Moxa Inc.
Apr 20, 2021

10 Things You Can Do to Enhance Security for Connected Legacy Systems

With increasing demands on OT/IT integration, data security is at the forefront of our concerns more than ever. In fact, according to an IDC survey, security is considered the top barrier to OT/IT integration. At the same time, it is also considered a top-five motivator, meaning enhanced OT security is one of the means to bring about successful OT/IT integration. However, when integrating OT and IT systems from traditionally closed to open data systems, unwanted access may be given to an organization’s private operation data.

Top barrier and motivators to IT/OT integration, by IDC in a report, Aug. 2020

“If we look closer to why security is the largest barrier, we will find that in the OT environment one of the top security concerns is maintaining legacy systems safely and reliably,” said Helen Chiang, general manager at IDC Taiwan, in the Security Talks Show. “On an OT site, you’ll find many legacy systems and applications. They are not only isolated but also agentless, meaning the asset has limited resources to run the security solution that we usually execute in an IT environment.”

Top 5 security concerns in OT environments according to IDC, Aug. 2020

To connect unconnected legacy systems, several steps can be taken to enhance connectivity security and reduce security concerns for your OT/IT integration projects.

# 1: Change default passwords for your networking devices

Because your legacy systems are connected through networking devices, the first thing you can do to enhance connectivity security is to replace default passwords. Default passwords are usually weak and easy to find in public user manuals. Don’t take this risk when you can easily prevent it.

# 2: Disable unused yet connected ports and services

When you deploy a networking device, some unused ports or unnecessary services may open the door to cyberthreats in your application. You can disable these ports and services to block the available paths to unwanted access.

# 3: Verify firmware source before update

When your networking devices require a firmware update, make sure you have a mechanism to verify the firmware source. Checking the CRC code is one way to ensure the firmware you are about to use comes from the original source. Another way to verify the firmware source is through secure boot design. It’s a feature that ensures the integrity of firmware running on your platform.
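A pre-install check along these lines, as an added example (not Moxa's code or tooling). A CRC catches corruption in transit; comparing a SHA-256 digest against a value obtained from the vendor over a trusted channel gives stronger assurance about the source. The image bytes and published values below are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import zlib

CHUNK = 64 * 1024  # read in blocks so large images need not fit in memory


def digest_stream(stream):
    """Return (crc32_hex, sha256_hex) for a binary stream, read once."""
    crc = 0
    sha = hashlib.sha256()
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        crc = zlib.crc32(block, crc)
        sha.update(block)
    return f"{crc & 0xFFFFFFFF:08x}", sha.hexdigest()


def verify_firmware(stream, published_crc32, published_sha256):
    """Compare an image against the values published for it.

    Returns a dict so the caller can log which check failed.
    """
    crc, sha = digest_stream(stream)
    result = {
        "crc32_ok": hmac.compare_digest(crc, published_crc32.lower()),
        "sha256_ok": hmac.compare_digest(sha, published_sha256.lower()),
    }
    # Install only when every published value matches.
    result["install"] = result["crc32_ok"] and result["sha256_ok"]
    return result


# Constructed sample: a stand-in "firmware image" and the values a download
# page would list for it (computed here only so the demo is self-contained).
GOOD_IMAGE = b"FWHDR" + bytes(range(256)) * 64
PUBLISHED_CRC32, PUBLISHED_SHA256 = digest_stream(io.BytesIO(GOOD_IMAGE))

# Same image with one byte altered, as after a damaged or modified download.
BAD_IMAGE = GOOD_IMAGE[:100] + b"\x00" + GOOD_IMAGE[101:]

if __name__ == "__main__":
    print(verify_firmware(io.BytesIO(GOOD_IMAGE), PUBLISHED_CRC32, PUBLISHED_SHA256))
    print(verify_firmware(io.BytesIO(BAD_IMAGE), PUBLISHED_CRC32, PUBLISHED_SHA256))
```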

# 4: Use secure communication protocols

It’s important to use a secure protocol (e.g., TLS 1.2 support in HTTPS, and SNMPv3) for your connected legacy systems. It can reduce the chances of unwanted access while you are managing networking devices, and it can enhance data integrity while you are transmitting data. Also, when you deploy your networking devices, disable insecure protocols to minimize the chances of a manual error.

# 5: Only allow authorized users to access your devices and network

Prioritize your critical assets and validate network segmentation. Then, you will have a clearer picture about what authority can be granted to what specific segment. Furthermore, deploy trust-listing such as listing only permitted IP addresses to keep unwanted access out of your legacy systems. Other advanced functions are also available to limit unwanted access. For example, you can define a specific protocol format or command that can access your devices and network.
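The two layers described above, a source trust list and a permitted-command list, shown as an added example (not Moxa's implementation). Modbus/TCP is assumed as the field protocol, and the subnets, function-code policy and frames are constructed for illustration.

```python
import ipaddress
import struct

# Assumed policy: one engineering subnet plus a single historian host.
PERMITTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.30.5.17/32")]
# Assumed policy: read-only Modbus function codes (3 = read holding registers,
# 4 = read input registers). Write codes such as 6 and 16 are not listed.
PERMITTED_FUNCTIONS = {3, 4}


def source_permitted(src_ip):
    """True when the source address falls inside a trust-listed network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in PERMITTED_SOURCES)


def parse_modbus_tcp(frame):
    """Return (unit_id, function_code) or raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return unit, frame[7]


def decide(src_ip, frame):
    """Default-deny decision: returns ('allow' | 'drop', reason)."""
    if not source_permitted(src_ip):
        return "drop", "source not on trust list"
    try:
        _unit, func = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if func not in PERMITTED_FUNCTIONS:
        return "drop", f"function code {func} not permitted"
    return "allow", f"function code {func}"


# Constructed frames, both addressed to unit 1: read 2 holding registers at
# address 0, and write the value 0x00FF to single register 1.
READ_REQ = bytes.fromhex("000100000006" "01" "03" "00000002")
WRITE_REQ = bytes.fromhex("000200000006" "01" "06" "000100ff")
```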

# 6: Encrypt critical data before transmissions

In OT environments, critical data leakage can cause operation downtime, thus impacting operational efficiency. For connected legacy systems, you can encrypt critical data during transmissions to enhance your data confidentiality and reduce the chances of negatively impacting your daily operation.

# 7: Constantly monitor if your networking devices are at your desired security level

When you get your legacy systems connected, you should define the security measures based on your application’s demands so that you can easily monitor and manage your networking devices. When the system networks are up and running, constantly monitor whether the security status of your devices meets the requirements you defined from the onset.
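One way to turn the defined requirements into a repeatable check, as an added example (not a Moxa tool). The baseline fields, device names and inventory snapshot are constructed; the checks mirror tips 1, 2 and 4 above.

```python
# Assumed baseline an operator might define at deployment time.
BASELINE = {
    "default_password_changed": True,
    "allowed_services": {"https", "snmpv3"},
    "min_tls_version": (1, 2),
}


def audit_device(state, baseline=BASELINE):
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []
    if state.get("default_password_changed") != baseline["default_password_changed"]:
        findings.append("default password still in use")
    # Anything enabled that the baseline does not list is drift (tip 2).
    extra = set(state.get("enabled_services", ())) - baseline["allowed_services"]
    for svc in sorted(extra):
        findings.append(f"service not in baseline: {svc}")
    tls = state.get("min_tls_version")
    if tls is None:
        findings.append("minimum TLS version not reported")
    elif tuple(tls) < baseline["min_tls_version"]:
        findings.append(f"minimum TLS version below baseline: {tuple(tls)}")
    return findings


def audit_fleet(inventory):
    """Map device name -> findings, listing only devices that drifted."""
    report = {}
    for name, state in inventory.items():
        findings = audit_device(state)
        if findings:
            report[name] = findings
    return report


# Constructed inventory snapshot, as might be collected from device management.
INVENTORY = {
    "gateway-a": {"default_password_changed": True,
                  "enabled_services": ["https", "snmpv3"],
                  "min_tls_version": (1, 2)},
    "switch-b": {"default_password_changed": False,
                 "enabled_services": ["https", "telnet", "snmpv1"],
                 "min_tls_version": (1, 0)},
    "converter-c": {"default_password_changed": True,
                    "enabled_services": ["https", "http"]},
}

if __name__ == "__main__":
    for device, issues in audit_fleet(INVENTORY).items():
        print(device, issues)
```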

# 8: Periodically scan vulnerabilities for potential threats

It’s essential to know what potential threats your legacy systems are facing. Scheduling a vulnerability scan periodically gives you a better idea of the security status of the overall system, helping you to take necessary actions when needed.

# 9: Perform security patches for your networking devices to reduce vulnerabilities

We all know that security patching is important. However, it is not always so easy in field sites. From a business perspective, it can lead to tremendous costs when you pause operations to test and perform patches. On the other hand, risks and costs are also involved when you are doing nothing about it. A more sustainable approach is finding a balance midway by performing acceptable batches of security patching for critical field systems.

# 10: Use virtual patching for known vulnerability of your legacy systems

In certain situations, security patching is not always an option. Furthermore, some legacy systems are not able to perform patching. For these types of situations, virtual patching is an efficient alternative. You can deploy the virtual patch in the network connected to your legacy systems to eliminate known vulnerabilities and protect the devices against certain exploits. Virtual patching is also a good way to reserve a buffer time while the system is waiting for the next maintenance period to get patched.

Take the above 10 tips into consideration when connecting your legacy systems; doing so can help you enhance connectivity security and minimize security threats to your legacy systems. Moxa provides a comprehensive security product portfolio for your edge connectivity security. Visit our website to learn more.
