
10 Things You Can Do to Enhance Security for Connected Legacy Systems

With increasing demands on OT/IT integration, data security is at the forefront of our concerns more than ever. In fact, according to an IDC survey, security is considered the top barrier to OT/IT integration. At the same time, it is also considered a top-five motivator, meaning enhanced OT security is one of the means to bring about successful OT/IT integration. However, when integrating OT and IT systems from traditionally closed to open data systems, unwanted access may be given to an organization’s private operation data.

“If we look closer to why security is the largest barrier, we will find that in the OT environment one of the top security concerns is maintaining legacy systems safely and reliably,” said Helen Chiang, general manager at IDC Taiwan, in the Security Talks Show. “On an OT site, you’ll find many legacy systems and applications. They are not only isolated but also agentless, meaning the asset has limited resources to run the security solution that we usually execute in an IT environment.”

To connect unconnected legacy systems, several steps can be taken to enhance connectivity security and reduce security concerns for your OT/IT integration projects.
# 1: Change default passwords for your networking devices
Because your legacy systems are connected through networking devices, the first thing you can do to enhance connectivity security is to replace default passwords. The security strength of default passwords is usually low and easy to find in a public user manual. Don’t take this risk when you can easily prevent it.
# 2: Disable unused yet connected ports and services
When you deploy a networking device, some unused ports or unnecessary services may open the door to cyberthreats in your application. You can disable these ports and services to block the available paths to unwanted access.
# 3: Verify firmware source before update
When your networking devices require firmware update, make sure you have a mechanism to verify the firmware source. Checking the CRC code is one way to ensure the firmware you are about to use comes from the original source. Another way to verify the firmware source is through secure boot design. It’s a feature that ensures the integrity of firmware running on your platform.
# 4: Use secure communication protocols
It’s important to use a secure protocol (i.e., TLS 1.2 support in HTTPS and SNMPv3) for your connected legacy systems. It can reduce the chances of unwanted access while you are managing networking devices, and it can enhance data integrity while you are transmitting data. Also, when you deploy your networking devices, disable unsecure protocols to minimize the chances of a manual error.
# 5: Only allow authorized users to access your devices and network
Prioritize your critical assets and validate network segmentation. Then, you will have a clearer picture about what authority can be granted to what specific segment. Furthermore, deploy trust-listing such as listing only permitted IP addresses to keep unwanted access out of your legacy systems. Other advanced functions are also available to limit unwanted access. For example, you can define a specific protocol format or command that can access your devices and network.
# 6: Encrypt critical data before transmissions
In OT environments, critical data leakage can cause operation downtime, thus impacting operational efficiency. For connected legacy systems, you can encrypt critical data during transmissions to enhance your data confidentiality and reduce the chances of negatively impacting your daily operation.
# 7: Constantly monitor if your networking devices are at your desired security level
When you get your legacy systems connected, you should define the security measures based on your application’s demands so that you can easily monitor and manage your networking devices. When the system networks are up and running, constantly monitor whether the security status of your devices meets the requirements you defined from the onset.
# 8: Periodically scan vulnerabilities for potential threats
It’s essential to know what potential threats your legacy systems are facing. Scheduling a vulnerability scan periodically gives you a better idea of the security status of the overall system, helping you to take necessary actions when needed.
# 9: Perform security patches for your networking devices to reduce vulnerabilities
We all know that security patching is important. However, it is not always so easy in field sites. From a business perspective, it can lead to tremendous costs when you pause operations to test and perform patches. On the other hand, risks and costs are also involved when you are doing nothing about it. A more sustainable approach is finding a balance midway by performing acceptable batches of security patching for critical field systems
# 10: Use virtual patching for known vulnerability of your legacy systems
In certain situations, security patching is not always an option. Furthermore, some legacy systems are not able to perform patching. For these type of situations, virtual patching is an efficient alternative. You can deploy the virtual patch in the network connected to your legacy systems to eliminate known vulnerabilities and protect the devices against certain exploits. Virtual patching is also a good way to reserve a buffer time while the system is waiting for the next maintenance period to get patched.
Take the above 10 tips into consideration when connecting your legacy systems—it can help you enhance connectivity security and minimize security threats to your legacy systems. Moxa provides a comprehensive security product portfolio for your edge connectivity security. Visit our website to learn more.
Looking for secure hardened edge connectivity solutions, visit here.
Looking for Industrial IPS solutions, visit here.
Nyheter från Cat AB
Nya CANopen gateways perfekta för mikronät
NYHET! Moxas nya CANopen Gateways är perfekta för systemintegratörer och nätägare som arbetar med att förbättra och bygga mikronät, de på engelska kallade "power microgrids". Låt oss presentera MGate 5123.Lilla biblioteket
I lilla biblioteket har vi börjat samla artiklar och publikationer som vi på Cat tycker är intressanta. Kom gärna med tips och idéerÖppettider i sommar
Har Cat AB öppet i sommar? Javisst har vi öppet, om än med begränsad bemanning, speciellt under veckorna 29, 30 och 31.Här är W4, en uppgraderad NPort Wireless
Uppgraderad modell, anslut dina seriella enheter –såsom exempelvis PLC:er, mätare och sensorer– till ett trådlöst LAN. Ha koll på var de är och hur de mår samtidigt som du kan lägga till en del nya säkerhetsfunktioner såsom Secure Boot.Moxa Europe GmbH meddelar att EAC-certifikaten dras in
MEDDELANDE FRÅN VÅR LEVERANTÖR Då vi inte gör affärer med ryska företag och har ombetts, och själva valt, att inte... Läs mer »Liten, pålitlig, snabb och ändå anpassad för industriers krav
Go Beyond the Limits With the EDS-2000/G2000-EL Series Industrial Unmanaged Switches, Minimal Size, Maximal Durability!Öka hastigheten i dina nav med 3.2 hubbar
Moxas nya USB hubb är ett nav som kan skapa upp till 7 anslutningar och ge 5 Gbps på var port. Med extern strömförsörjning matar var port 900mA, industriklassad utrustning, läs mer om UPort 400A serien.Ny medarbetare
Välkommen Stefan Edlund, Business Development Manager på Cat AB!Senaste nyhetsbrevet från Cat AB
Nyheter och tips från Cat AB, så heter vårt nyhetsbrev som kommer ut 1-2ggr/ månad med någon extra utgåva när... Läs mer »NAT-102 Moxas nya adressöversättare med brandvägg
NYHET! NAT-102, Moxas industriella adressöversättare med brandvägg kan hjälpa er att få tillgång till fler IP-adresser via privat adressering, men de kan även användas för att skapa lika interna nätverk eller för att öka datasäkerheten.