So what exactly is legacy infrastructure? Why does it need protection?
In contrast to the latest and most advanced equipment used in modern smart industries such as smart grids or smart factories, legacy equipment is generally dated, in some cases 20, 30 or even more years old. This equipment still works and is often not replaced, sometimes because of the enormous capital expenditure an upgrade would require. At times such equipment does not even speak IP (Internet Protocol) as its communication protocol and may use some proprietary communication mechanism instead. Here the task of updating becomes even more daunting, because not only the control system equipment but the network infrastructure as well has to be overhauled. Another big challenge with some of these dated control systems is that they run old, sometimes outdated, versions of operating systems or application software that are no longer supported by their manufacturers or even by the software development community. Such systems leave vulnerabilities unpatched, leaving them open to attacks and exploits. On top of that, some of them do not support SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security) to provide authentication and encryption of the communication channel itself. Similarly, on devices that do support SSL and/or TLS, the versions in use are mostly outdated and unpatched. Even the availability of a software upgrade or patch does not resolve this last problem, as several of these systems are never upgraded at all. The impediments include the remote and hard-to-reach locations of these systems and a complex upgrade procedure. Moreover, the upgrade process itself makes the system unavailable for the duration of the upgrade, which is unacceptable downtime for critical infrastructure. All these shortcomings make these systems vulnerable to exploits, and once compromised, they are extremely hard to detect and remediate for the same reasons that keep them from being upgraded.
These exploits not only make the control system unavailable for normal operations; they can also cause severe and catastrophic damage to the entire industrial operation.
Three ways to protect your legacy infrastructure
Secure your endpoints
The endpoints, which include a mélange of control system equipment such as remote terminal units (RTUs), programmable logic controllers (PLCs), intelligent electronic devices (IEDs), etc., should be secured by allowing only those communication messages to reach them that they are designed to handle. Blocking any and all unnecessary traffic on the communication channel leading up to the endpoint prevents it from being exposed to an exploit or an attack. There is a general notion within the industrial control system environment: “if it is not broken, don’t fix it.” As long as the control system is working as expected, there is always a risk of destabilizing it through a software upgrade or maintenance. On the other hand, there is always a need to upgrade the system in order to protect it from vulnerabilities or protocol exceptions. In such cases, a protocol anomaly detection firewall, also called a Deep Packet Inspection Firewall (since it looks not only at the packet headers but also at the protocol message content deep within the packet to apply a filter), is a necessary means of allowing only valid and safe protocol messages to reach the end device, thereby alleviating the need for patching software vulnerabilities.
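To make the endpoint filtering described above concrete, here is an added example (not code from the article or from any firewall product) of what a protocol-aware allowlist in front of a legacy Modbus/TCP PLC does: it parses the MBAP header and PDU, drops malformed frames, and forwards only the unit ids, function codes and register ranges the device is designed to serve. The policy values and all sample frames are constructed for the example; the function-code numbers and header layout are those of the public Modbus specification.

```python
"""Protocol-aware allowlist for Modbus/TCP requests (added example, not from the article).

Mirrors what a deep-packet-inspection / protocol-anomaly firewall does in front of a
legacy PLC or RTU: parse the protocol, reject malformed frames, and forward only the
function codes, unit ids and register ranges the endpoint is built to accept.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Public Modbus function codes used here (values from the Modbus application spec)
READ_HOLDING_REGISTERS = 0x03
READ_INPUT_REGISTERS = 0x04
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

MBAP_LEN = 7             # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_READ_QUANTITY = 125  # spec maximum number of registers in one read request


@dataclass
class Policy:
    """What the protected endpoint is designed to accept; everything else is dropped."""
    allowed_units: Set[int]
    allowed_functions: Set[int]
    register_window: Tuple[int, int]  # inclusive first/last register address exposed


@dataclass
class Verdict:
    allowed: bool
    reason: str
    function: Optional[int] = None


def parse_mbap(frame: bytes) -> Tuple[int, int, bytes]:
    """Validate the MBAP header and return (transaction id, unit id, PDU)."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    # 'length' counts the unit id plus the PDU, so the frame must be exactly 6 + length bytes
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    return tid, unit, frame[MBAP_LEN:]


def _in_window(policy: Policy, start: int, count: int) -> bool:
    lo, hi = policy.register_window
    return lo <= start and start + count - 1 <= hi


def inspect(frame: bytes, policy: Policy) -> Verdict:
    """Default-deny filter: a request passes only if every parsed field matches the policy."""
    try:
        _tid, unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return Verdict(False, f"malformed: {exc}")
    fc = pdu[0]
    if fc & 0x80:
        return Verdict(False, "exception bit set in a request", fc)
    if unit not in policy.allowed_units:
        return Verdict(False, f"unit {unit} is not served by this endpoint", fc)
    if fc not in policy.allowed_functions:
        return Verdict(False, f"function 0x{fc:02x} not permitted by policy", fc)

    if fc in (READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS):
        if len(pdu) != 5:
            return Verdict(False, "read request must be function + address + quantity", fc)
        start, qty = struct.unpack(">HH", pdu[1:5])
        if not 1 <= qty <= MAX_READ_QUANTITY:
            return Verdict(False, f"quantity {qty} outside 1..{MAX_READ_QUANTITY}", fc)
        if not _in_window(policy, start, qty):
            return Verdict(False, f"read of {start}..{start + qty - 1} outside exposed window", fc)
        return Verdict(True, "read within exposed window", fc)

    if fc == WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            return Verdict(False, "write request must be function + address + value", fc)
        (addr,) = struct.unpack(">H", pdu[1:3])
        if not _in_window(policy, addr, 1):
            return Verdict(False, f"write to {addr} outside exposed window", fc)
        return Verdict(True, "write within exposed window", fc)

    # Listed as allowed but with no body parser: fail closed rather than forward blindly.
    return Verdict(False, f"no inspection rule for function 0x{fc:02x}", fc)


# Constructed policy: one PLC (unit 1) that only reads/writes holding registers 16..31.
PLC_POLICY = Policy(allowed_units={1},
                    allowed_functions={READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},
                    register_window=(16, 31))

# Constructed sample frames (hex: MBAP header, then PDU).
SAMPLE_FRAMES = {
    "read_ok":      bytes.fromhex("0001 0000 0006 01 03 0010 0008"),            # read 16..23
    "write_ok":     bytes.fromhex("0005 0000 0006 01 06 0014 002a"),            # write reg 20
    "write_multi":  bytes.fromhex("0002 0000 000b 01 10 0010 0002 04 0001 0002"),  # fc 0x10
    "read_outside": bytes.fromhex("0004 0000 0006 01 03 0100 0001"),            # reg 256
    "wrong_unit":   bytes.fromhex("0006 0000 0006 05 03 0010 0001"),            # unit 5
    "truncated":    bytes.fromhex("0003 0000 0006 01 03 0010"),                 # bad length
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        v = inspect(frame, PLC_POLICY)
        print(f"{name:13s} {'ALLOW' if v.allowed else 'DROP '} {v.reason}")
```

Only the two reads and the one in-window write pass; the multi-register write, the out-of-window read, the unknown unit and the truncated frame are all dropped with a reason a SOC can log, which is the behaviour the article expects from the firewall in front of an unpatched device.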
Secure your network
Often the network communication protocols used by legacy devices are not inherently secure. Even when a certain level of security is present, it is limited to weaker versions of SSL or SSH (Secure Shell) that can be easily broken or exploited. It is extremely important to secure these communication channels to prevent man-in-the-middle attacks, thereby avoiding any dangerous impact on the control system. One way to secure this channel is by encrypting the communication over an IPsec VPN (Virtual Private Network) tunnel. A VPN gateway placed in front of one or several control system endpoints ensures these messages are encrypted using strong algorithms that are practically impossible to break. If the endpoints are not IP-enabled, such as legacy serial devices transmitting Modbus, Profinet or similar protocol messages, the edge terminal server that converts the serial data into TCP/IP should secure the IP network before transmission. Many methods can be employed to achieve this security, SSL and IPsec VPN being the most prominent ones.
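As an added example of the VPN gateway arrangement described above (not configuration from the article or from any vendor), here is a strongSwan swanctl.conf fragment for a gateway that carries a whole legacy control-system subnet, including the serial-to-TCP terminal server on it, to a remote site over an IKEv2/IPsec tunnel. The addresses, identities, certificate file names and connection names are placeholders chosen for the example; the gateway addresses use documentation ranges and would be replaced with real ones.

```conf
# /etc/swanctl/swanctl.conf on the plant-side gateway (placeholder values throughout)
connections {
    legacy-plc-site {
        version      = 2                    # IKEv2 only; no IKEv1 fallback
        local_addrs  = 203.0.113.10          # this gateway's outside address
        remote_addrs = 198.51.100.20         # control-centre gateway
        proposals    = aes256gcm16-sha256-x25519   # IKE SA: AEAD cipher, modern DH group
        dpd_delay    = 30s                   # detect a dead peer and re-establish

        local {
            auth  = pubkey                   # certificate authentication, not PSK
            certs = plant-gw.example.pem     # placeholder certificate name
            id    = plant-gw.example
        }
        remote {
            auth = pubkey
            id   = control-gw.example
        }

        children {
            plc-subnet {
                local_ts      = 192.0.2.0/24     # legacy PLCs, RTUs and the terminal server
                remote_ts     = 10.0.0.0/24      # placeholder for the SCADA master network
                esp_proposals = aes256gcm16-x25519   # ESP with AEAD; no weak legacy suites
                start_action  = start            # bring the tunnel up at daemon start
                dpd_action    = restart          # re-negotiate rather than leave plaintext
            }
        }
    }
}
```

The point of the layout is that the serial devices and the terminal server never see the tunnel: they keep talking their unencrypted protocols on 192.0.2.0/24, and only the gateway's outside interface carries traffic off-site, already inside ESP. Restricting `proposals` and `esp_proposals` to explicit modern suites is what keeps the tunnel from negotiating down to the weak SSL/SSH-era algorithms the paragraph warns about.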