Securing Legacy Control Systems

This is a guest article written by Ben Daniels of Nutmeg Technologies. The author’s views are entirely his own and may not reflect the views of IT Governance.

IT security threats have dominated industry news over the past few years. It seems like every month there is a new data breach or a major company finds out its systems were compromised. However, one area that doesn’t get as much publicity is legacy control systems. This is a security concern specific to the manufacturing sector, and if you are running outdated control systems and manufacturing equipment, this issue should be on your list of items to address.

According to a study by MAPI and Deloitte, manufacturing businesses are far more likely to be the target of IP theft and corporate espionage, especially if they create niche or premier products. This means that security for IT and control systems should be a high priority to ensure that company secrets aren’t lost to competitors or the black market, where they can be purchased by people looking to create cheaper alternatives or knock-off goods.

The legacy risk

In an increasingly cost-conscious industry that relies more and more on automation, legacy systems are a reality that must be addressed. It can be a costly proposition for a company to either replace or heavily upgrade their legacy systems. In addition to cost, there is the consideration of downtime if the manufacturing floor is a 24/7 operation. When machines go down, it means products are not getting out to customers. However, it’s extremely important for businesses to understand the risks of not addressing their legacy systems, especially if they are connected to internal networks or the Internet.

Many of these systems were designed and installed before widespread adoption of the Internet, and the concept of IT and data security wasn’t even a consideration when they were engineered. This means they run proprietary or legacy operating systems and network drivers, and often on old versions of Windows, which is well known for having more exploits than any other family of operating systems.

You may be wondering “If it’s not connected to the Internet, what is there to worry about?” But the same 2014 study showed that, among manufacturers interviewed, their main concern and culprit of theft was employees. Employees have direct physical access to these systems and intimate knowledge of how they work. All it takes is attaching a USB key or transferring data to a disk to have a portable copy of proprietary designs or business processes.


It’s not all bad news. There are definitely solutions to the problem, but they may take some proactive strategizing and change management.

If a control system or HMI is running an ancient (pre-1990s) OS that is either proprietary or non-Windows based, then the best solution is most likely to ensure it’s completely isolated. If it’s totally disconnected from any networks, then it can be physically secured (locks on the hardware and ports) to minimize the risk of employees capturing information from it.

If the controller is operating on a Windows-based OS, which many started doing in the 1990s (usually Windows NT), then you’ve got a different set of issues. Not only should the device be physically secured, but you’ve got an operating system that has been LONG out of support. The best choice may be to ensure it has every update possible, and make sure to protect any information it passes on your internal network using private IP ranges and other protection measures. If you cannot secure the device, you can hopefully secure the channels it uses to communicate. If possible, these devices could also be disconnected and use some sort of physical medium (USB key, etc.) to transfer data internally, although this is the least elegant or efficient solution.

Another strategy would be to work with a VAR or a managed service provider to evaluate your system and write some custom code to rectify potential exploits or vulnerabilities. This is a costlier solution, but will likely be less than total replacement or upgrade of the equipment, and likely incur less down time. This particular solution would be easier to employ if the system is running on a Windows-based operating system simply because it’s the industry standard and there are likely more vendors and resources available for a task like this.


The products and processes at the heart of any manufacturing business come together out on the floor, so it only makes sense that the equipment driving that manufacturing floor needs to be protected from threats. If you are running legacy systems and controllers as part of your production workflow and supply chains, it’s critical you make the time to review potential security vulnerabilities and address them to the best extent possible.

Manufacturing organizations can benefit from implementing ISO 27001, which sets out the requirements for a risk-based ISMS (information security management system) that addresses data security across the enterprise and throughout the supply chain.

As well as improving your cybersecurity, the external validation offered by ISO 27001 certification is likely to increase your organization’s business efficiency while providing a higher level of confidence to customers and stakeholders.

IT Governance has been helping organizations of all sizes around the world implement ISO 27001 for well over a decade. Whatever you want to know, and whatever resources you need, we’re your single source for everything to do with ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy, and software to help you implement an ISMS.

Starting at just $482, our ISO 27001 Packaged Solutions combine all of these resources in fixed-price packages to suit all needs.

You can find more free information about ISO 27001 here >>