10 Things You Can Do to Enhance Security for Connected Legacy Systems
With increasing demands on OT/IT integration, data security is at the forefront of our concerns more than ever. In fact, according to an IDC survey, security is considered the top barrier to OT/IT integration. At the same time, it is also considered a top-five motivator, meaning enhanced OT security is one of the means to bring about successful OT/IT integration. However, when integrating OT and IT systems from traditionally closed to open data systems, unwanted access may be given to an organization’s private operation data.
“If we look closer to why security is the largest barrier, we will find that in the OT environment one of the top security concerns is maintaining legacy systems safely and reliably,” said Helen Chiang, general manager at IDC Taiwan, in the Security Talks Show. “On an OT site, you’ll find many legacy systems and applications. They are not only isolated but also agentless, meaning the asset has limited resources to run the security solution that we usually execute in an IT environment.”
To connect unconnected legacy systems, several steps can be taken to enhance connectivity security and reduce security concerns for your OT/IT integration projects.
# 1: Change default passwords for your networking devices
Because your legacy systems are connected through networking devices, the first thing you can do to enhance connectivity security is to replace default passwords. The security strength of default passwords is usually low and easy to find in a public user manual. Don’t take this risk when you can easily prevent it.
# 2: Disable unused yet connected ports and services
When you deploy a networking device, some unused ports or unnecessary services may open the door to cyberthreats in your application. You can disable these ports and services to block the available paths to unwanted access.
# 3: Verify firmware source before update
When your networking devices require firmware update, make sure you have a mechanism to verify the firmware source. Checking the CRC code is one way to ensure the firmware you are about to use comes from the original source. Another way to verify the firmware source is through secure boot design. It’s a feature that ensures the integrity of firmware running on your platform.
# 4: Use secure communication protocols
It’s important to use a secure protocol (i.e., TLS 1.2 support in HTTPS and SNMPv3) for your connected legacy systems. It can reduce the chances of unwanted access while you are managing networking devices, and it can enhance data integrity while you are transmitting data. Also, when you deploy your networking devices, disable unsecure protocols to minimize the chances of a manual error.
# 5: Only allow authorized users to access your devices and network
Prioritize your critical assets and validate network segmentation. Then, you will have a clearer picture about what authority can be granted to what specific segment. Furthermore, deploy trust-listing such as listing only permitted IP addresses to keep unwanted access out of your legacy systems. Other advanced functions are also available to limit unwanted access. For example, you can define a specific protocol format or command that can access your devices and network.
# 6: Encrypt critical data before transmissions
In OT environments, critical data leakage can cause operation downtime, thus impacting operational efficiency. For connected legacy systems, you can encrypt critical data during transmissions to enhance your data confidentiality and reduce the chances of negatively impacting your daily operation.
# 7: Constantly monitor if your networking devices are at your desired security level
When you get your legacy systems connected, you should define the security measures based on your application’s demands so that you can easily monitor and manage your networking devices. When the system networks are up and running, constantly monitor whether the security status of your devices meets the requirements you defined from the onset.
# 8: Periodically scan vulnerabilities for potential threats
It’s essential to know what potential threats your legacy systems are facing. Scheduling a vulnerability scan periodically gives you a better idea of the security status of the overall system, helping you to take necessary actions when needed.
# 9: Perform security patches for your networking devices to reduce vulnerabilities
We all know that security patching is important. However, it is not always so easy in field sites. From a business perspective, it can lead to tremendous costs when you pause operations to test and perform patches. On the other hand, risks and costs are also involved when you are doing nothing about it. A more sustainable approach is finding a balance midway by performing acceptable batches of security patching for critical field systems
# 10: Use virtual patching for known vulnerability of your legacy systems
In certain situations, security patching is not always an option. Furthermore, some legacy systems are not able to perform patching. For these type of situations, virtual patching is an efficient alternative. You can deploy the virtual patch in the network connected to your legacy systems to eliminate known vulnerabilities and protect the devices against certain exploits. Virtual patching is also a good way to reserve a buffer time while the system is waiting for the next maintenance period to get patched.
Take the above 10 tips into consideration when connecting your legacy systems—it can help you enhance connectivity security and minimize security threats to your legacy systems. Moxa provides a comprehensive security product portfolio for your edge connectivity security. Visit our website to learn more.
Looking for secure hardened edge connectivity solutions, visit here.
Looking for Industrial IPS solutions, visit here.
Nyheter från Cat AB
Tekniska problem med underkategorier
Tekniska problem med underkategorier på vår sajt. Efter ett serverbyte med uppdateringar så går det inte att nå vissa underkategorier,... Läs mer »Liten, pålitlig, snabb och ändå anpassad för industriers krav
Go Beyond the Limits With the EDS-2000/G2000-EL Series Industrial Unmanaged Switches, Minimal Size, Maximal Durability!Nästa Gen. USB till serieportar= Moxas UPort G2
UPort -G2 är Moxas nya USB till RS232/422/485 serieporthub och den är mindre, drar mindre ström och kan ändå hantera USB 3.2 om ni så behöver.Använd beprövad automationsutrustning i BESS
Moxa har beprövad utrustning för automationslösningar vilka med fördel kan användas för uppkoppling, drift och underhåll av batterilagersystem.- Läs merBättre nätverkskommunikation mellan sensorer och styrsystem
Moxas nya UC-2000A serier ger möjligheter att skapa bättre kommunikation i nätverken mellan sensorer och styrsystem. Datorerna har både LAN, WAN, ,serieportar och USB 2. Det går att montera in en modul för Wi-Fi och LTE uppkoppling.Pålitlig leverantör för transport av seriell data
Moxas fortsätter utveckla industrianpassade lösningar för att ansluta utrustning med seriell data. Behöver ni förbättra den operativa effektiviteten, säkerställa tillgängligheten eller matcha de framtida kraven på OT/IT-konvergens?35 års erfarenhet inom seriekommunikation!
Moxa är er pålitliga partner för anslutning av seriella enheter tillförlitlighet sedan 1987, det är en 35 årig meritlista som... Läs mer »Nya CANopen gateways perfekta för mikronät
Moxas CANopen Gateways är perfekta för systemintegratörer och nätägare som arbetar med att förbättra och bygga mikronät, de på engelska kallade "power microgrids". Låt oss presentera MGate 5123.Lilla biblioteket
I lilla biblioteket har vi börjat samla artiklar och publikationer som vi på Cat tycker är intressanta. Kom gärna med tips och idéerHär är W4, en uppgraderad NPort Wireless
Uppgraderad modell, anslut dina seriella enheter –såsom exempelvis PLC:er, mätare och sensorer– till ett trådlöst LAN. Ha koll på var de är och hur de mår samtidigt som du kan lägga till en del nya säkerhetsfunktioner såsom Secure Boot.