‘Legacy’ cyber risk: How to prepare OT for system updates

Manufacturing systems need to be protected like crown jewels, but when it comes to OT environments, performance is often prioritized over security.
Oct. 7, 2025

What you’ll learn:

  • Even as IT and cybersecurity teams prepare to migrate to Windows 11, some OT systems still run Windows NT, which has not been supported since 2004.
  • IT teams tend to upgrade or replace hardware and software every three to seven years. But OT networks are practically institutions with device lifecycles of 10 to 30 years.
  • Patch management is a complex process in OT environments; migration to Windows 11 is likewise complicated by legacy hardware and custom applications.

As ransomware and state-sponsored cyberattacks surge against critical infrastructure, OT environments are more at risk than ever. Threat actors are becoming increasingly sophisticated.

However, protecting OT environments requires contending with legacy hardware and software that is both vulnerable and difficult to manage and mitigate.

Legacy technology persists in OT environments. For example, even as IT and cybersecurity teams prepare to migrate to Windows 11, the reality is that some OT systems are still running Windows NT, which has not been supported since 2004.

When vulnerabilities are discovered in unsupported systems, there is no way to remediate them, leaving organizations open to exposure. Conficker, Stuxnet and WannaCry are all examples of cyberattacks that have targeted exposed industrial control systems.

When it comes to OT environments, performance is often prioritized over security. Patching and migration projects require testing and validation that are typically reserved for adding new functionality, not remediating vulnerabilities.

End-of-life software and hardware create risks that cannot be remediated and pose a major concern for operational resilience and business continuity.

Legacy systems need to be protected like crown jewels. The Purdue Model, which serves as the foundation of ISA/IEC 62443, provides a process to identify risks and mitigate vulnerabilities and exposures. By assessing assets for risks and continuously monitoring for threats, organizations can achieve preemptive protection.

A tale of two networks: IT versus OT

IT teams tend to upgrade or replace hardware and software every three to seven years. Vendors tend to support IT systems with consistent patches and upgrades over the course of these shorter lifecycles.

On the other hand, OT networks are practically institutions with device lifecycles of 10 to 30 years. One main reason for this is that ICS systems are expensive and replacing them can be disruptive. As such, organizations tend to operate them until they fail mechanically.

Even where such lifespans are feasible, most vendors will not support OT devices for more than 30 years, particularly if the underlying operating systems are no longer supported. Even when vendors do offer support, they often require a time-consuming and expensive recertification process.

When OT project timelines are measured in decades, this represents a major gap between the end of support and the migration to modern systems. If vulnerabilities cannot be remediated with patches, then they must be mitigated with compensating controls.

The Purdue Model

The Purdue Model is a reference architecture that enables organizations to identify risks in their OT environments, remediate vulnerabilities through patch management when possible, and mitigate exposures with compensating controls. It is so fundamental to OT security that it serves as the foundation of ISA/IEC 62443.

The Purdue Model defines five hierarchical levels:

  • Levels 0-1: Physical devices and controllers
  • Levels 2-3: Engineering, SCADA and other OT applications
  • Level 4: Enterprise IT environments

In the case of Windows, the risk of exposure is concentrated in the servers, endpoints and applications seen in Levels 2 and 3. IT/OT convergence has blurred the line with Level 4, introducing risks to systems that were previously isolated on the network.

The end of Windows 10 support is the beginning of new risks

The end of Windows 10 support creates exposures that cannot be ignored. Even though Windows 10 is not omnipresent in OT environments, it is ubiquitous enough that it serves as a good example of how to apply some of the best practices from the Purdue Model.

Migration to Windows 11 is like patching vulnerabilities. For IT environments, the solution is straightforward: migrate to Windows 11 as soon as possible or mitigate the risk with Windows Extended Security Updates.

However, just as patch management is a complex process in OT environments, migration to Windows 11 is likewise complicated by legacy hardware and custom applications.

The first step is to gain visibility into all assets to identify which devices are running Windows 10, any dependencies they have, and their impact on the business.

Once an organization inventories its OT environment, it can assess its hardware and software compatibility. Some systems will not support upgrades, and some upgrades may require lengthy recertification processes. These systems will need to be mitigated with compensating controls.

Organizations will also need to validate custom applications, which often have hardcoded dependencies without any documentation. Using isolated testbeds with backups ensures rapid rollback if issues are discovered.

Finally, organizations should plan staggered rollouts. Existing tools such as endpoint management can help phase migrations across business units, geographic locations or production cycles. Staggering these rollouts also minimizes the fallout of potential failures.

Of course, not every device will be able to support Windows 11. These systems require compensating controls: network segmentation, application whitelisting and continuous monitoring for behavioral anomalies.
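The triage that the preceding steps describe, written up as a small Python tool; this is an added example, not code from the article or from Armis. The inventory, host names, business units and the Windows 11 capability and recertification flags are constructed assumptions, and the wave ordering (Level 4 first, Level 2 last) is this example's own rule.

```python
from collections import defaultdict

# Constructed sample inventory with hypothetical hosts; not data from the article.
# win11_capable = hardware meets the Windows 11 requirements; recert_required =
# the vendor must recertify the application stack before the OS may change.
INVENTORY = [
    {"host": "hist-01",  "os": "Windows 10", "level": 3, "win11_capable": True,  "recert_required": False, "unit": "plant-a"},
    {"host": "hmi-07",   "os": "Windows 10", "level": 2, "win11_capable": False, "recert_required": True,  "unit": "plant-a"},
    {"host": "scada-02", "os": "Windows 10", "level": 2, "win11_capable": True,  "recert_required": True,  "unit": "plant-b"},
    {"host": "eng-nt",   "os": "Windows NT", "level": 3, "win11_capable": False, "recert_required": True,  "unit": "plant-b"},
    {"host": "erp-ws",   "os": "Windows 10", "level": 4, "win11_capable": True,  "recert_required": False, "unit": "corp"},
    {"host": "hist-02",  "os": "Windows 11", "level": 3, "win11_capable": True,  "recert_required": False, "unit": "plant-a"},
]

# Operating systems for which no vendor patches exist at all (the Windows NT case).
UNSUPPORTED = {"Windows NT", "Windows XP", "Windows 7"}

def disposition(asset):
    """Classify one asset: migrate, esu-bridge (ESU while recertification runs),
    compensate-only (segmentation, allow-listing, anomaly monitoring) or current."""
    if asset["os"] in UNSUPPORTED:
        return "compensate-only"   # nothing left to patch; only compensating controls remain
    if asset["os"] != "Windows 10":
        return "current"           # already on a supported OS, out of scope for this plan
    if not asset["win11_capable"]:
        return "compensate-only"   # hardware cannot take the upgrade
    if asset["recert_required"]:
        return "esu-bridge"        # keep patches flowing until the vendor recertifies
    return "migrate"

def plan_waves(inventory):
    """Group hosts that can migrate now into staggered waves by (level, unit).
    Assumption: higher Purdue levels sit farther from the physical process, so a
    failed wave there is easier to roll back than one touching Level 2 HMI/SCADA."""
    groups = defaultdict(list)
    for a in inventory:
        if disposition(a) == "migrate":
            groups[(a["level"], a["unit"])].append(a["host"])
    ordered = sorted(groups.items(), key=lambda kv: (-kv[0][0], kv[0][1]))
    return [(lvl, unit, sorted(hosts)) for (lvl, unit), hosts in ordered]

def exposure_by_level(inventory):
    """Count hosts that stay exposed (compensate-only) per Purdue level."""
    counts = defaultdict(int)
    for a in inventory:
        if disposition(a) == "compensate-only":
            counts[a["level"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print("waves:", plan_waves(INVENTORY), "exposed:", exposure_by_level(INVENTORY))
```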

While the end of support for Windows 10 is a soft deadline in OT security, it serves as a catalyst for examining lifecycle management for OT environments.

Visibility is not just the foundation of the Purdue Model; it is also the foundation for many common cybersecurity frameworks. Being able to gain visibility and control of all assets in real time enables preemptive protection against any exposure or threat.

About the Author

Carlos Buenaño

Carlos Buenaño is the chief technology officer for OT at Armis. With more than 30 years of experience in the control systems and telecommunications field, his history includes positions such as principal systems engineer, senior ICS cybersecurity consultant, solutions architect and technical account manager and principal solutions architect. The last five years of his career have been focused on operationalizing cybersecurity solutions on industrial networks.