Is a reliance on legacy systems exposing ICS to new risks?

Technology refresh and obsolescence are all part of the product lifecycle. In the design phase, assets are planned to be replaced at a determined point in time, often without much forethought about how that replacement will actually be carried out. The truth is that you can’t fully plan for that eventuality; it’s a future project and possibly someone else’s problem to solve.

Operational Technology (OT) installations have a longer life expectancy than those in the IT world, which brings additional challenges for maintenance, interoperability and security. While many OT vendors provide extended support for their hardware and software, the operating systems they run on may fall out of support, which creates a dilemma. Does end of support mean end of life?

We saw the effect that maintaining legacy systems has on security with the WannaCry outbreak in May 2017. Embedded devices such as MRI scanners were running Windows XP, an operating system which had been retired 3 years earlier, but the assets were still active and serviceable. This left them more susceptible to exploitation by the attack.

Looking 6 months ahead, on the 14th January 2020 Windows 7 and Server 2008 R2 will also become legacy operating systems, just like XP. If you’ve been unable to retire XP from your infrastructure by now, there is little chance you’ll have the time to replace Windows 7 and 2008 R2.

How do you identify your legacy assets?

We have previously discussed the importance of a security posture assessment (SPA) and how this is a powerful tool to identify your assets, risks and vulnerability exposure. An SPA provides a snapshot in time, with detailed threat and vulnerability information, along with prioritised security insights and recommended mitigation steps. Understanding where you need to focus your efforts is a strategic use of time and resources and will deliver you the largest return on investment.

Detecting the ongoing risk

Legacy systems will always be an easier target for adversaries to exploit. If replacement is not an option, or the timing simply does not work, the best approach is to monitor for changes, so you can investigate incidents and respond as required.

Claroty’s Continuous Threat Detection (CTD) is a solution designed for OT networks. It fully understands ICS network communications, protocols and behaviours, providing detailed, accurate and relevant information that is always up to date. CTD automatically discovers assets across the entire industrial network, including those nested in a PLC backplane.

This visibility goes far beyond simple asset identification, discovering details about each ICS asset and recognising OT commands over industrial protocols. Unlike IT monitoring solutions, CTD can differentiate between good, bad and out-of-character behaviours specific to your own OT environment using advanced machine learning.

Looking ahead

Claroty introduced some exciting features in CTD version 3.x, released in December 2018. These include:

  • Active Scanning – Precise, periodic queries of OT and IT assets. While CTD is still a passive solution, data enrichment components collect additional data from switches, PCs and PLCs using trusted and safe methods like SNMP, WMI and OT-specific queries that would be common in your OT environment.
  • AppDB – Where assets cannot be seen or are offline, PLC/RTU projects and other configuration files and binaries can be uploaded to enrich your asset inventory.
  • Virtual Zones – CTD automatically creates virtual network segments and a network map to accelerate physical segmentation projects and interfaces into 3rd party security products.

By linking CTD into a wider technology ecosystem (SIEM, endpoint protection, Cisco ISE and next generation firewalls), rules and actions can be activated or enforced to ensure your process operates as designed while blocking actions that may cause downtime.

Protecting the weak and vulnerable

Claroty CTD constantly monitors your network, identifying assets and matching known behaviours, actions and operational settings that have been learnt over time. Having a deep understanding of your processes creates a high-fidelity baseline of your operation. When the balance shifts to unknown, anomalous or known threat actions, these deviations can be turned into actions.

Extreme visibility provides an operational data baseline, and machine learning provides the intelligence to highlight or make decisions based on risky actions against the industrial process. If anomalous activity is detected, automatic rules can be activated to ensure that ‘known good behaviour’ is always permitted to take place between trusted assets while creating a new rule set to block or limit the source of the threat, effectively preventing the disruption of critical operations.
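The baseline-and-deviation approach described here, combined with the legacy-asset identification discussed above, reduced to a small worked example. This is added illustration code, not Claroty’s or SolutionsPT’s own, and the hosts, flows and inventory are constructed; the end-of-support dates are the ones the article cites for Windows 7 / Server 2008 R2 and the vendor’s published date for XP.

```python
from datetime import date

# End-of-support dates: Windows 7 / 2008 R2 as cited in the article, XP as published by the vendor.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed asset inventory: hypothetical hosts and the OS each runs.
ASSETS = {
    "10.0.1.10": "Windows XP",
    "10.0.1.11": "Windows 7",
    "10.0.1.20": "Windows 10",
    "10.0.2.5": "PLC firmware",
}

def is_legacy(os_name, today=None):
    """True when the OS is past its published end-of-support date (defaults to today)."""
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and (today or date.today()) >= eos

def learn_baseline(flows):
    """Baseline = set of (src, dst, protocol, operation) tuples seen during the learning period."""
    return {(f["src"], f["dst"], f["proto"], f["op"]) for f in flows}

def detect(flows, baseline, today=None):
    """Alert on flows absent from the baseline; raise severity when a legacy host is involved."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["op"])
        if key in baseline:
            continue  # known good behaviour between trusted assets stays permitted
        legacy = any(is_legacy(ASSETS.get(h, ""), today) for h in (f["src"], f["dst"]))
        alerts.append({"flow": key, "severity": "high" if legacy else "medium"})
    return alerts

# Constructed learning-period traffic: routine HMI reads from the PLC.
LEARNING = [
    {"src": "10.0.1.11", "dst": "10.0.2.5", "proto": "modbus", "op": "read_holding_registers"},
    {"src": "10.0.1.20", "dst": "10.0.2.5", "proto": "modbus", "op": "read_holding_registers"},
]
# Constructed later traffic: one routine read, plus a write from the XP host never seen before.
LATER = [
    {"src": "10.0.1.11", "dst": "10.0.2.5", "proto": "modbus", "op": "read_holding_registers"},
    {"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "modbus", "op": "write_single_register"},
]
```

Running `detect(LATER, learn_baseline(LEARNING))` yields a single high-severity alert for the unseen write from the Windows XP host, while the routine read stays silent.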

SolutionsPT have over 30 years’ combined Industrial IT experience with in-depth knowledge of OT architectures. We take a long-term management view to ensure assets are sufficiently protected throughout their full lifecycle. We look to bridge the gap between end of support and end of life, using tried and tested monitoring and security products that provide early warnings and protection whatever the age of the asset.

If you would like to take a closer look at the Claroty platform, why not take a look at my 3 minutes of Claroty video or get in touch for a full demonstration.