| |

Legacy OT Risks: The Hinderances of Aging Systems – and How to Move Forward

July 15, 2024

Legacy OT Risks: The Hinderances of Aging Systems – and How to Move Forward
Legacy OT risks and how to move forward

Today, the role of a chief information security officer (CISO) comes with a heavy ethical and social responsibility. Yes, we and our teams have a primary responsibility to protect the cybersecurity of critical infrastructures that provide vital services like electricity, water, oil, gas, healthcare, and food production, to name a few. As owners of the operational technology (OT) that runs the machines in these facilities, we must focus on business resiliency, as a few minutes of downtime on a factory floor can cost a company millions of dollars – but our responsibility doesn’t stop there. 

CISOs also are responsible for the health and safety of the people who might be impacted by the devastating consequences of a major cyberattack. We must recognize that beyond a financial implication, unplanned operational disruptions from cyberattacks can cause potential safety hazards, and even death for the people directly impacted by an OT incident. 

One of the biggest cybersecurity challenges CISOs face when it comes to these responsibilities is protecting the outdated legacy systems that run many of our operations. Due to their age, these systems are difficult for security teams to properly maintain, and often impossible to protect from cyberattacks – and today’s threat actors know this. 

Recognizing the weaknesses in OT infrastructures  

Almost every major OT facility has aging legacy systems that were custom-built for a single purpose decades ago. Whether it’s a system that runs water treatment plants, or a programmable logic controller on an automotive factory floor, many of these machines were built before the internet was conceived and cybersecurity was even a concern. They were not built to connect digitally or nor did they come with built-in security measures. But thanks to IIoT proliferation, digitization, and industry 4.0, these legacy OT systems are now connected to a company network or the internet – and many of them are unprotected and at risk.  

In the IT world, when a device or system presents security risks due to age or outdatedness, the easiest solution is to buy a new one. In the OT world, however, because the systems are larger and more complex, that option is often cost-prohibitive. Consequently, CISOs are constantly dealing with legacy-related issues, such as these:  

  • Misconfigurations. As soon as connectivity was available in OT environments, many businesses quickly connected unprotected equipment, control systems, or devices directly to their networks. Without adequate security controls such as a firewall protecting these systems, these machines are now exposed on the internet with unprotected management web interfaces and ports. These are opportunities that attackers can easily use to access a company’s infrastructure and conduct malicious attacks.  
  • Lack of visibility and inventory control. Because many of these systems were installed ages ago, they do not have the monitoring or detection capabilities modern machines have today. Therefore, they can’t be seen – nor can they be protected, upgraded, or maintained, leaving CISOs with an unmanageable network topography.  
  • Patching and upgrading are challenging. In the IT world, patching and upgrading is an accepted, ongoing cybersecurity practice. But legacy OT systems are difficult to maintain not only because they are old, but also because they are highly customized, and they may no longer be supported. Even when patching and upgrading are possible, it is often cost prohibitive, because the 10 or 15 minutes of downtime it takes to update a machine could cost upwards of millions of dollars in revenue in a factory.  
  • Outdated systems are still being built. To complicate this issue even more, many OEMs who build OT equipment are still shipping unsupported systems, like Microsoft Windows 7 that can’t be patched nor protected by modern cybersecurity solutions. Oftentimes, this is a cost issue, as an upgrade requires new drivers, updated software, testing, and more. 

Working together to develop action plans   

Despite the challenges legacy OT presents, there are things that CISOs and our teams can proactively do to protect these critical yet aging systems. As an example, Schneider Electric is making a focused effort to work with customers, national authorities, and OEMs to proactively mitigate OT risks through initiatives like these.  

