Podcast: How Real-World Device Vulnerabilities Are Fueling Cybersecurity Risks in Industrial Operations
What You'll Learn
- How a recent penetration test revealed surprising weaknesses in common industrial networking devices.
- Why small design choices in plant-floor equipment can turn into major cybersecurity risks.
- What role collaboration plays between vendors, agencies, and security teams when flaws are discovered.
- Which basic practices can help manufacturers strengthen device security without disrupting operations.
- How growing exposure of industrial control systems is reshaping the way plants think about cybersecurity resilience.
In this episode of Great Question: A Manufacturing Podcast, Senior Security Engineer Trae Mazza of RMC Global walks through a real-world penetration test that uncovered two major vulnerabilities in Siemens' RuggedCom industrial networking devices—used widely in manufacturing and utilities. The discovery, since patched with CISA and Siemens' cooperation, shows how small design oversights can create serious operational risks. Mazza explains how issues like weak authentication, default passwords, and outdated firmware expose plant-floor devices to cyber threats, and what steps manufacturers can take to protect uptime and equipment reliability.
Below is an excerpt from the podcast:
SA: Hello, everyone, and welcome to another great episode of the Great Question in Manufacturing podcast, another one brought to you by Smart Industry. I'm Scott Achelpol, SI's Head of Content, and I'm joined for this episode by Trae Mazza, who is Senior Security Engineer at RMC Global, where he specializes in offensive security with a focus on embedded device assessments. Based in Arlington, Virginia, RMC provides industrial cybersecurity, risk management, and resiliency solutions for critical infrastructure and critical missions for government and commercial organizations.
RMC this month received two significant certifications: CMMC Level 2 and ISO 9001:2015. We first encountered Trae when he gave us a proposed contributed story on his and his company's investigation after a penetration test for a client in early 2025 into two hidden cybersecurity gaps in Siemens’ RuggedCom Roxos II industrial-built network devices, which are commonly used in harsh environments to support critical infrastructure communications.
Thanks to Trae and RMC, the gaps were reported to the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, and patched this spring with cooperation from Siemens. We published Trae's story with Siemens' response and thanks on October 1st. The piece was a fascinating case study into the security gaps in industrial networks and devices due to vendor constraints, financial limitations, legacy technologies, and operational demands that prioritize uptime over cybersecurity.
It was an amazing peek at just how vulnerable OT is and what needs to be done to correct it. I'll note the breaking news of a BitSight report that global exposure of industrial control systems and IT devices surged from 160,000 devices visible each month to 180,000 devices visible just last year. This rise reverses years of reduction and is expected to exceed 200,000 by the end of the year.
This means the attack surface in industrial OT is wider than ever. The problem is that organizations still rely on enterprise IT-grade firewalls and endpoint tools that were never designed to secure factory environments, where uptime is the top priority over data privacy. The gap between IT and OT leaves assets exposed and hard to secure.
So we invited Trae to join us on the podcast to review how the case with the Siemens network device came about and what else he’s seeing with vulnerabilities in OT equipment of this type. At Smart Industry, we're covering cybersecurity—especially on the OT side, but also IT quite often now. So, Trae, welcome to the program.
TM: Thanks, Scott. I really appreciate the invite to the pod. It's great to be here. So this penetration test—or pen test, for short—on the RuggedCom device was an interesting one for us at RMC. It really highlighted how small oversights in industrial gear and applications can turn into really big cybersecurity risks.
The RuggedCom device that I was assessing was a RuggedCom RX1400, which is often used as a gateway into industrial networks, as it has router, firewall, and switch features. So, as an authenticated user to the embedded web UI on the device, and with the ability to upload configuration files and run network utilities, I was able to chain together an arbitrary file upload in the "install files" feature—which was discovered by my coworker, Zach Levine (shout out to Zach)—with an operating system command/argument injection in the device's TCPdump utility that led to full root access on the underlying device operating system.
So, really excited to be here and talk about what we learned and how it connects to the broader OT security landscape as a whole.
SA: Industrial networks are supposed to be engineered for resilience, but the case of the RuggedCom RoxOS II security gaps is by no means the only flaw found and patched. Describe some other cases you're working on right now for RMC, in as much detail as you can give us.
TM: First, for the audience's sake, let me take a step back and explain how I even get a hold of these devices and find these kinds of issues or vulnerabilities.
RMC is embedded within the procurement process of a few critical infrastructure companies, specifically within the utility sectors like power and gas. So when they plan to bring in a new device or application or any kind of system into their operational networks—whether that be electrical substations, power generation plants, or a SCADA environment—they'll have us come in, they'll have RMC come in, and perform a pen test to find any vulnerabilities or security shortcomings on their devices.
Generally, in the past, the vulnerabilities that we find have been reported to our clients and then disclosed to the vendors privately. But I've been pushing more and more for transparent reporting of vulnerabilities with our clients, and I've started to make headway with that effort—this RuggedCom issue being one of the first times.
So, back to your question: my team and I just wrapped up an assessment on a SCADA system where we were able to break out of a read-only monitoring application and compromise the underlying Windows host. This was a pretty big deal because it was the only system in this environment that crossed the IT/OT boundary, and so there should be another CVE coming out for this in the near future. So keep your eyes on the CISA CVE feed.
Right now, I'm working on another industrial networking device that suffers from some of the very common vulnerabilities that plague the OT and embedded device space, such as no password policies for users—so a user could just make a password that’s the letter "A"—lack of brute-force limiting, and vendor test accounts that are hidden or present in production releases. While these may be less critical in the attack chain than what we discovered in RuggedCom, they're still important to find, discover, and report.
About the Podcast
Great Question: A Manufacturing Podcast offers news and information for the people who make, store and move things and those who manage and maintain the facilities where that work gets done. Manufacturers from chemical producers to automakers to machine shops can listen for critical insights into the technologies, economic conditions and best practices that can influence how to best run facilities to reach operational excellence.