News & Insights
Building cybersecurity: identifying vulnerabilities in legacy systems
This article highlights a proactive approach to building cybersecurity with practical advice on how to get it done.
Despite growth in new commercial buildings, new construction still represents a smaller portion of the overall building stock, with the average age of commercial buildings in the US being around 50 years old. Most facility and IT managers are dealing with a mix of various legacy building systems.
Legacy systems are those that have been in use for a long time, often beyond their original intended lifespan. They may be based on outdated technologies, have poor documentation, lack security updates, or have dependencies on other obsolete systems. These factors make legacy building systems vulnerable to various types of cyberattacks, such as data breaches, denial-of-service, ransomware, or malware infections.
Identifying cybersecurity vulnerabilities in legacy building systems is a challenging task, as they often cannot run modern security agents or support current standards and protocols (encrypted transport, centralized authentication, structured logging). Moreover, legacy building systems may run a large and complex codebase with many hidden or unknown flaws. Assessing their security posture and mitigating the associated risks therefore requires a systematic and proactive approach.
Take a systematic approach to vulnerability assessment in legacy building systems
The following are some of the best practices for identifying cybersecurity vulnerabilities in legacy building systems along with practical advice for how to get it done:
Inventory and prioritize legacy building systems
The first step is to create a comprehensive inventory of all the legacy systems in the building, including their hardware, software, network, and data components. This will help to identify the scope and scale of the problem, as well as the potential impact of a security breach. Based on the inventory, legacy building systems should be prioritized according to their criticality, exposure, and functionality. High-priority systems should be assessed and secured first, while low-priority systems should be considered for decommissioning or replacement.
How to get it done: Use network discovery and vulnerability-management tools to build the inventory. Nmap discovers hosts and open services (including building-automation protocols such as BACnet and Modbus through its scripting engine), while platforms such as Qualys, Rapid7 and Tenable enrich that picture with missing patches, configuration findings and dependencies, which helps rank the risk and exposure of each system and prioritize remediation. One caveat specific to building systems: active scanning can hang or reboot fragile legacy controllers, so scan them during a maintenance window with conservative timing, exclude devices known to be sensitive, and where possible supplement the scan with passive discovery from a network tap or span port.
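The inventory-and-prioritize step in code, as an added example that is not from the article or from Salas O'Brien: it parses Nmap XML output (a constructed sample here, not a real scan; the assumed scan command is shown in the docstring) into a host inventory and ranks each host by an owner-assigned criticality multiplied by an exposure score derived from the services found. The criticality table and the exposure weights are hypothetical placeholders for the organization's own values.

```python
"""Prioritized inventory of building-system hosts from an Nmap XML scan.

Added example; not code from the article or from Salas O'Brien. It assumes a
scan such as the following was run (hypothetical range, rate-limited for OT):
    nmap -sU -sT -p U:47808,T:502,T:23,T:80,T:443 \
         --script bacnet-info,modbus-discover --max-rate 50 -oX scan.xml 10.0.0.0/24
SAMPLE_NMAP_XML below is a constructed sample in Nmap's XML format, not real output.
"""
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="ahu-1-ctrl"/></hostnames>
    <ports>
      <port protocol="udp" portid="47808"><state state="open"/><service name="bacnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <hostnames><hostname name="chiller-plc"/></hostnames>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.30" addrtype="ipv4"/>
    <hostnames><hostname name="bms-server"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>"""

# Hypothetical owner-maintained criticality: 1 = low, 3 = mission-critical or life-safety.
CRITICALITY = {"chiller-plc": 3, "ahu-1-ctrl": 2, "bms-server": 3}

# Hypothetical exposure weights: unauthenticated OT protocols and cleartext or
# remote-admin services raise exposure; unknown services count 1.
EXPOSURE_WEIGHT = {"bacnet": 3, "modbus": 3, "telnet": 3, "ms-wbt-server": 2, "http": 1, "https": 0}


def parse_inventory(nmap_xml):
    """Return one record per host that is up: address, hostname, open services."""
    root = ET.fromstring(nmap_xml)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports do not add exposure
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else "unknown",
            })
        inventory.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": name_el.get("name") if name_el is not None else None,
            "services": services,
        })
    return inventory


def exposure_score(services):
    """Sum of per-service exposure weights for a host."""
    return sum(EXPOSURE_WEIGHT.get(s["name"], 1) for s in services)


def prioritize(inventory, criticality=CRITICALITY):
    """Rank hosts by criticality x exposure, highest priority first."""
    ranked = []
    for rec in inventory:
        crit = criticality.get(rec["hostname"], 1)  # unknown hosts default to low criticality
        exp = exposure_score(rec["services"])
        ranked.append({**rec, "criticality": crit, "exposure": exp, "priority": crit * exp})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(parse_inventory(SAMPLE_NMAP_XML)):
        svcs = ", ".join(f"{s['name']}/{s['port']}" for s in r["services"])
        print(f"{r['priority']:>3}  {r['hostname']:<12} {r['addr']:<12} "
              f"crit={r['criticality']} exp={r['exposure']}  [{svcs}]")
```

With the sample, the Modbus PLC that also exposes telnet ranks first (3 x 6 = 18), the BACnet air-handler controller second (2 x 4 = 8), and the BMS server with only HTTPS and RDP third (3 x 2 = 6). The closed telnet port on the server is ignored. Replacing the two hypothetical tables with the organization's own criticality ratings and service weights is the whole point: the scan supplies exposure, the owner supplies criticality, and neither alone gives a sensible order of work.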
Perform vulnerability scans and penetration tests
The next step is to use automated and manual tools to scan and test legacy systems. Vulnerability scans detect known flaws: missing patches, misconfigurations, default or weak credentials, and outdated services. Penetration tests go further by simulating real-world attacks against the building’s systems to confirm whether those flaws (and unknown ones a scanner cannot see) can actually be exploited to gain access, escalate privileges, or compromise data. The results of the scans and tests should be documented and analyzed to determine the severity and likelihood of each vulnerability.
How to get it done: Schedule regular scans using tools like Nessus or OpenVAS, and hire or train a team for periodic penetration testing to uncover deeper issues. Agree rules of engagement up front: which controllers may be touched, which are off limits (life-safety systems, for example), and when testing may take place, since a test that knocks a controller offline is itself an outage.
Apply patches and hardening measures
The third step is to apply patches and hardening measures to fix or reduce the vulnerabilities in legacy systems. Patches are software updates that address specific bugs or flaws in the system. Hardening measures are configuration changes that enhance the security of the system, such as disabling unnecessary services, enforcing strong authentication, or encrypting data. Patches and hardening measures should be applied in a timely and consistent manner, following a change management process and a backup plan.
How to get it done: Establish a patch management schedule and utilize configuration management tools to enforce and monitor hardening measures across all systems.
Monitor and audit legacy building systems
The fourth step is to monitor and audit legacy building systems for any signs of abnormal or malicious activity, such as unauthorized access, data leakage, or system degradation. Monitoring and auditing tools can help to collect and analyze logs, alerts, and metrics from legacy building systems, and generate reports and dashboards that provide visibility and insight into the system’s performance and security. Monitoring and auditing can also help to verify the effectiveness of the patches and hardening measures and identify any new or emerging vulnerabilities.
How to get it done: Implement a SIEM (Security Information and Event Management) system such as Splunk or IBM QRadar to continuously collect and analyze system activity, and set up regular audit routines. Expect that many legacy controllers cannot produce or forward usable logs; for those, feed the SIEM from what sits around them (firewall and switch logs, a network tap or span port, the supervisory server) and alert on traffic that deviates from the small set of hosts and protocols a controller should ever see.
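The monitoring logic this step describes, as an added example that is not code from the article or from any SIEM product: it runs over constructed connection-log lines in a hypothetical key=value format of the kind a firewall or network sensor beside the controllers would produce, and raises alerts for OT-protocol sessions from hosts outside an allowlist of engineering workstations, for allowlisted access outside the maintenance window, and for a single source sweeping many controllers. The controller set, allowlist, window and sweep threshold are hypothetical.

```python
"""Flag abnormal access to legacy building-system controllers from connection logs.

Added example; not from the article or any SIEM product. SAMPLE_LOG is a
constructed log in a hypothetical key=value format, not real traffic. The
controller set, workstation allowlist, maintenance window and sweep threshold
are hypothetical values an operator would replace with their own.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real traffic); one malformed line is included on purpose.
SAMPLE_LOG = """\
2024-05-01T09:05:11Z src=10.0.9.5 dst=10.0.0.20 dport=502 proto=tcp action=allow
2024-05-01T09:06:02Z src=10.0.9.5 dst=10.0.0.10 dport=47808 proto=udp action=allow
2024-05-01T13:40:19Z src=10.0.5.77 dst=10.0.0.20 dport=502 proto=tcp action=allow
sensor restarted: line without the expected fields
2024-05-01T22:15:41Z src=10.0.9.5 dst=10.0.0.20 dport=502 proto=tcp action=allow
2024-05-01T23:01:03Z src=10.0.5.77 dst=10.0.0.10 dport=47808 proto=udp action=allow
2024-05-01T23:01:04Z src=10.0.5.77 dst=10.0.0.11 dport=47808 proto=udp action=allow
2024-05-01T23:01:05Z src=10.0.5.77 dst=10.0.0.12 dport=47808 proto=udp action=allow
2024-05-01T23:01:06Z src=10.0.5.77 dst=10.0.0.13 dport=47808 proto=udp action=allow
2024-05-01T10:00:00Z src=10.0.9.5 dst=10.0.0.30 dport=443 proto=tcp action=allow
"""

OT_PORTS = {502: "modbus", 47808: "bacnet"}                      # standard Modbus/TCP and BACnet/IP ports
CONTROLLERS = {"10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.20"}  # hypothetical
ENGINEERING_WORKSTATIONS = {"10.0.9.5"}                          # hypothetical allowlist
MAINTENANCE_WINDOW = (time(7, 0), time(19, 0))                   # hypothetical: controller access expected 07:00-19:00
SWEEP_THRESHOLD = 3                                              # distinct controllers from one source

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True when the timestamp's time of day falls inside the maintenance window."""
    start, end = window
    return start <= ts.time() <= end


def detect(log_text):
    """Return a list of alert dicts for OT-protocol sessions to known controllers."""
    alerts = []
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in CONTROLLERS or rec["dport"] not in OT_PORTS:
            continue  # only OT-protocol sessions to inventoried controllers are in scope
        proto = OT_PORTS[rec["dport"]]
        targets_by_src[rec["src"]].add(rec["dst"])
        if rec["src"] not in ENGINEERING_WORKSTATIONS:
            alerts.append({"rule": "unauthorized_source", "src": rec["src"], "dst": rec["dst"],
                           "detail": f"{proto} session from non-allowlisted host at {rec['ts']:%H:%M}"})
        elif not in_window(rec["ts"]):
            alerts.append({"rule": "outside_window", "src": rec["src"], "dst": rec["dst"],
                           "detail": f"{proto} session by allowlisted host at {rec['ts']:%H:%M}"})
    # A single source reaching many controllers looks like a scan or sweep, allowlisted or not.
    for src, dsts in targets_by_src.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            alerts.append({"rule": "controller_sweep", "src": src, "dst": None,
                           "detail": f"{len(dsts)} distinct controllers reached"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['rule']:<20} src={a['src']:<10} dst={a['dst'] or '-':<10} {a['detail']}")
```

On the sample this yields five unauthorized-source alerts for 10.0.5.77, one outside-window alert for the allowlisted workstation connecting at 22:15, and one sweep alert because 10.0.5.77 touched five controllers; the HTTPS session to the BMS server and the malformed line are ignored. The allowlist that drives the first rule is the same fact a segmentation firewall would enforce, so the detection and the compensating control can be maintained from one source of truth.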
Plan for migration or retirement
The final step is to plan for migration or retirement of legacy building systems, as they may not be able to meet current and future security requirements and expectations. Migration is the process of moving legacy systems to newer or more secure platforms, such as cloud, virtualization, or containerization; for building systems this typically applies to the supervisory and server tier, while field controllers that cannot be secured are candidates for replacement. Retirement is the process of decommissioning or disposing of legacy systems that are no longer needed or supported. Migration and retirement should be done in a phased and controlled manner, ensuring that the functionality, data, and security of the legacy systems are preserved or transferred.
How to get it done: Develop a detailed migration or retirement plan with timelines, milestones, and responsible personnel, ensuring thorough testing and validation at each stage to prevent disruptions.
Mitigation tactics: strengthen the building’s security posture
Some immediate steps that organizations can take to mitigate cyber risks in their building’s legacy systems are:
Proactively search out patches and updates
One of the main reasons why legacy building systems are vulnerable is that they are no longer supported by the vendors or developers, which means that they do not receive regular security updates or patches. Despite this, patches or updates may still be available from third-party vendors, open-source communities, or internal IT teams. While most organizations know they should identify and apply any available patches or updates for their legacy systems, many don’t have a mechanism for proactively seeking them out when they aren’t automated.
Process improvement: Apply virtual patching. Virtual patching enforces security policies or rules on an in-line network device or application firewall (an intrusion prevention system, a next-generation firewall, or a web application firewall in front of a web-managed controller) that block the traffic pattern an attacker would use to reach a vulnerability, rather than modifying the code or configuration of the legacy system itself. It lets organizations address vulnerabilities in legacy systems that cannot be patched because of technical or operational constraints, or for which no vendor patch exists, and it can shorten time to mitigation and avoid the downtime of patching the device. The caveat is that it protects only traffic that passes through the device and only against the patterns the rule describes; treat it as a bridge to a real fix rather than a replacement for one, and give the rule set the same review and testing a patch would get.
Implement compensating controls
Compensating controls are measures that reduce the risk of a legacy system by adding layers of protection or detection around it. For example, organizations can use firewalls, encryption, authentication, monitoring, logging, or segmentation to isolate or protect their legacy systems from unauthorized access or malicious attacks. Compensating controls can also help organizations comply with regulatory or industry standards that may not be met by the legacy systems themselves.
Process improvement: Develop a formalized process for regularly reviewing and updating compensating controls. This should include periodic risk assessments, routine updates to control measures based on the latest security standards, and continuous training for staff to ensure they are aware of and can effectively implement these controls.
Replace or retire obsolete systems
Ultimately, the best way to mitigate cyber risks in legacy systems is to replace or retire them with newer, more secure, and more efficient systems. Organizations should plan and execute a migration strategy that minimizes disruption and ensures data integrity and continuity. Organizations should also dispose of their legacy systems securely, following best practices for data sanitization and hardware destruction.
Process improvement: Develop a modernization roadmap. A modernization roadmap is a strategic plan that outlines the goals, objectives, scope, timeline, budget, and risks of modernizing or replacing legacy systems. A modernization roadmap can help organizations align their modernization efforts with their business needs and priorities, and ensure stakeholder buy-in and support. A modernization roadmap should also include clear evaluation criteria and metrics to measure the success and outcomes of the modernization project.
Adopt a phased approach to modernization
When the backlog of legacy systems seems daunting, it’s easy to fall into a “squeaky wheel” approach, addressing issues only as they become critical. However, adopting a phased approach can help organizations reduce the complexity and risk of modernization while achieving quick wins and gathering valuable feedback along the way. This method also enables organizations to balance the operational continuity of legacy systems with the deployment of new systems, minimizing disruption and downtime.
Process improvement: Choose a phased approach based on your context. Examples of phased approaches include agile, iterative, and incremental methods. Evaluate the specific needs and constraints of your organization to select the most appropriate method.
How Salas O’Brien can help
Vulnerabilities in legacy building systems pose a significant security risk to an organization’s assets, reputation, and operations. Both identifying vulnerabilities and mitigating them can create headaches for facility and IT managers. Salas O’Brien can provide comprehensive solutions to address these challenges.
1. Expert assessment and consultation
Salas O’Brien offers thorough assessments of your legacy building systems to identify vulnerabilities and prioritize risks. Our team of experts uses advanced tools and methodologies to conduct detailed vulnerability scans, penetration tests, and risk assessments.
2. Customized mitigation strategies
We develop tailored mitigation strategies based on your specific needs. Our approach includes implementing compensating controls, applying necessary patches and updates, and suggesting phased modernization plans to ensure the security and efficiency of your systems.
3. Phased modernization planning
Understanding the complexities of transitioning from legacy systems, Salas O’Brien helps you adopt a phased approach to modernization. Our team works with you to design and execute a step-by-step plan that minimizes disruption, ensures data integrity, and maintains operational continuity.
4. Ongoing commissioning services
Salas O’Brien provides ongoing commissioning services to ensure your systems remain secure and compliant. We offer tools and services for regular auditing, real-time monitoring, and incident response, helping you stay ahead of potential threats.
For media inquiries on this article, reach out to Stacy Lake, Director of Corporate Communications
Dan Vogt, MBA, TEC
Dan Vogt has over 30 years’ experience working in Information Technology (IT), mostly in top IT leadership positions for international companies with multiple lines of business. His experience is diverse and includes various industries, acquisitions & mergers, compliance, security, data centers, and creation of proprietary, innovative software and hardware. Dan stays abreast of trends and security practices within the IT field through participation in regional, national, and international associations. Dan serves as Chief Information Officer at Salas O’Brien. Contact him at [email protected].