Legacy Tech That Needs to Go
Legacy tech is still well entrenched in many industries. It can lead to business disruptions, cyberattacks or even public safety issues.
We’ve all heard the horror stories: Windows 7 in government, mission-critical mainframe systems that can’t be retired -- but for how many more decades? At some point, technology ages too much to be practical or even safe.
One example is the critical infrastructure industry. According to Erich Kron, security awareness advocate at KnowBe4, a platform that addresses the human part of cybersecurity, the legacy equipment used to manage power, water and other critical infrastructure services is old and can be difficult or cost-prohibitive to upgrade. While the equipment can be designed to last 20, 30, or even 50 years before having to be overhauled or replaced, the technology managing these systems quickly gets out of date.
“For critical systems, even upgrading some equipment can be challenging. Many of these systems are designed to failover, however if the redundant system is taken offline for an update or upgrade, the system is now at risk of a critical failure, so doing it can be a risk,” says Kron in an email interview. “Planning and testing for retrofitting and upgrading is a critical part of upgrading our critical infrastructure. Failure to plan and test thoroughly could leave a population without a critical service such as water or electricity for a long time."
Industrial control systems have long been an area of focus for cybersecurity vendors and consultants because, depending on their design and placement, they may be ripe for cyber or physical compromise.
"Instead of replacing everything, consideration should be given to how to protect what is in place. Isolating the control systems and their network and providing very limited access can go a long way toward securing systems,” says Kron. “Ensuring that cybersecurity experts are consulted when designing and changing system access methods, especially remote ones, and conducting penetration tests on a regular basis can help. By putting modern systems and security controls in front of the old ones, organizations have a better chance of keeping bad actors out of these antiquated systems.”
Organizations that have existed for many decades or more than a century can have systems in place that are so old that the programming languages or hardware has been forgotten by all but a few people. Documentation is often missing or so outdated it is almost useless.
“I know of one instance with medical equipment where a robotic arm used in testing was controlled by an old 386 computer,” says Kron. “When 486 computers were put in place, they discovered that the speed the arm moved was tied to the CPU clock in the code, so the new computers would cause the robotic arm to damage itself because it moved too quickly. This equipment was part of a previous acquisition and the people who wrote the code were long gone.”
Act Before a Crisis Occurs
Slav Kulik, CEO and co-founder of software development company Plan A Technologies, says his staff has seen some “pretty unbelievable” examples of legacy tech that should have been retired long ago.
“[N]othing lasts forever. Technology left alone will age to the point where it is no longer practical, much less reliable, or even safe,” says Kulik. “Initially, I think the neglect is easy to rationalize. There is only so much money and so much time. Updating software that, on the surface, seems to be running smoothly isn’t a particularly exciting initiative [so] tech becomes painfully out-of-date.”
As the delays continue, the risks rise. Still, if the software or hardware is still working, it’s still easy to fall victim to a false sense of security. Business owners and executives figure they can wait a bit longer to address the issue until the truth becomes too obvious to ignore.
“By then, data is often lost, systems crash, security breaches happen and all the other nasty things that every IT person dreads begin to come true,” says Kulik. “What’s disappointing about this is that those issues are usually preventable. It’s a little like feeling a strange pain but not going to the doctor to get it checked out. A little early prevention can often address what can otherwise become a life-threatening condition.”
To avoid that fate, he suggests IT departments do the following:
Know the legacy tech’s lifespan. If you don’t, you’re setting yourself up for an unpleasant surprise down the road.
Conduct a regular tech audit. Otherwise, risk staying in the dark.
Break the effort down into phases. The thought of doing a massive overhaul often sparks panic. But tackling the challenge in a staged approach allows for smaller steps that enable the organization to make steady progress at a manageable pace.
Heed the data. A data-driven approach can help prioritize what needs to be addressed, targeting where the modernization is most urgent. You may even uncover underutilized resources that serve as good news during what can be a highly trying time.
Stay informed about new trends and innovation. Some teams have no idea of what else is available. They continue to do things the way they did 25 years ago, missing countless opportunities for efficiency, security, scalability, cost reduction and other improvements.
Include end users. By actively getting feedback from end users, you can ensure you create what you need to create. This also helps you quickly flag any problems that may emerge during the modernization.
According to Kulik, “Make sure you never wind up with a culture where you only address these matters after a problem occurs. Instead, make sure you regularly ask, ‘What’s being done to update our legacy tech or at least make sure it’s still functioning properly?’ If no one knows the answer, be nervous, and if no one even knows how to find the answer, get help!”
Beware of Highly Specialized Systems
Cybersecurity and technology consultant Michael Hasse says the root cause of legacy system problems is typically highly specialized systems from third-party vendors. The problem is especially prevalent in the manufacturing sector, but also physical security, such as door controls, environmental systems like HVAC, industrial controls, and medical equipment.
In these industries, there are a few high-priced vendors that all-in-one solutions and a selection of lower-priced options that are adequate for the task at hand.
“The catch is that specialized systems have specialized development processes and, especially in the case of life safety, quite a few regulatory hoops to jump through before a product can be sold,” says Hasse. “The net result is that these vendors simply cannot keep pace with the rate of technology change. As such, they tend to ignore new developments until they are forced to, and then there may still be some years delay before a product can be deployed to their customers.”
Meanwhile, technology support teams are trying to deal with the situation as best they can, quite often choosing to isolate those systems completely, or if they must be connected for some reason, going to extreme measures to control the allowed connections.
“The great irony [is] that the cost of dealing with lower quality products later in their lifecycle is substantially higher than the savings derived from the original choice to use them. This is compounded when they are not dealt with at all, potentially leading to breaches and actual damage,” says Hasse. “In short, long-term support and security should be one of the most important considerations when selecting a vendor, with a closely critical eye towards their past track record in that regard.”
Bottom Line
It’s not uncommon for legacy tech to exceed vendor support. Similarly, proprietary legacy systems may suffer because the expertise that built them is no longer available, or the skills needed to work with them are few and far between. Though organizations have been building around and on top of these systems, such as to provide mobile access or more modern capabilities, the underlying tech won’t last forever.
The real questions are how long will the legacy tech last and how will the company that owns it achieve a smooth modernization path?
About the Author
You May Also Like