network, but you’ve basically divided it electronically into separate parts. Therefore an entry to one is not an entry to all.

[Mike] (14:20)

Yeah, exactly. Whether it’s VLANs or using other physical means to break the large OT environment into smaller chunks.

[Paul] (14:30)

And the OT devices themselves can be blissfully ignorant of that. So they don’t need software upgrades, don’t need reconfiguration, they don’t need to be asked to do programmatic stuff that they were never built for. They just live in a slightly more sheltered cocoon than they did before.

[Mike] (14:34)

Exactly.

They have that bubble around them. If you were to go into a large petrochemical facility there, you would have what they call a safety instrumented system. It’s your fail safe backup. So that way, if you ever detect that there’s a fault condition in the environment, that it can shut the plant down safely before essentially something goes boom and you have a huge impact on your hands. And that safety system should be on its own physical network completely separated from the rest of the OT network. It’s kind of the most extreme example of that segmentation. If you want to make a programming change, if you want to upgrade the firmware on it, that’s great, but you’re physically walking to it and you’re plugging into it directly and making those changes. You’re not exposing it to the rest of the network where an attacker could potentially make their own changes to the safety controller over time.

[Paul] (15:45)

So what do you say to those people who think that continuing to work in that way seems a little bit regressive? Shouldn’t we all embrace the cloud? And we’ve spoken in previous podcasts about what you might call the difference in mentality between, say, the makers of planes, where their infotainment system may be running some 15-year-old version of Linux, but it was added after the avionics systems and there’s no interconnection, they’re just completely separate. Compared to automobile manufacturers where all these things are blurring and the same little screen in the middle of the dashboard that you control the movies that your kids can watch, the same UI is used to set driver safety settings. It’s easy to get seduced into blurring the lines, isn’t it? How do you stand firm and keep safety and security paramount where they’re really important?

[Mike] (16:44)

Yeah. Well, I don’t think you can actually stand that firm. Yes. Coming from an IT cybersecurity background. I remember when wifi came out and I was like, heck no. You can’t put that on the network. There’s no encryption. Somebody can just jump on the work network. And I had a boss pull me aside. Dan Crow, best boss I ever had. X Delta Force guy becomes, you know, IT guy. And he’s like, if you tell them, no, they’re still going to do it regardless.

So you don’t tell them no, you tell them, hey, okay, let’s do this, but let’s do this as securely as possible.

[Paul] (17:20)

So trying to head off what’s known as shadow IT. The things you don’t want, you kind of get anyway because people figure, hey, I can buy that for $9.99 on my credit card.

[Mike] (17:23)

Exactly.

Or even worse, the CEO just says, go ahead and do it anyways. So everybody has the authority to do whatever they want and then it gets implemented and then there’s no security. Cloud is coming fast these days to OT. AI is coming super fast to OT even though OT is definitely not ready for either of these. I can’t say don’t do these things because there’s a lot of great advantages to help increase the performance and the efficiency of these facilities. I completely understand, but there’s a lot of risks that the business has to understand and they have to be prepared to take those steps to implement compensating controls. If you’re going to do these things, you also have to be planning for the day you get compromised. If it hasn’t happened yet, it’s going to happen. 

And if you have cloud connectivity into your plant, well, what happens when the attackers get in that cloud environment. How is that going to impact your plant? And make sure we ensure safety, most importantly, and then of course availability. The plant goes down, we want to get back up and running as quickly as possible and not take five weeks as our friends over at Jaguar Land Rover.

[Paul] (18:46)

Joe, do you want to say something about compensating controls? I love that term because it sort of says, yes, we can make progress, but if you want us to let you do these new and exciting things, you have to carry the can for some of the things that you agree you’re not going to do. How do you build an organisational culture, particularly if you’re a business that builds stuff for the OT space where people learn to think like that from the start?

[Joe] (19:15)

Of course, you know, Paul, that I’m a fan of innovation and especially for productivity gains and efficiency gains. And we see all sorts of ways to measure how plants are operating. And these are great opportunities to make improvements in quality. And in the same way, I think the software development process can be improved from a quality perspective as well. What I advocate for consistent with all this, I think, is those organizations that are building technology, building tools, building devices, building software that go into these OT environments, we really do want to look at their underlying software processes in general, because I have found that those that will remain competitive are the ones that have the most robust software practices in general. And that in itself helps create some resilience in the infrastructure. 

