
URL: https://www.darkreading.com/edge/why-legacy-system-users-prioritize-uptime-over-security
The Edge



WHY LEGACY SYSTEM USERS PRIORITIZE UPTIME OVER SECURITY

For line-of-business execs, the fear of mission-critical systems grinding to a
halt overrides their cybersecurity concerns. How can CISOs overcome this?
Evan Schuman
Contributing Writer, Dark Reading
June 23, 2023


Dirk Hodgson, the director of cybersecurity for NTT Australia, tells a story. He
once worked with a company that did scientific measurements. The highly
specialized firm used highly specialized equipment, and one large piece of
equipment cost them $2 million when purchased years ago.



The hardware did not cause any issues, and the manufacturer routinely replaced
parts and performed maintenance, as per its contract. The security problem was
the operating system, which was Windows XP. The company went to the manufacturer
and asked if it could upgrade the OS to a more current and supported OS.

Not a problem, replied the manufacturer. The company merely had to buy a new
multimillion-dollar system, which came with a current OS. As for updating the OS
on the current machine? The manufacturer declined.



"That thousand-dollar upgrade would require a multimillion-dollar investment,"
Hodgson says. "Legacy software is definitely a big problem."



Indeed, security executives have been battling legacy systems for decades. And
with the threat landscape only increasing in complexity — tangled up in remote
workers, partners, Internet of Things (IoT), and cloud integrations — the fight
has become more intense. There are many technological ways to try to mitigate
the legacy threat — isolation, virtualization, replication in a sandbox, etc. —
but none of those deal with corporate politics and the fear of letting security
teams touch legacy systems at all.


UPTIME ISSUES TAKE PRIORITY FOR LINE-OF-BUSINESS

The issues with legacy systems fall into two distinct buckets: cybersecurity
issues and uptime issues. For the line-of-business (LOB) executive, the uptime
issue — the fear that touching anything in the legacy environment could cause
the system to crash — is far more frightening. And since these legacy systems
usually operate quite well day to day, the business executive sees zero reason
to toy with them.

LOB execs also often legitimately worry that they won't have the capabilities to
restore the system if it does crash. That's because the people who wrote the
code are long gone, the vendor that manufactured the hardware might be out of
business, and the software documentation is either nonexistent or woefully
inadequate.



Worst of all, legacy systems are often truly mission-critical, such as those
running assembly lines. If they were to crash, production could easily come to a
halt for an indeterminate period. It could also trigger cascading failures
across connected systems.

"The big surprise about legacy systems is that since they have been around for
so long, almost everything else is connected to them," says Michael Smith, field
CTO at Vercara. "So you have this huge Gordian knot of dependencies that make it
nearly impossible to upgrade or decommission that legacy system, and you have to
do a lot of network and log analysis to understand what other systems are
connecting to them and when."


BUBBLE WRAP DOESN'T WORK FOR EVERYTHING

"Business executives are right to be cautious when allowing security teams to
touch mission-critical legacy systems," says Eoin Hinchy, founder and CEO of
Tines. "Security teams should instead focus on reducing the attack surface area
of legacy systems. In other words, wrap them in bubble wrap."

Although the bubble-wrap concept is a popular means of dealing with legacy
systems, it doesn't always work. And therein lies the real conundrum: Not only
does this effort still sometimes fail, but there is no reliable way of
predicting a failure.

"One of the challenges with legacy [systems] is an accumulation of
technical debt that amasses over time," says David Burg, cybersecurity leader
for Ernst & Young Americas. "When they were built, [developers] were working
with the institutional knowledge that existed at that time. The documentation of
architecture, interoperability, and dependencies and such were likely never
documented. People come and go."

Beyond the traditional security risks, NTT Australia's Hodgson points out that
system certification is another complicating factor. "A system is certified to a
particular level. If patched, there is a reasonable chance that it will work
fine, but you might lose that accreditation that you bought," he says.

And many of these specialized systems are physically difficult to replace, even
if the LOB chooses to do so. "Consider medical facilities installing MRI
machines. They have to be craned in. You have to install lead in the walls,"
Hodgson says. "You are going to be keeping that for a very long time."


WHAT CISOS WANT

This brings the debate to a conflict between ideal and practical. From the
board/CEO/CISO perspective, the ideal would be to replace all of the legacy
systems with modernized systems that can effortlessly support today's
cybersecurity and compliance requirements. But even if the enterprise is willing
to spend the money to make that switch, it may simply not be practical.

"For many legacy system applications, data access, calculation, and even
communications performance cannot be easily matched in a PC environment, if at
all," says Bob Hansmann, senior product marketing manager for security at
Infoblox. "The work to migrate/rewrite COBOL, Fortran, RPG II, and other
applications to PC platforms is mountainous and hard to cost-justify. And even
if the code is migrated, it needs to be heavily tested and modified for
performance — as in speed and accuracy — often due to how different PC hardware
is from mainframe and mini hardware."

The lack of actionable documentation is a critical factor in updating legacy
systems, but the problem is not limited to legacy. Today's developers — whether
it's a software vendor creating apps for wide distribution or an enterprise
developer creating homegrown software — still do not document code in any usable
way. Thus, the next generation of legacy systems may suffer from the same
problems.


BUILD DOCUMENTATION INTO FUTURE LEGACY

Ayman Al Issa, the industrial cybersecurity lead at McKinsey, labels the lack of
actionable documentation today "a major issue."

"We don't see good documentation at all," he says. "It's a cultural issue. They
don't see the value of documentation. This includes maintenance issues and any
change to the system. They are simply not documented. People are lazy about
documenting everything."

Al Issa suggests that companies need to create their own documentation based on
the teams managing the systems. But to avoid the single-point-of-failure
problem, "they need to do a rotation of duties so that there's not only one
person who can operate the systems," he says.

In theory, management should insist that development is properly documented, but
instead managers are pressured to deliver. Once the developer completes Project
A, do they insist that the developer spend a week documenting everything, or do
they tell the developer to move on to the next project, which is what the
developer wants to do anyway?

The only viable fix is to incorporate strong documentation requirements into the
DevSecOps process, Ernst & Young's Burg says. "We have to make this
contemporaneous documentation or it won't happen," he adds.

Copyright © 2023 Informa PLC Informa UK Limited is a company registered in
England and Wales with company number 1072954 whose registered office is 5
Howick Place, London, SW1P 1WG.




