November 8, 2016

Manufacturing industries in the crosshairs: legacy systems can make a tempting cyber attack target

Tomi Behm

Lead Security Services Product Manager, Tieto

A surprisingly big portion of daily business runs on old operating systems that are no longer supported or will soon be out of support. In fact, it has been estimated that a whopping 80 percent of the world's IT systems are running on platforms that may not yet be completely unsupported but can be termed "legacy" platforms.

There are many reasons for running old and unsupported operating systems. Often they interface with other software and/or hardware that doesn't work with newer systems, making updating impossible until it's time for a wholesale update cycle.

Even if updating is possible, it may be deemed unnecessary – if it works, why fix it? In smaller businesses, one of the reasons may even be an emotional attachment to tried and trusted workflows. (One of the classical sins of IT professionals is to omit human feelings!)

Legacy systems are especially prevalent in manufacturing industries. These older systems are often used to run manufacturing lines and they still do a good job at what they are supposed to. It's hard to convince company leadership to invest in new technology for doing the same old thing in exactly the same way.

The problem, of course, is that what production people see as a reliable workhorse is a cyber attack vector for IT security and risk management people. Most alarmingly, as the world is currently interconnecting under the umbrella term "industrial internet", systems that in the past were isolated, sometimes not even networked, are suddenly being connected to the other corporate IT systems, which in turn are connected to the internet. So sometimes the departments responsible for running the legacy environments are not even aware that they have suddenly been exposed to the internet.

Time is not on your side

Some experts have estimated that while financial and consumer targets get most of the press, manufacturing is in fact the most targeted sector for cyber attacks at the moment. The attacker may target the manufacturing organization itself for espionage or sabotage, or the goal may be to use it as a platform for attacks elsewhere.

The recent massive internet outage was caused by a massive botnet of enslaved cameras, DVRs and other poorly protected internet-of-things devices. This attack used consumer hardware, but nothing prevents attackers from using industrial settings instead.

It's possible to construct a relatively secure system from the ground up, but the common wisdom is that a system that was relatively secure on the day it was taken into use becomes more insecure over time. Threats and technologies evolve, and new vulnerabilities are found at different levels of the technology stack in use. In addition, the attackers have more and more computing power at their disposal.

For instance, what might have been the best practice for storing passwords may be outdated by now.

Assess the risk

In an ideal world, all systems would always be up-to-date. However, getting rid of all legacy systems is unrealistic, and even if it were possible, the current state-of-the-art would be legacy in the future, anyway.

The sensible move is to assess risks associated with legacy systems and take necessary actions. Some things to consider:

  • Find out how many old and vulnerable systems you have, where they are, and what kind of role they play in running the business.
  • Run a vulnerability scan against the systems or the network those systems live on. This tells you how potential attackers see the network.
  • Consider hardening procedures on systems. The problem is that hardening is tricky to do on stand-alone machines, which are quite common in manufacturing industries. Hardening may also cause legacy applications to stop working.
  • In the long run, the easiest and most effective way to get protection and visibility is to shield legacy systems at the network level, using an Intrusion Protection System and Next Generation Firewall setup. Here, it is critical to know the legacy systems and to continuously observe notifications and alarms sent from the system.

At the end of the day, legacy systems are going to be an ever-present issue for security management. With careful consideration and a few sensible precautions, they can continue ticking away in the heart of the enterprise without being an undue security hazard. Having said this, best practice is to also keep the manufacturing systems as up to date as possible and to design new systems to better stand the test of time.

For more information about Tieto Security Services, please download our whitepaper.

