A new strategy for Legacy Risk is needed!


When you stay informed about new developments in Internet of Things and Industry 4.0, you might easily get the impression that factories are filled with the latest and greatest in technology. A short tour of most production facilities will immediately remind you that the majority of the active machines and equipment are far from Industry 4.0 enabled. And when you understand the investments involved, you will also understand that they are here to stay for a long time. Built to last, by companies that have worked hard to earn the reputation that they build to last.

Equipment and infrastructure that was built and is maintained to last several decades forms the core of industrial capacity and critical infrastructure, and that will not change in the future. The brand new equipment in the greenfield factory being built right now will also run for many years, even decades, before it is replaced. Just like that new transportation platform that will start next month. Built to last: high-tech today will soon be legacy, and with the increasing pace of technology development, soon comes earlier than ever before.

And where does Cyber Security fit in this whole Industrial Legacy? Right in the middle of it! The installed legacy base was designed and constructed long before the current cyber threats were launched. Even some upgrades and first steps into connectivity were implemented without the exposure to cyber crime in mind because it wasn’t the problem it is now. The giants of the industry have of course developed cyber security solutions for their platforms and equipment, including the legacy.

And whatever the giants of the industry can’t fill, startups will fill with innovative Cyber Security solutions. Companies like a’svin – healing the IoT, just to name an example of how startups are filling the gaps with speed and innovative concepts. A’svin combines a solution for a growing critical pain point in Cyber Security (keeping Edge devices updated) with innovative technology. By creating blockchain-based solutions to enforce secured updates on Internet of Things devices for a constantly growing base of vendors, they will offer solutions for what most operators of equipment and infrastructure will face in their facilities: many generations of technology from many different suppliers. Vendors facing the same challenges can join a growing platform to serve their customers.

Just like A’svin does with their solution platform, startups are excellent partners to deliver smart solutions for pain points, and Cyber Security solutions are no exception to that formula. There is an industry of its own in cyber security consulting firms. So the solutions are available and new solutions continue to come; that is not the challenge. The available solutions are not installed throughout the industrial and infrastructure legacy installed base. That is the problem! Part of that problem is caused by the systems and controls being managed as part of the equipment and infrastructure they control.

Managing the controls and systems as part of the equipment and infrastructure has a significant impact on Cyber Security. Even in the books, where in most cases depreciation is set at the life cycle and investment of the equipment. Still, (too) many organizations leave the responsibility for systems and controls in the otherwise qualified hands of the maintenance departments. Proper design and maintenance are no longer enough to protect those investments; Cyber Resilience is required and the demand will only increase over time. Cyber Security needs Cyber Security experts to protect those assets and investments against cyber threats! It is a matter of ROI protection to include Cyber Security expertise in the maintenance planning, in the budgets and in the strategies. Not just going forward; this also needs to include the legacy in the field!

Some of these machines were built before you and I were born, and in countries that no longer exist.

Threats we must fence off today didn’t pose much of a risk a few months ago. The defense mechanisms we have today will not bring us much next year. We need to adapt constantly, and most of us have started to understand that. Now we have to take it to the next level: we have to start looking at the industrial legacy and make sure we are able to adapt. To do so, we have to break through some barriers. Critical infrastructure and equipment are at stake here; we have to rethink and keep rethinking! That crucial rethinking can’t be done by the vendors alone. It will take strong collaboration between investors, owners, operators, educators, marketeers, developers, vendors, all stakeholders.

Cyber Security strategy for legacy RISK

Reputation, reliability and ROI all contribute to the success of the giants in the industry. Built to last, so you know the investment will pay off. If only there wasn’t the challenge of the internet, the Internet of Things, connectivity, Industry 4.0, and all the cyber security risks and threats introduced by them. An industrial application commissioned a decade or longer ago, and designed to last at least another decade or even more, isn’t prepared for the current cyber threats. How could it be, when none of what exists today existed when it was designed? Not to mention the new threats that keep showing up on a daily basis.

Investing in cyber security is investment protection!

Picture courtesy of Amanda Scott/ Alias Studio Sydney

A new strategy is needed, and it will take much more than smart marketing to get the message to the right audience. Reaching different decision makers, setting new priorities. Other decision makers and budget owners will have to be made aware that replacing or upgrading devices to be cyber resilient is a matter of investment protection. Regular penetration testing as a maintenance strategy and not as yet another IT project. It is a different message for a different audience. The giants with the reputation of building to last will have to be very vocal about retrofitting their products. Others will be able to navigate into niches with special solutions for special problems.

In the next chapter of Back to the Future Cyber Security: Rethink and act, a strategic action plan for Cyber Security and the Industrial Legacy

Stay tuned for more chapters of Back to the Future Cyber Security
