What a box of American breakfast cereal can still teach us about cyber security, OT and legacy risk
News and information from the Advent IM team.
One of the most famous stories from the early days of hacking did not involve sophisticated code, advanced persistence or organised cyber crime. It involved a plastic whistle found in boxes of Cap’n Crunch, an American breakfast cereal.
In the early 1970s, phone phreaks discovered that the whistle could generate a 2600 Hz tone. At the time, parts of the telephone network relied on that tone within the signalling process used to route long-distance calls. In simple terms, the network trusted a signal that could be reproduced far too easily. That trust could then be abused.
It is a strange little story from computing history, but the lesson is a serious one. Systems often fail not because they are smashed apart, but because they accept the wrong thing as legitimate.
It is tempting to treat that story as a charming relic from a more innocent era of technology. It is not. The technology has changed beyond recognition, but the underlying problem remains very familiar.
Across industry, government and critical services, many organisations still depend on operational technology and legacy systems that were not designed with modern cyber threats in mind. These environments often sit outside the centre of day-to-day cyber discussions, partly because they are specialist, partly because they are difficult to change, and partly because people are understandably nervous about disrupting live operations. The result is that they can remain exposed for years while attention is focused on more conventional IT risks.
That is a problem, because operational technology is often where cyber risk becomes operational risk in the most literal sense. If business IT fails, you may lose productivity. If OT fails, you may lose visibility, control, service continuity, safety margin, product integrity or public trust. In some sectors, that can quickly become a matter of national resilience as well as commercial resilience.
The awkward truth is that OT and legacy environments are often harder to protect than ordinary business networks. A modern laptop fleet can usually be patched, monitored and rebuilt with relative speed. A legacy control system, industrial device, telecoms platform or estate-management system may depend on outdated software, proprietary protocols, unsupported components or vendor restrictions. It may have been designed for reliability and longevity rather than authentication, integrity and secure remote access. It may need to run continuously. It may not tolerate scanning. It may not even have a straightforward route to upgrade.
This is why the old split between “IT security” and “everything else” no longer works. Attackers do not care about our organisational charts. They care about paths, access, trust relationships and weak assumptions. If an old system is connected, accessible, insufficiently segmented or trusted too broadly, it becomes part of the attack surface whether the business likes it or not.
The answer is not to panic, and it is not always to demand wholesale replacement. In many environments that is unrealistic. The sensible path is to be honest about constraints while still taking action. That starts with asset visibility. Many organisations still do not have a reliable picture of what exists in their OT estate, how it communicates, what depends on it, and where remote access or third-party support arrangements create hidden exposure.
From there, the focus should move to segmentation, secure connectivity, tighter access control, monitoring, strong change control and compensating controls around systems that cannot yet be patched or replaced.
This is also a governance issue, not merely a technical one. Boards and senior leaders do not need to become engineers, but they do need to understand where legacy and operational risks sit inside the wider risk picture. They should know which systems are ageing, which are unsupported, which are operationally critical, what dependencies exist, what assumptions are being made about resilience, and what the roadmap is for reducing exposure over time.
That is why the Cap’n Crunch story still matters. It reminds us that exploitation often begins with a system trusting a signal, process or component that no longer deserves that trust. The old phone network was not breached through cinematic genius. It was manipulated because its design assumptions could be imitated from the outside.
Plenty of modern organisations are living with the same basic flaw in more expensive clothing.
Different decade, different technology, same uncomfortable truth.
If a system is old, connected, hard to change and still deeply trusted, it deserves more attention, not less.
-Ellie Hurst, Director, Advent IM