Legacy OT risks: The hinderances of aging systems – and how to move forward

This audio was created using Microsoft Azure Speech Services

Today, the role of a chief information security officer (CISO) comes with a heavy ethical and social responsibility. Yes, we and our teams have a primary responsibility to protect the cybersecurity of critical infrastructures that provide vital services like electricity, water, oil, gas, healthcare, and food production, to name a few. As owners of the operational technology (OT) that runs the machines in these facilities, we must focus on business resiliency, as a few minutes of downtime on a factory floor can cost a company millions of dollars – but our responsibility doesn’t stop there. 

CISOs also are responsible for the health and safety of the people who might be impacted by the devastating consequences of a major cyberattack. We must recognize that beyond a financial implication, unplanned operational disruptions from cyberattacks can cause potential safety hazards, and even death for the people directly impacted by an OT incident. 

One of the biggest cybersecurity challenges CISOs face when it comes to these responsibilities is protecting the outdated legacy systems that run many of our operations. Due to their age, these systems are difficult for security teams to properly maintain, and often impossible to protect from cyberattacks – and today’s threat actors know this. 

Recognizing the weaknesses in OT infrastructures  

Almost every major OT facility has aging legacy systems that were custom-built for a single purpose decades ago. Whether it’s a system that runs water treatment plants, or a programmable logic controller on an automotive factory floor, many of these machines were built before the internet was conceived and cybersecurity was even a concern. They were not built to connect digitally or nor did they come with built-in security measures. But thanks to IIoT proliferation, digitization, and industry 4.0, these legacy OT systems are now connected to a company network or the internet – and many of them are unprotected and at risk.  

In the IT world, when a device or system presents security risks due to age or outdatedness, the easiest solution is to buy a new one. In the OT world, however, because the systems are larger and more complex, that option is often cost-prohibitive. Consequently, CISOs are constantly dealing with legacy-related issues, such as these:  

• Misconfigurations. As soon as connectivity was available in OT environments, many businesses quickly connected unprotected equipment, control systems, or devices directly to their networks. Without adequate security controls such as a firewall protecting these systems, these machines are now exposed on the internet with unprotected management web interfaces and ports. These are opportunities that attackers can easily use to access a company’s infrastructure and conduct malicious attacks.  
• Lack of visibility and inventory control. Because many of these systems were installed ages ago, they do not have the monitoring or detection capabilities modern machines have today. Therefore, they can’t be seen – nor can they be protected, upgraded, or maintained, leaving CISOs with an unmanageable network topography.  
• Patching and upgrading are challenging. In the IT world, patching and upgrading is an accepted, ongoing cybersecurity practice. But legacy OT systems are difficult to maintain not only because they are old, but also because they are highly customized, and they may no longer be supported. Even when patching and upgrading are possible, it is often cost prohibitive, because the 10 or 15 minutes of downtime it takes to update a machine could cost upwards of millions of dollars in revenue in a factory.  
• Outdated systems are still being built. To complicate this issue even more, many OEMs who build OT equipment are still shipping unsupported systems, like Microsoft Windows 7 that can’t be patched nor protected by modern cybersecurity solutions. Oftentimes, this is a cost issue, as an upgrade requires new drivers, updated software, testing, and more. 

Working together to develop action plans   

Despite the challenges legacy OT presents, there are things that CISOs and our teams can proactively do to protect these critical yet aging systems. As an example, Schneider Electric is making a focused effort to work with customers, national authorities, and OEMs to proactively mitigate OT risks through initiatives like these.  

• Remediating improperly configured systems within the customer base. Over the last couple of years, Schneider Electric has been working with customers to detect the unprotected web management interfaces and open IPs in their legacy systems that are linked to systems within their critical installations. Whether it is due to misconfigured or decommissioned systems, the company is helping customers identify exposures, qualify their risk exposure, and implement mitigation and prevention activities.  
• Building awareness with national authorities. Country, regional, and local governments want to be aware of possible cybersecurity incidents that could have a negative impact on their communities and constituents. Schneider Electric is working with these authorities to make them aware of the potential crises associated with unprotected OT systems and encouraging them to spearhead initiatives to address these cybersecurity risks.   
• Encouraging cybersecurity best practices with OEMs. Schneider Electric also recognizes the value of its partnership with OEMs and the company is working with its suppliers to implement best practices that improve cybersecurity. As an example, the company follows a secure-by-design development lifecycle process that has been certified to comply with the ISA/IEC 62443-4-1 cybersecurity standard. If OEMs were to follow the same practice, it would eliminate the building and shipping of outdated, unsecure, and unprotected equipment. In addition, Schneider Electric encourages its OEMS to release timely patches and firmware updates immediately upon identifying known vulnerabilities that could compromise OT systems.  

Let’s work together to protect OT systems – and the people impacted by them 

Aging legacy OT systems most likely will remain on a CISO’s shortlist of cybersecurity concerns for quite a while, but we are not powerless. We all share the same responsibilities – and the commitment to make the world a safer, better place by doing our best to protect our OT infrastructures.  

Schneider Electric CISOs and our teams are diligently working with customers from all types of companies, both large and small, to protect our infrastructures and all the people that are associated with them. We hope the initiatives shared here in this blog inspire others who face the same issues to consider adopting these practices – or even better, to develop their own and share them with the world like we have here.