Legacy SCADA Security: Expert Strategies to Protect Vulnerable Systems from Cyber Threats

Industry experts from Emerson, Schneider Electric and Siemens Digital Industries reveal how manufacturers can assess vulnerabilities to protect aging SCADA systems from escalating cybersecurity threats.
Feb. 10, 2026

Key Highlights

  • Legacy SCADA systems lack encrypted communications, role-based access controls and modern security patches, making them highly susceptible to cyberattacks despite still being widely used. 
  • Network segmentation, passive monitoring tools and multi-factor authentication at the network layer provide effective compensating controls when immediate system upgrades aren't feasible. 
  • With manufacturing facing a 300+% increase in attacks since 2020, organizations should prioritize securing systems based on risk assessments that evaluate criticality, potential impact and exploitability.

Supervisory control and data acquisition (SCADA) systems emerged, as we would recognize them today, in the 1970s to monitor real-time data and control processes while storing data for analysis. Since then, they’ve become critical tools in automation and control applications across the discrete manufacturing and processing industries. 

SCADA systems were among the first digital tools for industrial control. Combining network communications, hardware and software considered state-of-the-art at that time, early SCADA systems significantly improved production efficiency — and many of these systems are still in use. Today, however, these legacy SCADA systems are highly susceptible to cybersecurity threats as they were not designed for the levels of internet connectivity now common in industry. 

To help manufacturers assess the security vulnerabilities in their existing SCADA systems and develop effective strategies to thwart security breaches, Automation World (AW) asked Alberto Rivi (AR), QA team leader at Emerson; Noel Henderson (NH), technical sales consultant for Schneider Electric; and Michael Metzler (MM), vice president horizontal management cybersecurity for Siemens Digital Industries to share their insights on this topic.

AW: What are the most common vulnerabilities encountered in legacy SCADA systems?

MM: Legacy SCADA systems face vulnerabilities from their original design for isolated environments. Prevalent issues include lack of encrypted communications, role-based access controls and comprehensive audit trails. Legacy systems also lack interfaces to modern IT security solutions and cannot receive regular security patches.

AR: Many organizations still rely on legacy SCADA systems due to high replacement costs, which exposes them to significant risks and vulnerabilities, like outdated software and operating systems, weak or default authentication mechanisms, insecure communication protocols, supply chain and vendor-related risks, and a lack of network segmentation. Despite these risks, many legacy SCADA setups still connect to corporate IT networks or the internet for remote monitoring, creating lateral movement paths for malware.

NH: Legacy SCADA systems are a challenge because security technologies change quickly. Systems running versions of unsupported software are problematic. If security updates are no longer available, vulnerabilities are inevitable. 

AW: How can organizations assess the security posture of a legacy SCADA system that can't be immediately upgraded?

MM: Organizations should begin with risk analysis that provides transparency on current security status and identifies gaps. Security assessments define steps needed to align with IEC 62443 or NIST directives, while scanning services detect vulnerabilities against defined security levels. 

NH: Start with an inventory. It’s not uncommon for these SCADA systems to have been implemented 10 to 15 years ago. Over that time, management teams changed, additional elements have been added, and people may have been granted access who no longer need it. Knowing where data is and who has access to it is fundamental to a security posture.

AR: To assess the security status of legacy SCADA systems, organizations can adopt two effective, low-risk approaches. One, passive network discovery and mapping whereby teams start with non-intrusive tools such as passive OT network scanners to map assets, protocols and traffic flow without inserting probes. Second, engage certified third-party experts for gap analysis. Many organizations focus specifically on OT tasks and partner with an expert automation solutions provider to develop a cybersecure posture across OT and IT. Such a partner can perform a full assessment based on IEC 62443 certification.

AW: What network segmentation strategies work best for systems lacking integral security features?

NH: Isolating a legacy SCADA system to its subnet allows enterprises to maintain access for external parties. Adding a one-way data diode will keep others from writing to the system while allowing data transmissions upstream. Implementing TLS communications also ensures only parties with proper certificates have access to the isolated network.

MM: Network segmentation creates protective layers through a defense-in-depth strategy based on IEC 62443. A fundamental approach establishes dedicated OT networks separated from corporate IT through industrial firewalls with strict rules. Implementing perimeter networks between SCADA networks and external connections provides additional protection. This allows data from internal networks to be provided externally without granting direct access to automation networks. Single production cells should be segmented by firewalls with communication between cells controlled through VLANs. 

AR: No bolt-on solution or architecture is likely to adequately protect legacy systems against a determined attacker. However, as organizations transition their systems to modern SCADA systems, they can lay the foundation for a properly segmented network by following some key strategies, like creating a buffered demilitarized zone between IT and OT for data sharing and using managed industrial switches with port-level ACLs (access control lists), private VLANs (virtual local area networks) or SDN (software defined network) overlays to subdivide the traditional flat OT network into small zones and segment it below the IP (internet protocol) layer, thereby grouping devices with similar risk levels.

AW: What are the most effective approaches for implementing multi-factor authentication when legacy systems don't natively support it?

MM: For legacy systems lacking native multi-factor authentication (MFA), organizations can implement authentication at the network access layer. For example, deploying routers and security appliances that support user-specific firewall rules linking access rights to specific users who can log on to web interfaces with credentials to temporarily unlock specific firewall rules matched to their access rights. This ensures clear records of who accessed the system and when. 

AW: What are key indicators of compromise that organizations should watch for?

AR: Unexpected protocol traffic or anomalous commands, unusual network connections and/or port scans, and failed logins or authentication anomalies. Check for unusual protocol queries and monitor logs to identify brute force attempts on default credentials or MFA bypasses via vendor backdoors.

MM: Changes to system configurations, user accounts or access permissions without change-management documentation indicate potential malicious activity. Unexpected process changes such as modifications to setpoints, control logic or operational parameters represent serious indicators. 

AW: When patching isn't feasible, what compensating controls provide the most protection?

MM: Organizations must implement layered compensating controls based on defense-in-depth principles. Network isolation provides fundamental protection through proper segmentation aligned with IEC 62443. And encrypted communications should use network-level encryption through VPN (virtual private network) mechanisms providing authentication, encryption and integrity protection. Implementing intrusion detection and prevention systems designed for OT environments helps identify and block malicious activity. In scenarios where legacy systems need to connect to cloud environments, remote sites or even across network segments, communication can be established using zero trust principles.

AR: The best strategy to develop a cybersecure architecture is to address technical and business culture limitations that prevent development of successful patching and updating strategies. As teams develop those tools, many implement compensating controls. Some include network segmentation and zoning that isolates OT segments using VLANs or micro-segmentation to limit lateral movement; continuous OT monitoring and anomaly detection via the implementation of passive sensors for real-time visibility into traffic and behaviors; and backup and recovery planning. In a cybersecurity breach, reliable backups will be critical to reducing downtime.

AW: How should organizations prioritize which legacy SCADA systems to secure first when resources are limited?

MM: Prioritize based on systematic risk assessment considering potential impact and likelihood of compromise. A viable approach emphasizes risk-based prioritization where factors such as system criticality, exploitability and potential production impacts must be incorporated. This evaluation must consider industrial environment requirements, following the confidentiality, integrity, availability principle.   

AR: It is critical to focus on the systems with the greatest risk first. Create a comprehensive asset inventory of all SCADA components including information on age, physical location, support status and dependencies. Next, conduct a risk assessment using a simple matrix, for example, “likelihood times impact.” Partnering with an expert automation solutions provider can provide a significant advantage.

AW: How can organizations plan security improvements that align with system upgrades?

MM: Develop phased security improvement roadmaps for immediate risk reduction. Prepare for modernization, starting with implementing network segmentation and access controls aligned with IEC 62443. Establish comprehensive monitoring and logging to provide visibility while creating data sources modern systems leverage more effectively. 

AW: Do threat landscapes differ between industries using legacy SCADA systems?

MM: Landscapes vary based on attacker motivations, system criticality and regulatory environments. Manufacturing consistently ranks among the most targeted sectors with attacks on industrial targets rising over 300% since 2020. Manufacturing encounters threats ranging from IP (intellectual property) theft to ransomware. 

AR: Landscapes change depending on the sector. Electricity and oil and gas are the most dangerous sectors. A successful intrusion can cause massive blackouts and energy shortages. But vulnerability can exist anywhere. 
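An added example (not from the interviewees or their companies) of the indicators of compromise discussed earlier in this interview: unexpected write commands, repeated failed logins and configuration changes without change-management records, checked over constructed sensor events. The log format, host addresses, ticket field and the use of Modbus function codes are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as a passive OT sensor might export them.
# Field names, hosts and ticket ids are assumptions made for this example.
SAMPLE_LOG = """\
2026-02-01T08:00:01 type=modbus src=10.10.1.5 dst=10.10.2.20 fc=3
2026-02-01T08:00:09 type=modbus src=10.10.1.5 dst=10.10.2.20 fc=16
2026-02-01T08:02:30 type=modbus src=10.10.3.77 dst=10.10.2.20 fc=6
2026-02-01T08:05:00 type=login src=10.10.3.77 user=admin result=fail
2026-02-01T08:05:04 type=login src=10.10.3.77 user=admin result=fail
2026-02-01T08:05:09 type=login src=10.10.3.77 user=operator result=fail
2026-02-01T08:40:00 type=login src=10.10.1.9 user=jdoe result=fail
2026-02-01T09:15:00 type=config src=10.10.1.5 item=setpoint_T101 ticket=CHG-1042
2026-02-01T09:20:00 type=config src=10.10.1.5 item=user_add ticket=-
"""

ENGINEERING_STATIONS = {"10.10.1.5"}  # hosts allowed to write to controllers
MODBUS_WRITE_CODES = {5, 6, 15, 16}   # Modbus write coil/register function codes
FAIL_THRESHOLD = 3                    # failed logins from one source...
FAIL_WINDOW = timedelta(minutes=5)    # ...within this sliding window

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect(log_text):
    """Return (alert_kind, source, timestamp) tuples for time-ordered events."""
    alerts, fails = [], defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        e = parse(line)
        if e["type"] == "modbus":
            # Anomalous command: a write from a host that is not an engineering station.
            if int(e["fc"]) in MODBUS_WRITE_CODES and e["src"] not in ENGINEERING_STATIONS:
                alerts.append(("unauthorized_write", e["src"], e["ts"]))
        elif e["type"] == "login" and e["result"] == "fail":
            # Keep only failures inside the window, then alert once at the threshold.
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= FAIL_WINDOW]
            fails[e["src"]] = recent + [e["ts"]]
            if len(fails[e["src"]]) == FAIL_THRESHOLD:
                alerts.append(("repeated_login_failure", e["src"], e["ts"]))
        elif e["type"] == "config" and e.get("ticket", "-") == "-":
            # Configuration or account change with no change-management reference.
            alerts.append(("undocumented_change", e["src"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for kind, src, ts in detect(SAMPLE_LOG):
        print(ts.isoformat(), kind, src)
```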

About the Author

Mat Dirjish, contributing writer

Mat Dirjish has years of tech reporting experience at B2B technology publications such as  Electronic Products Magazine, EE Product News, Electronic Design, Sensors Online & Sensors Expo, and Sensors Daily. He's been a regular contributor to Automation World since 2023.
