The Cyber-Physical Truth: What We Get Wrong About Attacks on Critical Infrastructure

The Cyber-Physical Truth: What We Get Wrong About Attacks on Critical Infrastructure

In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joseph M. Saunders and Danielle “DJ” Jablanski, Cybersecurity Consulting Program Lead for Operational Technology at STV and former OT Cybersecurity Strategist at CISA, to examine what defenders often get wrong about attacks on critical infrastructure. With experience across government, threat intelligence, engineering, and industrial environments, DJ explains why sectors like water, rail, energy, and manufacturing require a different way of thinking about cybersecurity. Together, they explore: * How cyber-physical risk differs from traditional IT risk * Why attacks can target engineering logic, process variables, and safety systems * The challenge of securing long-lived OT assets and heterogeneous environments * How visibility, asset identification, and segmentation shape OT defense * Why secure-by-design and secure-by-demand both matter * Why patching alone cannot keep up with distributed critical infrastructure From water systems to transportation networks, this episode breaks down what security leaders, asset owners, OEMs, and operators must understand to stay ahead of cyber-physical threats.

You Can’t Patch Your Way Out of This: What Mythos Means for the Future of Cybersecurity

In this episode of Exploited: The Cyber Truth, RunSafe Security Founder and CEO Joe Saunders and EVP and CSO Doug Britton join us for a strategic discussion on what Anthropic’s “Mythos moment” means for the future of cyber defense. Joe and Doug explore why AI-driven vulnerability discovery marks a fundamental turning point for enterprises, critical infrastructure, and national security. As AI accelerates the discovery and weaponization of vulnerabilities, traditional patch-and-remediate strategies are becoming increasingly unsustainable, especially for safety-critical and mission-critical systems that cannot be patched quickly or frequently. Together, Joe and Doug examine: * Why “find and fix” alone cannot scale in the AI era * How AI is shifting the balance between attackers and defenders * Why patch timelines are widening as vulnerability discovery accelerates * The growing need for resilience-based cybersecurity * How organizations can reduce exploitability without rewriting legacy systems * Why mitigation technologies are becoming essential for critical infrastructure and national security Whether you secure embedded systems, manage cyber risk across critical infrastructure, or lead product security strategy, this episode makes the case for a new approach: one built not around chasing every vulnerability faster, but around ensuring systems remain resilient even when flaws exist.

The Next Cyber Crisis Won’t Be One Hospital—It Could Be the Entire Health System

In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joe Saunders and Greg Garcia, Executive Director for Cybersecurity of the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, to examine how ransomware, third-party dependencies, and interconnected healthcare infrastructure are shaping cyber risk across the healthcare sector. Drawing on experience spanning DHS, critical infrastructure protection, and healthcare cybersecurity coordination, Garcia explains how disruptions at a single vendor or service provider can cascade across hospitals, pharmacies, insurers, and patients nationwide. Together, they explore: * Why healthcare cyber risk is shifting from isolated breaches to systemic disruption * How ransomware and third-party compromises create cascading operational impacts * Lessons from the Change Healthcare ransomware attack * The growing challenge of securing connected healthcare systems and medical devices * Why patching alone cannot keep pace with modern cyber threats * The role of collaboration and resilience in protecting critical healthcare infrastructure From healthcare providers and medical device manufacturers to policymakers and critical infrastructure leaders, this episode explores what organizations must understand to prepare for the next generation of healthcare cyber threats.

Trust at Machine Speed: AI, DevSecOps, and Zero Trust in National Security Software

Artificial intelligence is moving faster than the policies, security controls, and acquisition processes designed to govern it—especially in national security environments where preventing failure is mission-critical. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by Nicolas Chaillan, the host of In the Nic of Time and Former DAF CSO, to examine a central question: how do you build trust in systems that operate, adapt, and make decisions at machine speed? Drawing on his experience deploying DevSecOps across the Department of Defense and building large-scale AI platforms, Chaillan offers a direct perspective on what’s working, what isn’t, and where organizations are falling behind. Together, they explore: * Why multi-model AI strategies are critical to avoid lock-in and improve outcomes * How AI is accelerating software development, testing, and security workflows * Where policy and governance are lagging behind technical reality * The risks of restricting access to critical AI capabilities * What zero trust looks like in systems driven by automation and AI From defense systems to software pipelines, this episode examines what it takes to move fast without losing control—and what leaders need to understand as AI becomes embedded across the mission stack.

The Invisible Attack Surface: Cybersecurity for Embedded Systems

Embedded systems power everything from critical infrastructure to defense systems, yet vulnerabilities in those systems often go unseen and unaddressed. In this episode of Exploited: The Cyber Truth, host Paul Ducklin is joined by RunSafe Security CEO Joe Saunders and special guests Mario Zuniga and Matt Janson of MITRE to discuss the “invisible attack surface” lurking within embedded and cyber-physical systems. Drawing on their frontline experience in cyber operations and resiliency engineering, Mario and Matt explain why embedded systems demand a fundamentally different approach to cybersecurity. From limited patching capabilities and long system lifecycles to unique hardware and firmware attack vectors, traditional IT security models fall short in these environments. Together, they discuss: * Why embedded systems are often overlooked in cybersecurity strategies * How attackers exploit firmware, hardware interfaces, and air-gapped environments * The challenges of securing systems that must remain operational for decades * The role of MITRE’s embedded threat matrix (ESTEEM) in mapping adversary behavior * Why resilience—not just prevention—is key to defending critical infrastructure From industrial control systems to national defense, this episode reveals what it takes to secure the technologies that quietly underpin modern society and why the time to act is now.