With increasing demand to integrate Operational Technology and Information Technology (OT/IT), data security is at the forefront of concerns. In fact, according to an IDC survey, security is regarded as the number one barrier to OT/IT integration today.
When integrating OT and IT systems from traditionally closed to open data systems, problems arise when unwanted access is given to an organization’s private operation data.
To safely integrate unconnected legacy systems, apply these 10 tips to reduce network security concerns.
Tip 1: Change Default Passwords for Networking Devices
Because legacy systems are connected through networking devices, the first thing to do is replace default passwords. The security strength of default passwords is usually low and easy to find in a public user manual. Don’t take this risk when you can easily prevent it.
Tip 2: Disable Unused Yet Connected Ports and Services
When deploying a networking device, some unused ports or unnecessary services may open the door to cyberthreats in an application. Disable these ports and services to block the available paths to unwanted access.
Tip 3: Verify Firmware Source Before Update
When networking devices require a firmware update, make sure there is a mechanism to verify the firmware source. Checking the CRC code is one way to ensure the firmware comes from the original source.
Another way to verify the firmware source is through a secure boot design. It’s a feature that ensures the integrity of firmware running on a platform.
Tip 4: Use Secure Communication Protocols
It’s important to use a secure protocol (i.e., TLS 1.2 support in HTTPS and SNMPv3) for connected legacy systems. It can reduce the chances of unwanted access while managing networking devices, and it can enhance data integrity while transmitting data. Also, when deploying networking devices, disable unsecure protocols to minimize the chances of a manual error.
Tip 5: Only Allow Authorized Users to Access Devices and Network
Prioritize critical assets and validate network segmentation so there is a clearer picture of what authority can be granted to what specific segment.
Furthermore, deploy trust-listing, such as listing only permitted IP addresses, to keep unwanted access out of legacy systems.
Other advanced functions are also available to limit unwanted access. For example, define a specific protocol format or command that can access devices and networks.
Tip 6: Encrypt Critical Data Before Transmissions
In OT environments, critical data leakage can cause operation downtime, thus impacting operational efficiency. For connected legacy systems, encrypt critical data during transmissions to enhance data confidentiality and reduce the chances of negatively impacting daily operations.
Tip 7: Constantly Monitor if Networking Devices Are at the Desired Security Level
When the legacy systems are connected, define the security measures based on the application’s demands so that networking devices can easily be monitored and managed. When the system networks are up and running, constantly monitor whether the security status of devices meets the requirements defined from the onset.
Tip 8: Periodically Scan Vulnerabilities for Potential Threats
It’s essential to know what potential threats legacy systems are facing. Scheduling a vulnerability scan periodically gives a better idea of the security status of the overall system, helping users take necessary actions when needed.
Tip 9: Perform Security Patches for Networking Devices To Reduce Vulnerabilities
We all know that security patching is important. However, it's not always easy in field sites. From a business perspective, it can lead to tremendous costs when operations are paused to test and perform patches.
On the other hand, risks and costs are also involved by doing nothing about it. A more sustainable approach is finding a balance midway by performing acceptable batches of security patching for critical field systems.
Tip 10: Use Virtual Patching for Known Vulnerability of Legacy Systems
In certain situations, security patching is not an option. Furthermore, some legacy systems are not able to perform patching. For these types of situations, virtual patching is an efficient alternative.
Deploy the virtual patch in the network connected to legacy systems to eliminate known vulnerabilities and protect the devices against certain exploits. Virtual patching is also a good way to reserve a buffer time while the system is waiting for the next maintenance period to get patched.