Mike Tyson is famous for many things, from incredible knockouts (and a bitten ear), to movies and video games, but operational technology (OT) cybersecurity isn’t one of them. It’s safe to assume that Tyson, like most anyone — even many in the IT industry — couldn’t tell you what OT cybersecurity really means or does.
Yet, a famous statement Tyson once made about fight preparation rings powerfully true when it comes to protecting America’s critical infrastructure from cyberattack, the single purpose of OT cybersecurity. When a reporter asked Tyson whether he was worried about an opponent’s fight plan, he answered, “Everyone has a plan until they get punched in the mouth.”
OT cybersecurity analysts and network administrators are in a constant fight to protect the nation’s critical infrastructure from failing as a result of cyberattack, so the wisdom in Tyson’s words shouldn’t be lost on the fact that he was a boxer. These are words to live by for OT professionals responsible for the networks that manage our food and water supply, transportation, energy, electric grids, healthcare and national defense systems — all of the crucial utilities and services that make the country function and keep us safe.
A cyberattack on America’s critical infrastructure could have a dramatic impact on the quality of life we all enjoy in the United States. Take, for example, the ransomware attack that forced the Colonial Pipeline, our nation’s largest oil pipeline, to shut down for nearly a week last year, resulting in higher gas prices and disruption to the airline industry. Or in February of 2021, when hackers compromised The Oldsmar Water Treatment Facility in Pinellas County, Florida, and increased the amount of lye in the drinking water, exposing the public to the threat of illness, and damaging pipes. This wasn’t the first time that a water system had been accessed by hackers. Just a month earlier, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay Area.
With the ever-increasing volume and sophistication of cyberattacks, OT professionals should not only plan for the network to receive punches, but expect it. Yet most OT operators don’t realize how vulnerable and exposed they can be. They also assume that attacks happen only to large organizations (many small water facilities are operated by non-profit organizations), or that being “air-gapped” will protect them if an attack does occur. Air-gap means that firewalls have been deployed to fully isolate the OT network from the IT network and the rest of the world. But in today’s mobile world, where network devices are commonly internet-connected, reliance on firewall technology alone isn’t enough. Moreover, many firewalls are configured in a “set-it-and-forget-it” mode that leads to exposed vulnerabilities over time.
There are fundamental differences between maintaining IT network security and OT network security. In general, IT systems are widely connected, ever changing, and run on common operating systems such as Windows or macOS. In contrast, OT systems are siloed and run autonomously on proprietary software. But the line between IT and OT gets blurred when connected devices and the Internet of Things enter the picture.
OT devices that have traditionally been kept separate from the public internet and accessible only by authorized users can now be controlled and monitored by IT systems or remotely via the internet. While this makes it easier for organizations to operate OT devices and monitor performance, it also potentially exposes the OT network to internet-based attacks.
OT network administrators need to heed Tyson’s words and prepare to be resilient to an attack. How you respond to being punched is as important as planning to receive a punch. Going down for the count is not an option in an OT environment. It’s critical that these utilities remain operational, even in the event of an attack. This is known as being “cyber resilient.”
Cyber resiliency is predicated largely on network visibility, enabling operators to gain situational awareness and to reduce the exposure of critical assets. There are two important building blocks of a comprehensive network visibility program: monitoring and modeling. These two sides of network visibility are both crucial and complementary.
Live traffic monitoring, or analytic monitoring, means understanding which assets are connecting to which services by instrumenting the network with sensors. It provides visibility on all active endpoints that communicate through network paths on which sensors have been deployed. It’s the go-to approach for threat hunting and intrusion detection.
Offline network modeling, or dynamic representation, means understanding which assets can connect to which services by building a model of the network with firewall and router configurations. It provides accurate, instant visibility of the network architecture and enables risk assessment without having to deploy any sensor or agent in the environment.
Combining network access modeling with traditional network traffic monitoring is the most comprehensive approach to achieving network visibility and cyber resiliency. If an OT network were to be attacked, the ability to identify compromised assets and exploited vulnerabilities, and to detect whether sensitive information is being exfiltrated or a connected service is misconfigured, is incredibly helpful. Having the ability to measure risks related to remote access and to simulate possible network attack paths is critical. And proactive verification of network segmentation, together with an understanding of the critical vulnerabilities exposed on the network, is essential.
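To make the offline modeling side concrete, here is an added example (not code from the article or from any product it alludes to) of the kind of check a network-access model answers: given a firewall rule set, which assets *can* reach which OT services, and does that match the intended segmentation policy? Everything in it is constructed for illustration: the zones, the host addresses (the "internet" host uses the 203.0.113.0/24 documentation range), the rule set, and the policy. The rule evaluation assumes the common first-match-with-implicit-deny convention; a real model would load exported firewall and router configurations instead of hand-written rules.

```python
"""Offline network-access model: answers 'which assets CAN reach which OT
services' from firewall rules alone, with no sensors on the live network.
Added example; zones, addresses, rules and policy below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port


# Constructed rule set for a firewall between IT (10.1.0.0/16), OT (10.2.0.0/16)
# and the internet. Evaluated top-down, first match wins, implicit deny at the end.
FIREWALL_RULES: List[Rule] = [
    Rule("allow", "10.1.50.0/24", "10.2.10.20/32", "tcp", 502),   # engineering subnet -> PLC (Modbus)
    Rule("allow", "10.1.0.0/16",  "10.2.10.30/32", "tcp", 443),   # all of IT -> historian web UI
    Rule("allow", "0.0.0.0/0",    "10.2.10.40/32", "tcp", 5900),  # "temporary" vendor VNC, never removed
    Rule("deny",  "0.0.0.0/0",    "10.2.0.0/16",   "any", None),  # everything else into OT is dropped
]

# Constructed assets (sources) and OT services (destinations).
ASSETS: Dict[str, str] = {
    "internet-host": "203.0.113.7",   # arbitrary external address (documentation range)
    "it-laptop": "10.1.80.15",        # general IT user
    "eng-workstation": "10.1.50.5",   # control-engineering subnet
}
OT_SERVICES: Dict[str, Tuple[str, str, int]] = {
    "plc-modbus": ("10.2.10.20", "tcp", 502),
    "historian-https": ("10.2.10.30", "tcp", 443),
    "hmi-vnc": ("10.2.10.40", "tcp", 5900),
}

# Intended segmentation: what each asset SHOULD be allowed to reach in OT.
SEGMENTATION_POLICY: Dict[str, Set[str]] = {
    "internet-host": set(),                              # nothing in OT from the internet
    "it-laptop": {"historian-https"},                    # read-only historian only
    "eng-workstation": {"plc-modbus", "historian-https"},
}


def _matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True if a single rule applies to this 5-tuple-ish flow description."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def is_reachable(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation; no matching rule means the implicit deny applies."""
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action == "allow"
    return False


def reachability_matrix(rules, assets, services) -> Dict[Tuple[str, str], bool]:
    """Every (asset, service) pair and whether the rules let that flow through."""
    return {(a, s): is_reachable(rules, a_ip, d_ip, proto, port)
            for a, a_ip in assets.items()
            for s, (d_ip, proto, port) in services.items()}


def segmentation_violations(rules, assets, services, policy) -> List[str]:
    """Flows the model says are possible but the segmentation policy does not permit."""
    matrix = reachability_matrix(rules, assets, services)
    return sorted(f"{a} -> {s}" for (a, s), allowed in matrix.items()
                  if allowed and s not in policy.get(a, set()))


def internet_exposed_services(rules, services, probe_ip: str = "203.0.113.7") -> List[str]:
    """OT services reachable from an arbitrary external address: remote-access exposure."""
    return sorted(s for s, (d_ip, proto, port) in services.items()
                  if is_reachable(rules, probe_ip, d_ip, proto, port))


if __name__ == "__main__":
    for line in segmentation_violations(FIREWALL_RULES, ASSETS, OT_SERVICES, SEGMENTATION_POLICY):
        print("VIOLATION:", line)
    print("Internet-exposed OT services:", internet_exposed_services(FIREWALL_RULES, OT_SERVICES))
```

The model flags the forgotten vendor rule three times: every source, including the internet, can reach the HMI's VNC port, which the policy never intended. That is the "set-it-and-forget-it" failure surfaced without touching the plant network, and the same matrix is what a monitoring sensor's observed flows can be compared against to confirm the two views agree.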
The goal for OT cybersecurity initiatives is to stay in the fight, be aware of potential vulnerabilities, and not get knocked out. Our nation’s critical networks are going to continue to take some punches — but how administrators anticipate and respond to those punches is what will set them apart.