Legacy systems have long been a headache for security executives, and as the threat landscape becomes more complex, the challenge of securing these systems only intensifies. The term refers to outdated hardware and software that remains in use because it is critical to business operations. These systems often present both cybersecurity and uptime issues, making them a particularly difficult problem to solve.
For line-of-business (LOB) executives, the fear of touching anything in the legacy environment is primarily driven by uptime concerns. These executives worry that making changes to the system could cause it to crash, resulting in costly downtime and potential production halts. Moreover, restoring these legacy systems can be a daunting task, as the personnel who originally developed them may no longer be available, hardware manufacturers might be out of business, and documentation is often lacking or insufficient.
One of the main challenges with legacy systems is their interconnectedness. Over the years, as newer technologies have been introduced, these systems have become entangled in a web of dependencies that makes upgrading or decommissioning them incredibly complicated. According to Michael Smith, field CTO at Vercara, network and log analysis of these systems is crucial to identifying their dependencies and ensuring seamless integration with new technologies.
To address these concerns, security teams often recommend isolating legacy systems or wrapping them in metaphorical “bubble wrap” to reduce their attack surface area. However, this approach is not always foolproof, and failures can still occur, with no reliable way to predict them. Additionally, legacy systems have accumulated technical debt over time, lacking proper documentation and architectural knowledge. In many cases, the people who originally developed these systems have moved on, leaving organizations struggling with outdated knowledge and insufficient documentation.
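The dependency discovery and isolation described above, sketched as an added example (not from the article or the people it quotes): flow records touching a legacy host are turned into a dependency map, and only repeatedly observed flows become candidate allow rules. It assumes flow logs exported as CSV in initiator-to-responder direction; the column names, addresses and the `min_seen` threshold are constructed for illustration.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample flow records (initiator -> responder); not real data.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2024-01-01T00:00:01,10.0.5.20,10.0.9.7,1521,tcp
2024-01-01T00:05:01,10.0.5.20,10.0.9.7,1521,tcp
2024-01-01T00:06:12,10.0.5.21,10.0.9.7,1521,tcp
2024-01-01T01:00:00,10.0.9.7,10.0.1.10,53,udp
2024-01-01T01:00:05,10.0.9.7,10.0.1.10,53,udp
2024-01-01T02:00:00,10.0.9.7,10.0.3.40,445,tcp
2024-01-01T03:00:00,10.0.7.99,10.0.9.7,23,tcp
2024-01-01T03:10:00,10.0.5.20,10.0.2.2,443,tcp
bad,line
"""
LEGACY_HOST = "10.0.9.7"  # hypothetical address of the legacy system


def dependency_map(flow_csv, host):
    """Count flows touching `host`: inbound clients and outbound dependencies."""
    inbound, outbound = Counter(), Counter()
    for row in csv.DictReader(StringIO(flow_csv)):
        try:
            src, dst, port, proto = row["src"], row["dst"], int(row["dport"]), row["proto"]
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed records instead of aborting the analysis
        if dst == host:
            inbound[(src, port, proto)] += 1
        elif src == host:
            outbound[(dst, port, proto)] += 1
    return inbound, outbound


def isolation_allowlist(inbound, outbound, host, min_seen=2):
    """Repeated flows become allow rules; one-off flows go to manual review."""
    # Rare flows are reviewed, not denied: a monthly batch job may appear only once.
    allow, review = [], []
    for (peer, port, proto), n in sorted(inbound.items()):
        (allow if n >= min_seen else review).append((peer, host, port, proto))
    for (peer, port, proto), n in sorted(outbound.items()):
        (allow if n >= min_seen else review).append((host, peer, port, proto))
    return allow, review


if __name__ == "__main__":
    allow, review = isolation_allowlist(*dependency_map(SAMPLE_FLOWS, LEGACY_HOST), LEGACY_HOST)
    print("allow:", allow)
    print("review:", review)
```

The observation window should cover at least one full business cycle before any rule is enforced, since the uptime risk the article describes comes from dependencies that were never seen.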
Adding to the complexity of dealing with legacy systems is the issue of system certification. These systems often undergo rigorous certification processes, and any changes, including patches and updates, can jeopardize their accreditation. This concern poses a significant barrier to organizations considering upgrades or migrations to more modern systems.
Moreover, some legacy systems are physically difficult to replace, especially in sectors like healthcare where specialized equipment, such as MRI machines, requires extensive installation and infrastructure modifications. The costs and logistical challenges of replacing such systems often discourage organizations from pursuing upgrades, leading to prolonged reliance on legacy technology.
From the perspective of boards, CEOs, and chief information security officers (CISOs), the ideal solution would be to replace all legacy systems with modern alternatives that meet today’s cybersecurity and compliance requirements. However, the practicality of such an approach is often questionable. Migrating or rewriting legacy applications to modern platforms can be a monumental and cost-intensive task. Companies often find that the performance and capabilities of legacy systems cannot be easily matched in a PC environment, making the switch economically unviable.
Lack of actionable documentation further complicates the process of updating legacy systems. This issue is not limited to legacy technology, as current developers also often fail to document their code adequately. Ayman Al Issa, industrial cybersecurity lead at McKinsey, emphasizes the importance of documentation, highlighting a cultural issue where developers fail to recognize its value. He suggests that companies establish their own documentation based on the teams managing the systems while also implementing job rotations to avoid dependency on a single individual.
To address the ongoing lack of documentation, experts argue that strong documentation requirements should be integrated into the DevSecOps process. By making documentation a contemporaneous practice within development and security operations, organizations can ensure that future legacy systems are better equipped to handle upgrades and changes.
Ultimately, the challenge of securing legacy systems is a multifaceted problem that requires a combination of technological solutions and cultural shifts within organizations. As businesses navigate the complexities of digital transformation, finding effective strategies to mitigate the risks associated with legacy systems will continue to be a top priority for cybersecurity professionals.