What are Legacy Systems?
Legacy systems are outdated but still operational IT or OT systems that often perform critical functions within industrial environments. They run on older hardware or software platforms and are frequently incompatible with modern security standards or protocols.
In OT environments, legacy systems are common and may continue to operate for decades, often without updates or vendor support.
🧠 Characteristics of Legacy Systems
- Older platform
  - Windows XP/7, DOS, VMS, OS/2, old Linux distributions
  - Outdated PLC firmware, SCADA systems or HMIs
- Limited support
  - No patches, updates or vendor support
  - Risks when hardware fails or networks change
- Incompatibility with modern technology
  - No support for encryption, authentication, patch management
  - Incompatible with modern protocols (e.g. only Modbus RTU)
- Critical function
  - Often controls essential processes that are difficult to migrate
🏭 Legacy Systems in OT networks
- SCADA or DCS dating from the 1990s or 2000s
- PLCs or HMIs that operate only via serial connection (RS-232, RS-485)
- Machines with vendor lock-in or custom firmware
- Integrated within the Purdue Model (levels 1–2), often without network protection
Legacy systems are typically business-critical and cannot easily be replaced because of cost, dependencies or production downtime.
🔍 Legacy vs. Modern Systems
| Aspect | Legacy systems | Modern systems |
|---|---|---|
| Security | Very limited or absent | Built-in Access Control, TLS, etc. |
| Support | Often expired | Regular updates and support |
| Network protocols | Serial, proprietary | Ethernet, OPC UA, MQTT |
| Maintenance | Complex, manual | Remote management, OTA updates |
🔐 Security measures for Legacy Systems
- Segmentation via Firewall, VLAN or the zone-and-conduits model
- Use of Jump Server or Bastion Host for access
- Whitelisting and Application Control to block unwanted software
- Monitoring via IDS, SIEM or anomaly detection
- Immutable Backup or snapshot technology where patching is not an option
- Document vulnerabilities in the risk register
Migration is often desirable but, where it is not possible, mitigations are essential.
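Two of the measures above, segmentation and monitoring, can be checked against observed traffic rather than assumed. The following Python script is an added example and is not part of the original page: it evaluates constructed flow records against the conduits permitted into a legacy zone and flags everything else as a segmentation violation, which is the kind of rule an IDS or SIEM would carry for a legacy segment. The zone (10.20.0.0/24), the jump host (10.10.0.5), the single permitted conduit (Modbus/TCP on port 502) and the log format are all assumptions made for the example.

```python
"""Conduit allow-list check for a legacy OT zone.

Added example, not code from the original page. Assumed setup: the legacy
segment is reachable only through a jump host, and the only permitted
conduit into it is Modbus/TCP (502) from that jump host. Intra-zone traffic
is allowed; legacy devices must never open connections out of the zone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Constructed addresses for the example (assumptions, not from the page).
LEGACY_ZONE = ip_network("10.20.0.0/24")   # assumed Purdue level 1-2 legacy segment
JUMP_HOST = ip_address("10.10.0.5")        # assumed jump server / bastion host
ALLOWED_CONDUITS = {("tcp", 502)}          # assumed: Modbus/TCP only


@dataclass(frozen=True)
class Flow:
    ts: str
    src: object      # IPv4Address or IPv6Address from ip_address()
    sport: int
    dst: object
    dport: int
    proto: str


@dataclass(frozen=True)
class Finding:
    flow: Flow
    verdict: str     # "allow" or "violation"
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src sport dst dport proto."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, ip_address(src), int(sport), ip_address(dst), int(dport), proto.lower())


def evaluate(flow: Flow) -> Optional[Finding]:
    """Apply the zone-and-conduit policy to a single flow."""
    src_in = flow.src in LEGACY_ZONE
    dst_in = flow.dst in LEGACY_ZONE
    if not (src_in or dst_in):
        return None  # does not touch the legacy zone; out of scope for this check
    if src_in and dst_in:
        return Finding(flow, "allow", "intra-zone traffic")
    if dst_in:
        # Inbound: must come from the jump host AND use a permitted conduit.
        if flow.src != JUMP_HOST:
            return Finding(flow, "violation", f"inbound from non-jump host {flow.src}")
        if (flow.proto, flow.dport) not in ALLOWED_CONDUITS:
            return Finding(flow, "violation",
                           f"inbound {flow.proto}/{flow.dport} is not a permitted conduit")
        return Finding(flow, "allow", "permitted conduit via jump host")
    # Outbound from the legacy zone: a PLC/HMI should not initiate this.
    return Finding(flow, "violation",
                   f"legacy host {flow.src} initiated outbound connection to {flow.dst}")


def evaluate_flows(lines: Iterable[str]) -> List[Finding]:
    """Evaluate all records, skipping blanks and comments; keep in-scope findings only."""
    findings: List[Finding] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        result = evaluate(parse_flow(line))
        if result is not None:
            findings.append(result)
    return findings


def violations(lines: Iterable[str]) -> List[Finding]:
    """Only the findings that should raise an alert."""
    return [f for f in evaluate_flows(lines) if f.verdict == "violation"]


# Constructed sample flow log for the example (format: ts src sport dst dport proto).
SAMPLE_FLOWS = """\
# jump host -> PLC over Modbus/TCP: the one permitted conduit
2024-05-01T08:00:01Z 10.10.0.5  51000 10.20.0.10 502  tcp
# engineering workstation bypassing the jump host
2024-05-01T08:00:05Z 10.10.0.77 51234 10.20.0.10 502  tcp
# jump host, but RDP instead of the permitted conduit
2024-05-01T08:00:09Z 10.10.0.5  51001 10.20.0.10 3389 tcp
# legacy PLC calling out to the internet
2024-05-01T08:00:15Z 10.20.0.10 49152 203.0.113.9 443 tcp
# PLC to HMI inside the zone
2024-05-01T08:00:20Z 10.20.0.10 40000 10.20.0.11 502  tcp
# unrelated IT traffic, not our concern here
2024-05-01T08:00:25Z 192.168.1.2 5555 192.168.1.3 80  tcp
"""

if __name__ == "__main__":
    for f in evaluate_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{f.flow.ts} {f.verdict:9} {f.flow.src}:{f.flow.sport} -> "
              f"{f.flow.dst}:{f.flow.dport}/{f.flow.proto}  {f.reason}")
```

The policy is deliberately asymmetric: inbound traffic is judged on both source and conduit, while any outbound connection initiated from the legacy zone is flagged regardless of destination, because a legacy PLC or HMI has no business opening sessions outwards and such a flow is a strong anomaly signal when patching is not an option.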
📌 In summary
Legacy systems are outdated but functional systems that often support critical processes in OT. Owing to their lack of modern security, they require specific mitigation strategies to keep risk under control.
