Legacy Systems and Modern Threats in OT Environments

Training materials almost always assume you’re working in a modern OT environment where everything’s patchable and the engineering workstations are running current operating systems. The dream scenario, where the protocols have authentication built in and the network equipment supports segmentation that actually means something, is rare.
The reality is that not every vendor issues security updates for the products you have in service. In a typical manufacturing or utility environment, a practitioner will find PLCs installed in the 1990s, HMIs running on Windows XP or Windows 7, proprietary protocols that predate the concept of an intrusion detection system, and network gear that was state of the art when the plant was commissioned and has not been replaced since.
This is not negligence. It is the outcome of economic efficiency and of protecting uptime. A PLC that has run reliably for twenty years is an asset, not a liability, from an operations perspective. Replacing it means downtime, revalidation, and risk to a proven process that is currently working. So leaving it in place is often justified as the rational decision.
The problem is that cybersecurity education almost never engages with this reality. Curricula describe how to patch systems, how to apply CIS benchmarks, how to enforce strong authentication, and how to monitor with modern EDR.
Most of those techniques are inapplicable or actively dangerous on equipment that was never designed to support them. A defender who has only been taught the modern playbook will arrive at a real plant and find that most of their tools do not work.
What NotPetya exposed
The June 2017 NotPetya attack is the clearest demonstration of what happens when legacy systems meet modern malware. NotPetya used the EternalBlue exploit, the same one used in WannaCry a month earlier, to propagate through Windows networks via the SMB protocol. The exploit targeted a vulnerability Microsoft had patched in March. Any organization running fully patched Windows systems was not affected by that propagation mechanism. The problem is that most OT environments were not running fully patched Windows systems, and many still are not.
Maersk lost roughly 49,000 endpoints and 4,000 servers. The company had to rebuild its entire global IT environment in ten days, and the recovery was possible only because an unrelated power outage in Ghana had left one domain controller offline during the attack. That domain controller, by chance, was the only clean copy of Active Directory the company could find. Merck lost approximately $870 million. FedEx’s TNT Express subsidiary lost approximately $400 million. Total global damages exceeded $10 billion. Most of those losses were in IT systems, but the OT impact was significant wherever operational equipment depended on IT infrastructure for scheduling, logistics, or supervisory control.
The important detail for OT practitioners is that NotPetya did not need to target control systems to disrupt operations. It simply encrypted the IT substrate that operations depended on. Plants that had claimed to be air-gapped discovered that their historians, engineering workstations, or scheduling systems had a Windows share open to the corporate network, and that one share was enough to take the operation offline.
What legacy education should actually cover
The core techniques for defending legacy OT are not the same as the techniques for defending modern IT. They tend to be more architectural and less technical. Compensating controls matter more than patching, because patching is often impossible.
Network segmentation and strict traffic filtering matter more than endpoint protection, because endpoint protection cannot be installed on the endpoints. Asset inventory matters more than vulnerability scanning, because scanning a twenty-year-old PLC can crash it. Manual procedures and trained operators matter more than automated response, because automated response tools rarely understand the process context.
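As an added example (not code from this post or from CyberEd.io), the Python below shows two of the compensating controls discussed here: it builds an asset inventory passively from observed traffic, so no packet is ever sent to a fragile PLC, and it flags SMB (tcp/445) crossing the IT/OT boundary, the path described in the NotPetya section above. The zone ranges, port-to-role mapping and flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, protocol), in the shape a
# passive monitor on a SPAN port might log them. All addresses are made up.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.50", 502, "modbus"),     # HMI polling a PLC
    ("10.20.1.15", "10.20.1.51", 44818, "enip"),     # HMI polling a second PLC
    ("10.20.1.60", "10.20.1.50", 502, "modbus"),     # engineering workstation to PLC
    ("192.168.5.23", "10.20.1.60", 445, "smb"),      # corporate host reaching an OT share
    ("10.20.1.60", "192.168.5.9", 445, "smb"),       # OT workstation reaching a corporate share
    ("10.20.1.15", "10.20.1.16", 445, "smb"),        # SMB that stays inside the OT zone
]

# Assumed zone layout for the example plant.
OT_ZONE = ipaddress.ip_network("10.20.1.0/24")
CORP_ZONE = ipaddress.ip_network("192.168.5.0/24")

# Assumed mapping from well-known destination port to a role hint for the inventory.
ROLE_HINTS = {502: "modbus-server", 44818: "enip-server", 445: "smb-server"}


def zone_of(host):
    ip = ipaddress.ip_address(host)
    return "OT" if ip in OT_ZONE else "CORP" if ip in CORP_ZONE else "UNKNOWN"


def passive_inventory(flows):
    """Build an asset inventory purely from observed flows; nothing is probed."""
    inv = defaultdict(lambda: {"zone": None, "roles": set(), "talks_to": set()})
    for src, dst, port, proto in flows:
        for host in (src, dst):
            inv[host]["zone"] = zone_of(host)
        inv[dst]["roles"].add(ROLE_HINTS.get(port, f"tcp/{port}-server"))
        inv[src]["roles"].add(f"{proto}-client")
        inv[src]["talks_to"].add(dst)
    return dict(inv)


def cross_zone_smb(flows):
    """Return (src, dst) pairs where SMB crosses the IT/OT boundary in either direction."""
    findings = []
    for src, dst, port, _proto in flows:
        if port == 445 and (zone_of(src) == "OT") != (zone_of(dst) == "OT"):
            findings.append((src, dst))
    return findings


if __name__ == "__main__":
    for host, info in sorted(passive_inventory(SAMPLE_FLOWS).items()):
        print(host, info["zone"], sorted(info["roles"]))
    print("cross-zone SMB:", cross_zone_smb(SAMPLE_FLOWS))
```

Cross-zone SMB hits are the candidates for a firewall deny rule or for moving the share, which is the kind of change operations can approve without touching the PLCs themselves.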
A practitioner who understands this can walk into a plant with XP-era HMIs and design a defensible architecture around them. A practitioner who has only been trained on modern tools will often recommend upgrades that the business cannot afford and will not approve, and will leave the plant no better defended than it was before the assessment.
Training built for the plants that actually exist
This is where CyberEd.io diverges from most OT cybersecurity programs. Our ICS/OT courses are built around the environments practitioners actually inherit, with case-study instruction and simulation exercises that include the XP-era HMI, the unpatchable PLC, and the proprietary protocol with no authentication. Learners work through scenarios modeled on NotPetya-style IT-to-OT cascade events, practicing the trade-off analysis between compensating controls and upgrade risk, and coming out with the judgment to recommend defensive changes that operations will actually approve.
Education that engages with legacy reality is harder to build, but it is the only kind of education that produces practitioners who can defend a plant as it is, rather than as the reference architecture wishes it were. The next post looks at one of the most common answers in the reference architecture, network segmentation, and why it so often fails to deliver the protection its diagrams promise.
Learn more about OT security programs with CyberEd.io today.
References: Wired, The Untold Story of NotPetya (Andy Greenberg, 2018); CISA, Petya Ransomware Alert TA17-181A; Merck 10-K filing (2017); Maersk interim financial report (Q2 2017); Mondelez v. Zurich litigation filings.
