What Mike Tyson can teach us about OT network security
Mike Tyson is famous for many things, from incredible knockouts (and a bitten ear), to movies and video games, but operational technology (OT) cybersecurity isn’t one of them. It’s safe to assume that Tyson, like most anyone — even many in the IT industry — couldn’t tell you what OT cybersecurity really means or does.
Yet, a famous statement Tyson once made about fight preparation rings powerfully true when it comes to protecting America’s critical infrastructure from cyberattack, the single purpose of OT cybersecurity. When a reporter asked Tyson whether he was worried about an opponent’s fight plan, he answered, “Everyone has a plan until they get punched in the mouth.”
OT cybersecurity analysts and network administrators are in a constant fight to protect the nation’s critical infrastructure from failing as a result of cyberattack, so the wisdom in Tyson’s words shouldn’t be dismissed just because he was a boxer. These are words to live by for OT professionals responsible for the networks that manage our food and water supply, transportation, energy, electric grids, healthcare and national defense systems — all of the crucial utilities and services that make the country function and keep us safe.
A cyberattack on America’s critical infrastructure could have a dramatic impact on the quality of life we all enjoy in the United States. Take, for example, the ransomware attack that forced the Colonial Pipeline, our nation’s largest oil pipeline, to shut down for nearly a week last year, resulting in higher gas prices and disruption to the airline industry. Or in February of 2021, when hackers compromised the Oldsmar water treatment facility in Pinellas County, Florida, and increased the amount of lye in the drinking water, exposing the public to the threat of illness and damaging pipes. This wasn’t the first time that a water system had been accessed by hackers. Just a month earlier, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area.
With the ever-increasing volume and sophistication of cyberattacks, OT professionals should not only plan for the network to receive punches, but expect it. Yet most OT operators don’t realize how vulnerable and exposed they can be. They also assume that attacks happen only to large organizations (many small water facilities are operated by non-profit organizations), or that being “air-gapped” will protect them if an attack does occur. Here, air-gapped means that firewalls have been deployed to fully isolate the OT network from the IT network and the rest of the world. But in today’s mobile world, where network devices are commonly internet-connected, reliance on firewall technology alone isn’t enough. Moreover, many firewalls are configured in a “set-it-and-forget-it” mode that leads to exposed vulnerabilities over time.
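The “set-it-and-forget-it” drift described above is something a defender can check for mechanically. The following script is an added example, not code from the original article or from any firewall vendor: it audits a small, constructed IT/OT boundary policy and flags allow rules that reach the OT zone from the internet, open every port into OT, expose common industrial protocol ports from outside the OT zone, or have not been reviewed within an assumed 180-day window. The zone names, rule format, review window and sample policy are all assumptions made for the example.

```python
"""Audit an IT/OT boundary firewall policy for rules that have drifted
into an exposed state. Added example; the rule format, zone names,
review window and sample policy are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Assumption: a rule is stale if it has not been reviewed within this window.
MAX_REVIEW_AGE_DAYS = 180

# Well-known default ports for industrial protocols that should only ever be
# reachable from inside the OT zone: Modbus/TCP 502, S7comm 102,
# DNP3 20000, EtherNet/IP 44818.
OT_PROTOCOL_PORTS = {502, 102, 20000, 44818}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str       # assumed zone labels: "internet", "it", "ot"
    dst_zone: str
    dst_port: str       # "any" or a TCP/UDP port number as a string
    action: str         # "allow" or "deny"
    last_reviewed: date


def audit_rule(rule: Rule, today: date) -> list[str]:
    """Return a list of findings for one rule (empty list means no concern)."""
    findings: list[str] = []
    if rule.action != "allow":
        return findings                      # deny rules cannot expose anything

    if rule.dst_zone == "ot":
        if rule.src_zone == "internet":
            findings.append("internet-to-OT allow rule")
        if rule.dst_port == "any":
            findings.append("any-port allow into OT")
        elif int(rule.dst_port) in OT_PROTOCOL_PORTS and rule.src_zone != "ot":
            findings.append(
                f"industrial protocol port {rule.dst_port} exposed from {rule.src_zone}"
            )

    # Review-age check applies to every allow rule, whatever its zones.
    age = (today - rule.last_reviewed).days
    if age > MAX_REVIEW_AGE_DAYS:
        findings.append(f"not reviewed for {age} days")
    return findings


def audit_policy(rules: list[Rule], today: date) -> dict[str, list[str]]:
    """Map each rule name to its findings, omitting rules with none."""
    return {r.name: f for r in rules if (f := audit_rule(r, today))}


# Constructed sample policy and audit date (not taken from any real site).
TODAY = date(2022, 6, 1)
SAMPLE_POLICY = [
    Rule("historian-sync", "it", "ot", "1433", "allow", date(2022, 4, 1)),
    Rule("vendor-remote", "internet", "ot", "any", "allow", date(2020, 3, 15)),
    Rule("scada-poll", "it", "ot", "502", "allow", date(2022, 5, 1)),
    Rule("ot-internal", "ot", "ot", "502", "allow", date(2022, 5, 1)),
    Rule("deny-all", "internet", "ot", "any", "deny", date(2019, 1, 1)),
]


def run_audit() -> dict[str, list[str]]:
    """Audit the constructed sample policy as of TODAY."""
    return audit_policy(SAMPLE_POLICY, TODAY)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run on the sample policy, the long-forgotten vendor remote-access rule is reported three times over (internet source, any port, not reviewed in over two years), the historian rule passes, and the IT-side Modbus poll is flagged because the assumed policy allows industrial protocols only from within the OT zone. In practice the rule list would be exported from the firewall and parsed into `Rule` objects, and the thresholds tuned to the site's change-control cadence.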
There are fundamental differences between maintaining IT network security and OT network security. In general, IT systems are widely connected, ever changing, and run on common operating systems such as Windows or macOS. In contrast, OT systems are siloed and run autonomously on proprietary software. But the line between IT and OT gets blurred when connected devices and the Internet of Things enter the picture.
OT devices that have traditionally been kept separate from the public internet and accessible only by authorized users can now be controlled and monitored by IT systems or remotely via the internet. While this makes it easier for organizations to operate OT devices and monitor performance, it also potentially exposes the OT network to internet-based attacks.
OT network administrators need to heed Tyson’s words and prepare to be resilient to an attack. How you respond to being punched is as important as planning to receive a punch. Going down for the count is not an option in an OT environment. It’s critical that these utilities remain operational, even in the event of an attack. This is known as being “cyber resilient.”