Legacy Systems: Rip and Replace or Keep Them Going?

SIA Cybersecurity Advisory Board is a Champion of Cybersecurity Awareness Month. Do your part. Be Cyber Smart.

October is Cybersecurity Awareness Month, and the Security Industry Association (SIA) Cybersecurity Advisory Board is marking the occasion with a series of blogs, articles and videos containing helpful tips and guidance on key cybersecurity topics. In this blog from SIA Cybersecurity Advisory Board Vice Chair Antoinette King – founder of Credo Cyber Consulting – learn about legacy systems and the business risks and costs associated with them, along with key tips and steps for securing these systems.

Antoinette King, founder of Credo Cyber Consulting, serves as vice chair of the SIA Cybersecurity Advisory Board.

The present state of digital dependency is often referred to as Industry 4.0. This next-phase industrial revolution relies on automation and data exchange so that systems operate efficiently, provide business intelligence and support national security intelligence. Some of these systems include cyber-physical systems, the commercial and consumer Internet of Things (IoT) and the Industrial Internet of Things (IIoT). This latest industrial revolution sits on the heels of the “Digital Revolution” of the late 20th century, when analog systems began to rely on computers to operate. Why is this brief history lesson important? Many organizations, especially those in critical infrastructure, that were early adopters of computing technology have been using the same industrial control systems (ICS) technology for decades. These systems were expensive, and, let’s face it, they work. Given the long life cycle of ICS, organizations are often reluctant to invest in changing or transitioning to more state-of-the-art systems. Reliance on these legacy systems makes these organizations prime targets for bad actors and cybercriminals.

Anatomy of a Legacy System

Organizations invest a lot of resources in the systems that they use for daily operations. These systems include the hardware and software they run on, the human operators who run and maintain them, and the public-facing operations that deliver services and products to consumers. In many cases, these systems are mission critical to an organization, such as production equipment, and to entire communities, as in the case of electrical grids. To gain the greatest return on investment, these systems are used for as long as they can be. In some cases, organizations have built entire ecosystems around these technologies, layering newer technology on top and creating a complicated and thoroughly entangled system of systems established over generations of employees. Scrapping these legacy systems and replacing them with new technology requires a massive financial investment to procure and test the technology, as well as an investment of time and human resources in creating new processes and training staff on the new system.

Business Risks of Employing Legacy Systems

Understanding the risks that come with continuing to employ legacy systems is an important part of deciding when the right time to upgrade is. Some of the risks include lack of manufacturer support for software and hardware components; lack of personnel skilled to run and maintain these systems, which creates insider risk; and the inability of these systems to support the modern work environment. Most manufacturers have a seven- to 10-year lifecycle for support of legacy hardware and software. Two major reasons for this timeline are hardware components becoming obsolete and changes in software development practices. In the case of IIoT, much of the ICS technology operates on older operating systems (OS). Once an OS is no longer supported by the manufacturer, as is the case with Windows XP, for example, security patches and bug fixes are no longer provided. With no way to close the loop on vulnerabilities, the entire solution becomes a security risk. In some cases, the software that runs the ICS cannot be updated once the OS is obsolete, because the OS will not support the update. This is one of the paradoxes of working with legacy systems.

As systems grow older, so do the employees with the expertise to operate and maintain them. The pool of talent with an understanding of the inner workings of these complex systems of systems also grows smaller. This lack of knowledge of legacy systems creates an opportunity for intentional and unintentional insider risk, as well as external risk via exploitation by cyber bad actors. People with malicious intent, whether insiders or external to the organization, may exploit the legacy system, recognizing that older technology has inherent vulnerabilities. Others may unintentionally make changes to the system without a thorough understanding of the complex nature of the ecosystem, causing downtime with catastrophic impact to the organization.

The recent pandemic has changed the face of how businesses operate. The borderless facility creates a challenge for organizations that run legacy systems because they were not built to support the remote workforce or the workforce of the future. Organizations have been forced to create workaround solutions that can put the entire business operation at risk and increase the attack surface for cybercriminals by exposing the critical system directly to the internet.

The Cost of Legacy Systems

Businesses need to assess the intrinsic costs of running legacy systems as compared to the costs of building a new system. Some of these costs may include:

  • Maintenance
  • Staffing and training
  • Lack of documentation
  • Data created and stored in an older format, making it difficult to convert

Despite these costs of keeping legacy systems, there are instances where a “rip and replace” is just not feasible. For example, there are situations in which it is far too costly to create a duplicate system with newer technology, the system is so integral to operations that it cannot be taken offline for a transition, or it simply works well and the business disruption of retraining staff is not acceptable.

Six Steps to Securing Legacy Systems

Here are some steps that can be taken to harden these high-risk targets:

  1. Conduct a risk assessment
  2. Identify and isolate legacy systems
  3. Determine what systems can be upgraded and create a plan
  4. Remove all legacy systems from being Internet-facing
  5. Harden all infrastructure surrounding the legacy system
  6. Create strong policy around the who, what and when people have access to these legacy systems
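Steps 1 through 6 above describe a triage loop: inventory the assets, decide which are legacy, and work out for each one whether it must be isolated, taken off the Internet, scheduled for upgrade, or placed under an explicit access policy. The script below is an added example that runs that loop over a constructed inventory; it is not code from the SIA post or from Credo Cyber Consulting. The asset records, network zone names, user names and the end-of-support table (apart from the Windows XP date) are assumptions made for the example, and a real inventory would load the lifecycle data from vendor sources.

```python
"""Triage a constructed asset inventory against the six steps above.

Added example, not from the SIA post. Every hostname, zone and user
below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date

# Sample end-of-support table. Windows XP's end of extended support
# (2014-04-08) is the real vendor date; the other entries are assumed
# for this example, and a real inventory would take them from vendor data.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Ubuntu 22.04": date(2027, 4, 30),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass
class Asset:
    hostname: str
    os: str
    zone: str                       # network segment the host lives in
    internet_facing: bool           # reachable from the public Internet
    supports_upgrade: bool = False  # vendor offers a supported upgrade path
    allowed_users: list = field(default_factory=list)  # "*" means anyone


@dataclass
class Finding:
    hostname: str
    severity: str
    actions: list


def is_legacy(asset: Asset, today: date) -> bool:
    """Step 2 test: an OS past end of support is legacy. An OS with no
    lifecycle entry is treated as legacy too: if nobody can say when support
    ends, it cannot be shown to be supported."""
    eos = END_OF_SUPPORT.get(asset.os)
    return eos is None or eos < today


def triage(assets, today: date, isolated_zone: str = "ot-isolated"):
    """Steps 1 to 6: rank each asset and list the actions still owed to it."""
    findings = []
    for a in assets:
        if not is_legacy(a, today):
            findings.append(Finding(a.hostname, "info", []))
            continue
        actions = []
        if a.internet_facing:                       # step 4
            actions.append("step 4: remove Internet exposure")
        if a.zone != isolated_zone:                 # step 2
            actions.append(f"step 2: move from {a.zone} to {isolated_zone}")
        if a.supports_upgrade:                      # step 3
            actions.append("step 3: schedule upgrade to a supported OS")
        if not a.allowed_users or "*" in a.allowed_users:   # step 6
            actions.append("step 6: define named users and access windows")
        # Exposure drives severity: Internet-facing legacy beats everything.
        if a.internet_facing:
            severity = "critical"
        elif a.zone != isolated_zone:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(a.hostname, severity, actions))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.hostname))


# Constructed inventory (assumed names and zones, not real hosts).
SAMPLE_ASSETS = [
    Asset("hmi-plant-01", "Windows XP", "corp-lan", internet_facing=True,
          allowed_users=["*"]),
    Asset("historian-02", "Windows 7", "ot-isolated", internet_facing=False,
          supports_upgrade=True, allowed_users=["ops-alice", "ops-bob"]),
    Asset("plc-gw-03", "VendorRTOS 2.1", "ot-isolated", internet_facing=False),
    Asset("jump-host-04", "Ubuntu 22.04", "dmz", internet_facing=True,
          allowed_users=["ops-alice"]),
]
DEFAULT_TODAY = date(2021, 10, 1)   # assumed assessment date


def triage_sample():
    return triage(SAMPLE_ASSETS, DEFAULT_TODAY)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.severity:8} {f.hostname:14} {'; '.join(f.actions) or '-'}")
```

The unknown-OS rule is deliberate: the post's point about vendor support is that the absence of patches is what makes the system a risk, so an asset whose lifecycle nobody can state lands on the legacy side of the line until someone proves otherwise. Running the script prints the constructed Windows XP host first, because exposure to the Internet (step 4) outranks every other finding.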

Keeping legacy systems is sometimes necessary; however, if organizations are not creating a plan to secure their legacy systems, they are on a sure-fire path to becoming the victim of a cyberattack. The financial and reputational costs of dealing with and remediating a cyber-related incident will far outweigh the cost of implementing technology and policy to insulate legacy systems from unwanted intrusions. It is incumbent on organizations to identify their legacy systems and seek out options for protecting access to those systems; this is necessary to protect not only the organization, but its customers as well.