<h1>How to protect legacy IT systems</h1>
<p>Kaspersky Daily, published 2023-07-31: <a href="https://www.kaspersky.com/blog/legacy-it-update-troubles-and-mitigations/48692/">https://www.kaspersky.com/blog/legacy-it-update-troubles-and-mitigations/48692/</a></p>
<p>Legacy systems continue to toil away in embedded solutions, medical equipment, and precision instruments. How can the respective security risks be mitigated?</p>
<p>The popular “if it ain’t broke, don’t fix it” principle has reigned supreme in the computing world since the year dot. However, it has become an unaffordable luxury. The proliferation of cyberattacks — including on scientific and medical organizations — presents both IT and infosec services with a real dilemma. To protect critical hardware against attacks, its software must be updated. After all, outdated software means easy-to-exploit vulnerabilities, primitive or non-existent encryption, and rudimentary access control — every cybercriminal’s dream. But updating this software often entails major outlays and risks playing havoc with business processes. Is it really that complicated, and, either way, how can the issue be solved?</p>
<h2>The risks of updating</h2>
<p>Many systems have been running smoothly for years — sometimes decades. They’re not updated because their business owners worry that updates may disrupt the systems irrecoverably. Such fears are not unfounded. The people who installed and initially set up the systems may be long retired, and the documentation might be lost or may never have existed at all. Sometimes this manifests itself in extreme forms; for example, the U.S. Internal Revenue Service still uses 1970s computers and <a href="https://www.washingtonpost.com/politics/2023/02/24/irs-technology-gao-report-archaic/">programs in the near-dead COBOL language</a>. Or the hardware supplier may have been sold or taken over, shut down, or gone bust. That, too, is nothing unusual: this year ATM giant <a href="https://www.reuters.com/legal/atm-maker-diebold-nixdorf-files-bankruptcy-cut-2-bln-debt-2023-06-01/">Diebold Nixdorf</a> filed for bankruptcy.</p>
<p>In all such cases, there’s no tech support to call should an update go awry.</p>
<p>Moreover, long-serving hardware forms connections with other company systems, and these interconnections can be obscure and/or poorly documented. As a consequence, a system shutdown could cause cascading failures or malfunctions in other systems that are hard to anticipate and prevent. Recovering from such an incident could take days or weeks, and the cost of the downtime could be huge.</p>
<h2>Restrictive upgrade costs</h2>
<p>Even if the system isn’t too interconnected and is well documented, updating can still be out of the question because of the exorbitant costs involved. For example, decommissioning the legacy operating system in an MRI machine may require the purchase of a new device. The cost (around half a million dollars) is very high in itself. But the problem isn’t limited to the price tag of the scanner. Its installation requires a crane, possibly the dismantling of part of a wall, and the walls of the room would have to be shielded with a Faraday cage. At that point it’s no longer an IT upgrade but a major construction project. And if the system is deeply entwined with legacy equipment and equally obsolete software, replacing the hardware would require recoding or buying new software, which can be another lengthy and expensive project.</p>
<h2>Compensatory measures</h2>
<p>Just as expensive vintage cars are kept in a garage, and valuable paintings in a special atmosphere-controlled container, so too do systems that are neither replaceable nor fully upgradeable require a special approach to maintenance. Every possible measure must be taken to reduce the attack surface. Below is a short list of possible compensatory measures to protect legacy IT systems:</p>
<p><strong>Network segmentation.</strong> Segregating vulnerable legacy equipment into a separate network segment will help minimize the risk of cyberattacks. You should strive for a high degree of isolation — up to and including physical separation of the network and switching equipment. If this isn’t realistic, be sure to regularly check that firewalls and routers are configured to maintain proper isolation from the “normal” network. It’s also important to track commonplace violations of the rules by employees — such as accessing both the isolated network and the shared network from one computer through different network interfaces.</p>
<p><strong>Encryption.</strong> For systems that exchange information with other computers using outdated protocols, it’s recommended to create VPN tunnels based on the latest encryption and authentication algorithms. Data exchange outside the tunnel should be blocked.</p>
<p><strong>Upgrades.</strong> Even if an upgrade to a modern system is out of the question, this doesn’t mean you can’t install any updates at all. A step-by-step upgrade to the latest available versions of core software, plus regular database updates for installed <a href="https://www.kaspersky.com/enterprise-security/embedded-systems">protection systems</a>, is preferable to mothballing.</p>
<p><strong>Micro-segmentation of processes.</strong> If a business process on a legacy system can be split up, it’s a good idea to leave on that system only those parts of the process that cannot possibly be transferred to newer equipment. Transferring even part of the workload to a modern, upgradeable platform will make it easier to protect what’s left. For example, MRI images cannot be taken outside the scanner, but they can be uploaded to the clinic’s server and viewed and analyzed on newer computers.</p>
<p><strong>Closed list of applications.</strong> The previous tip keeps the range of work carried out on legacy equipment to a minimum. Applications and processes that are part of that work can be added to an allowlist, and all others to a denylist. This significantly lowers the risk of running malware, or simply third-party software that affects system stability. Such a “default deny” scenario can be implemented using <a href="https://www.kaspersky.com/enterprise-security/embedded-systems">specialized security solutions</a> that are able to operate on systems with limited resources.</p>
<p><strong>Virtualization.</strong> Where legacy software runs on legacy hardware, virtual machines may solve two problems: they at least allow the hardware to be upgraded, and they make it possible to implement a number of compensatory measures (such as modern access control and encryption) at the level of the virtualization system and the host system. This tip can work well even for some very old information processing systems.</p>
<p><strong>Minimization of access and privileges.</strong> Access to legacy equipment (more specifically, to its computer hardware) should be granted to the minimum necessary number of employees, with extremely limited privileges. If the system architecture does not allow the required configuration of rights and users, you can try to implement these restrictions at an earlier access stage (during login to the VPN or virtual machine, etc.), as well as restrict access through purely administrative measures (locks and physical security).</p>
<p>Of course, this requires careful evaluation of the applicability of each measure and of the risks that the technology being introduced poses to the smooth and secure operation of the system.</p>
<h2>Future-proofing</h2>
<p>Applying compensatory measures to legacy equipment is by no means purely an infosec task. Infosec experts need to have a complete list of obsolete equipment in the company and to keep track of when its replacement is initiated for business reasons. That is a good time to upgrade in line with the latest security requirements.</p>
<p>More importantly, you need to ensure that systems being put in place today — which will someday themselves become obsolete — don’t inherit the same problems. For this, all infosec requirements need to be factored in when purchasing hardware and software: regular and easy updating of software components; documentation of bugs and vulnerabilities; and, ideally, a secure-by-design philosophy.</p>
<p>For software developed in-house or forked from open-source projects (an increasingly popular practice among companies), it’s vital to set stringent requirements for code documentation. In an ideal scenario, producing documentation should become as much a part of the DevSecOps pipeline as automated tests.</p>