Five ways to protect critical infrastructure ops that run on legacy IT

COMMENTARY: The term “legacy IT” might evoke an image of dusty servers and obsolete software quietly churning away in the corner of a data center. But in reality, these systems often sit at the heart of critical operations for hospitals, banks, manufacturing plants, and many government agencies.

The problem? They’ve become a hacker’s dream.

Legacy systems are the Achilles’ heel of modern cybersecurity strategies. They operate on borrowed time, often running outdated software and hardware long past their intended life span. Despite this, businesses across sectors continue to rely on them, sometimes by necessity, but often out of reluctance to invest in replacements. Unfortunately, this approach proves costly as attackers increasingly exploit the known vulnerabilities inherent in these outdated systems.

The wake-up calls we can’t ignore

In the last year alone, there have been stark reminders of the risks unpatched legacy systems pose. Consider the case of Royal Mail, the UK’s postal service, which suffered a major ransomware attack in early 2023. The attackers exploited an unpatched vulnerability in legacy IT systems, halting international deliveries for weeks. The financial and reputational impact of the breach was significant, but it wasn’t a standalone incident.

The healthcare sector has been particularly hard-hit. A breach in 2023 involving a major U.S. hospital chain exposed how outdated medical devices, running on unsupported operating systems, were exploited to gain access to sensitive patient data. These medical devices, such as imaging and diagnostic systems, often cannot be patched because of regulatory restrictions or compatibility concerns. The result? A treasure trove of vulnerabilities ripe for exploitation.

Meanwhile, the critical infrastructure sector has seen its share of alarm bells. In mid-2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory warning operators of industrial control systems (ICS) about vulnerabilities in legacy equipment used in energy and water utilities. The potential for cascading disruptions to essential services underscored how central outdated systems remain to many operations, and the risks they carry.

Why we keep kicking the can down the road

Why do so many organizations let these vulnerabilities persist? The answers aren’t always about negligence or complacency. There are genuine challenges to addressing the problem. They include the following:

The stakes get higher

This isn’t just a theoretical discussion. The threats to legacy systems are real, growing, and increasingly costly.

The ransomware group LockBit has made waves in the past year by targeting organizations running outdated software, knowing that these entities are less likely to have robust defenses or quick recovery mechanisms. Their strategy is simple: exploit known vulnerabilities in legacy systems, encrypt critical data, and demand exorbitant ransoms. For businesses caught off-guard, the choice often boils down to paying up or losing everything.

It’s not just ransomware. State-sponsored actors are also in the mix. A recent report from Microsoft’s Threat Intelligence Center highlighted how a Chinese APT group leveraged vulnerabilities in outdated servers to conduct espionage campaigns targeting Western defense contractors. The reliance on legacy systems by some of these contractors left gaping holes in their networks, allowing attackers to siphon sensitive data undetected for months.

The hard truth: legacy systems aren’t going anywhere overnight. But that doesn’t mean organizations can afford to stay passive. There are actionable steps that, while not perfect, can significantly reduce the risks:

Organizations aren’t the only ones at fault here. Vendors that design critical systems without long-term security considerations bear some responsibility. The medical devices compromised in recent attacks often cannot get patched because the vendors designed them to rely on fixed configurations. Regulators and industry groups need to push vendors to adopt better practices, including built-in update mechanisms and longer-term support commitments.

Governments can also play a role. Incentives, whether in the form of grants, tax breaks, or subsidies, could help organizations in resource-constrained sectors afford the costs of upgrading legacy systems. Public-private partnerships, such as those championed by CISA in the U.S., can also drive awareness and collaboration to address systemic vulnerabilities.

We live in an era where cybersecurity threats are relentless, sophisticated, and often devastating. The persistence of legacy IT systems in critical operations has become more than just a technical debt issue: it’s a strategic vulnerability. For organizations, it’s a clear message: the cost of maintaining outdated systems far exceeds the investment needed to secure or replace them.

Recent incidents underscore the urgency of addressing the vulnerabilities in legacy IT systems. Attackers have demonstrated their ability to exploit these weaknesses effectively, causing significant operational, financial, and reputational harm. Businesses, vendors, and governments must move beyond incremental fixes and prioritize comprehensive strategies to mitigate these risks. Delaying action only increases the eventual cost, measured in monetary terms and also in the resilience and security of critical infrastructure and operations.

Callie Guenther, senior manager, cyber threat research, Critical Start

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