There’s different variations of that secure software development frameworks, there’s secure by design, there’s other things. And that means disclosing vulnerabilities, that means being transparent, that means sharing software bill materials, that means sharing processes in which you are fixing vulnerabilities. And yes, it’s very difficult to push out updates in these environments, but those organizations, I think that have an elevated software development process end up having higher quality code with fewer, not zero vulnerabilities, with fewer vulnerabilities, but also have security built in. For organizations that are making investments, capital investments over 10, 20, 30 years, and as the demands of AI and the demands to improve processes continue to increase or evolve, maybe the better word, security needs to be at the core of these items.

There is a compensating control in having higher quality software delivered in the first place.

[Paul] (21:15)

And I imagine that even if you’re unwilling to do that, you are likely to have your hand forced very soon, starting this year pretty much, if you plan to sell anything in the European Union or the UK, because of the Cyber Resilience Act, that actually changes the game if you like, for liability. Namely, if you have software and it does have a flaw, you’re no longer allowed to sweep it under the carpet or say, no, we’ve got a document here that says, our warranty allows a refund of everything up to $0. That doesn’t mean that you’re expected to have no vulnerabilities. It just means you’re expected to understand what you’re supposed to do and what you can do and to do it promptly if there’s a problem. And that’s not impossible, is it? Even for systems that are 20 years old with 2 meg of RAM.

[Joe] (22:04)

Yeah. And Mike brought up that safety is first. Yes. Part of software quality is safety and safety is not new to these organizations. so having compliance built around safety, and I just think being more mindful, even more mindful about software quality as it pertains to safety is a good practice. And to the point around EU Cyber Resilience Act, there is a stick in there with the liability if you are exploited. For organizations that embrace safety to embrace security and use that in a way to build robust software practices in the first place and elevate their game in terms of transparency and sharing information. It does make the world safer. It does keep these major critical systems operational even longer.

[Paul] (22:52)

And cyber security bugs can actually affect physical safety very definitely, can’t they? For example, if someone knows how to crash all of the switchgear devices that you use to connect in and out the wind turbines that generate offshore power, say if you live in a nice windy country like Denmark by the North Sea, you need to be able to switch them all automatically and intelligently.

And therefore, if there is a security bug there, that could actually affect safety because the system may suddenly end up not operating as a whole. So it’s not wasted effort, even if your primary focus is safety, because an insecure system is probably an unsafe one. Would you agree with that?

[Joe] (23:38)

That’s why I brought up quality. Some of these bugs could be perceived as quality. I do think organizations in these spaces consider safety and quality going hand in hand and just adding security into that. the consideration is related.

[Mike] (23:52)

It’s definitely an interesting part of the conversation and I’m curious to see how things look in another year with the CRA in Europe. I’ve talked with quite a few of the leaders at some of the large OEMs or manufacturers of OT or ICS equipment. Quite a few of them are still very concerned that they might drop the ball and have some type of finding where they’re on the hook for tens of millions of dollars if not potentially more. The ones that I talk to, right, are very supportive of making sure that they do the right thing. Like Siemens out of Germany, they’re probably the undisputed heavyweight of finding vulnerabilities in their portfolio of applications and systems. So they have a very strong P-Sert program, which is their program for identifying and addressing and reporting vulnerabilities to help make their clients more secure. Even if their clients might not take the opportunity to take that latest update and put it on a PLC or an HMI on the factory floor. That’s the customer’s decision, not the manufacturer’s.

[Paul] (25:05)

So for practitioners in the OT space, whether they’re manufacturers or users of these systems who are still thinking in that old school world of their private networks are not connected to anything else, we’re concerned about safety, we’re concerned about continuity. So we don’t need to worry too much about access control and encryption and all that sort of stuff. How do you persuade them that more openness, such as the CRA will require in respect of things like vulnerability disclosures is actually a strength rather than the weakness that some people still seem to consider it to be. In other words, by doing all these vulnerability disclosures you’re giving away to cyber criminals and state-sponsored attackers secrets that they probably already knew to be honest.