  • Remediating improperly configured systems within the customer base. Over the last couple of years, Schneider Electric has been working with customers to detect the unprotected web management interfaces and open IPs in their legacy systems that are linked to systems within their critical installations. Whether it is due to misconfigured or decommissioned systems, the company is helping customers identify exposures, qualify their risk exposure, and implement mitigation and prevention activities.  
  • Building awareness with national authorities. Country, regional, and local governments want to be aware of possible cybersecurity incidents that could have a negative impact on their communities and constituents. Schneider Electric is working with these authorities to make them aware of the potential crises associated with unprotected OT systems and encouraging them to spearhead initiatives to address these cybersecurity risks.   
  • Encouraging cybersecurity best practices with OEMs. Schneider Electric also recognizes the value of its partnership with OEMs and the company is working with its suppliers to implement best practices that improve cybersecurity. As an example, the company follows a secure-by-design development lifecycle process that has been certified to comply with the ISA/IEC 62443-4-1 cybersecurity standard. If OEMs were to follow the same practice, it would eliminate the building and shipping of outdated, unsecure, and unprotected equipment. In addition, Schneider Electric encourages its OEMS to release timely patches and firmware updates immediately upon identifying known vulnerabilities that could compromise OT systems.  

Let’s work together to protect OT systems – and the people impacted by them 

Aging legacy OT systems most likely will remain on a CISO’s shortlist of cybersecurity concerns for quite a while, but we are not powerless. We all share the same responsibilities – and the commitment to make the world a safer, better place by doing our best to protect our OT infrastructures.  

Schneider Electric CISOs and our teams are diligently working with customers from all types of companies, both large and small, to protect our infrastructures and all the people that are associated with them. We hope the initiatives shared here in this blog inspire others who face the same issues to consider adopting these practices – or even better, to develop their own and share them with the world like we have here. 

About the Author

Andre Shori – APAC Vice President & Chief Information Security Officer (CISO)
Legacy OT Risks: The Hinderances of Aging Systems – and How to Move Forward

Andre is the Asia Pacific Cybersecurity Vice President and Chief Information Security Officer at Schneider Electric, where he is responsible for leading, animating and implementing the IT and OT cybersecurity programs for the Asia Pacific region.  

Andre brings over 30 years of cyber experience, a SANS Technology Institute Master of Science in Information Security Management, and 18 major cybersecurity certifications. As Regional CISO for Schneider Electric, Andre’s mission is to continuously advance and mature the cybersecurity posture for his regional ecosystem of customers, partners and employees. 

He adopts an approach of being constantly risk-informed while implementing defence-in-depth to ensure that cyber risks to Schneider Electric’s IT and OT systems are deterred, detected, and defused to the maximum extent possible.

Andre also serves as an Executive Board Member of the (ISC)2 Singapore Chapter and Vice President of the Association of Information Security Professionals (AiSP), where he strives to advance the cybersecurity profession through a network of cross-border partnerships with other professional associations.   

Source

Related Story

Upgrading Legacy Control Systems to Current Technology Using Schneider Electric’s Solutions and Guillevin Automation 

When a legacy control system is no longer supported by the manufacturer, an upgrade is required. To facilitate an easy migration, Guillevin Automation can assist you in this process with the right products and solutions. This article looks at how technologies from Schneider Electric can help.

Related Articles



Editor’s Pick: Featured Article

Weidmüller’s u-control 2000: The Automation Controller

Weidmüller’s u-control 2000: The Automation Controller

Weidmüller’s scalable engineering software, u-control 2000, adapts individually to your requirements. And, the u-control is powerful, compact and fully compatible with Weidmüller’s I/O system u-remote. This article looks at what makes u-control the heart of your automation.

Programmable logic controllers (PLCs) are one of the main components of any automated system. A typical control system has inputs, outputs, controllers (i.e., PLCs), and some type of human interaction with the system, a human machine interface (HMI), for example.

Read More



Latest Articles

  • Rethink Robotics Rises from the Ashes, Better, Faster, Stronger

    October 28, 2024 By Krystie Johnston Rethink Robotics is making a powerful comeback. They recently relaunched, rebranded, and revealed a new lineup of products at IMTS 2024. Their Rethink Reacher cobots have been designed for precision and performance, their Rethink Ryder autonomous mobile robots (AMRs) offer effortless efficiency, and their Rethink Riser elevates operations by… Read More…

  • Servo and Other PWM Motors in Semiconductor Manufacturing

    October 24, 2024 By Vladimir Kraz/OnFILTER vkraz@onfilter.com Semiconductor manufacturing is largely fully automated. The only time any device – from the wafers to the packaged ICs – is handled manually is when these components are already “dead.” The same is largely true for automated PCB assembly (PCBA) with some exceptions for manually inserted components, rework,… Read More…