[Mike] (25:53)

Yeah, I think the biggest thing is really, you kind of take it a step back. Talking about air gapped environments. I have a nuclear power plant. It’s North America. It’s mandated that it’s air gapped. It’s not connected to any other type of network or system. It’s self-contained. And then that way, well, we can’t be compromised. The problem is the air gap, it might exist today, but it’s not going to exist tomorrow or next week or the next month.

[Paul] (26:20)

You mentioned when Wi-Fi arrived.

[Mike] (26:23)

That really opened up a can of worms.

[Paul] (26:26)

That bridges at almost any air gap network. Now gentlemen, I’m conscious of time, so I’d like to put a question that either or both of you can answer to conclude. And that is based on the old proverb that a journey of a thousand miles starts with a single step. For somebody in the OT world who’s still wrangling with all of this and hasn’t started that Sikyo-Bai design journey yet, what do you think is the first thing

that they could set their mind to. Something to get started with that will prove security and safety A, go hand in hand, and B, are quite achievable in the long run. Where to start?

[Mike] (27:07)

The firewall would always be my first choice. Putting that firewall between IT and OT. Go spend a couple hundred dollars, a couple hundred pounds. Even if you’re just sitting it there and it’s wide open at first, at least it’s in place and then you can watch traffic over time, you can start to limit what’s moving in and out of your OT network. Because again, you have to always assume an attacker is going to get into the IT network. It’s going to happen or a piece of ransomware is going to get loose on that IT network.

Do you want it to be able just to have that straight shot into the OT network? Just by having that firewall and then getting it configured over time, it’s going to be the one control that’s going to reduce your risk the most. And that when you think about it, it’s going to cost you the least compared to so many of the other controls out there that you could implement.

[Paul] (27:57)

And that also ties nicely into the business thought that if you can’t measure it, you can’t manage it. Because it will actually give you an idea of things that may be wrong about control that’s being exerted on your OT network from the IT network that you didn’t even realize.

[Mike] (28:07)

Absolutely.

Yeah, I’m still amazed how many people have firewalls and they’re not watching the traffic and then they have a compromise. It’s like, well, if you were watching it, you would have seen the attacker in the environment three months ago.

[Paul] (28:25)

Yes, I agree with that. If you’re going to collect logs and never read them, save yourself the disk space and don’t collect them in the first place because you’re just wasting time and money. Joe, would you like to ring us out?

[Joe] (28:38)

As you are making new investments in technology, the whole concept of secure by demand, asking your suppliers about their security posture and finding ways to get information from suppliers about vulnerabilities, software bill of materials is a good example. I think investing in that as you go forward, as you upgrade different portions of your physical environment, it’s an opportunity to exercise some of that purchasing power to ask some questions about the long-term viability of the security process. I may have made it sound too simple early that everything is just 30 years old. It’s not that people are gonna make investments over time. And I think the organizations can be cognizant of the security posture of the vendors’ products that they’re delivering and really ask those questions and get information about vulnerabilities and open up communications to understand what the vulnerabilities are in products.

[Paul] (29:33)

I think that’s very well put because after all, Secured by Demand, where you actually ask your supplier, hey, what are you doing about security, makes it clear to them that it is worth their while for the greater good of all, including themselves, to take security seriously. And I absolutely agree with you. The fact that we have what you might call poor or even uncorrectable security blunders and devices that are 30 years old, and yet they’re still working okay today, doesn’t mean that we should or need to be in the same position 30 years from now. So that journey of a thousand miles, not only does it start with a single step, it may as well start today as tomorrow.

[Mike] (30:12)

Absolutely.

[Paul] (30:14)

Gentlemen, thank you so much for your thoughtfulness and your passion about this. You both feel so strongly about getting things right, but not in a way that means we have to throw away everything we’ve done so far. That we all get together and work better for a more secure and therefore a safer future. So that is a wrap for this episode of Exploited the Cybertruth. Thanks to everybody who tuned in and listened.

If you find this podcast insightful, please don’t forget to subscribe and please like and share us on social media too. Also, share us with everyone in your team so they too can benefit from Mike and Joe’s passion and wisdom. Once again, thanks to everybody who tuned in and listened. And remember, stay ahead of the threat. See you next time.