Protecting Unpatchable OT Assets: Securing Legacy PLCs and Control Systems
The Unpatchable Core: When Your Most Critical Assets Are Your Most Vulnerable
That PLC controlling your safety system was designed before network-borne attacks were a design consideration. It cannot be updated without putting the process at risk, cannot run endpoint security, and may well be your largest unaddressed risk.
At the heart of every mature industrial operation lies this paradox: the most reliable, critical systems are often the most vulnerable. Decades-old PLCs, RTUs, and DCS controllers were engineered for 20-year service lives in an era of physical isolation. They lack modern security features, and attempting firmware updates often risks catastrophic operational failure. The traditional IT security model of "patch and protect" collapses when facing these industrial realities.
The Anatomy of an Unpatchable Asset
Consider the Siemens S7-300 PLC. A large installed base remains in service worldwide, much of it running critical processes. When researchers disclosed vulnerabilities in the S7-300 communication stack, the textbook remediation was a firmware update. But for operators of chemical plants and water treatment facilities, that "solution" was often worse than the vulnerability: the update process itself risked controller failure, configuration loss, or unexpected behaviour that could trigger production shutdowns or safety events.
This scenario repeats across every industrial sector. The fundamental challenges are baked into the hardware:
- Architectural Immutability
- Legacy controllers have no processing headroom for encryption, secure boot, or on-device monitoring. Their real-time operating systems prioritize determinism over security, leaving no capacity for additional security functions.
- Update Roulette
- Even when patches exist, the risk of applying them often outweighs the benefit. A failed update can mean days of production downtime, while a successful one can introduce compatibility issues with existing control logic or with the engineering software version the site depends on to maintain it.
- Vulnerability Proliferation
- ICS-specific vulnerability disclosures have grown steadily year over year. Many affect equipment still in widespread use, creating a growing gap between known vulnerabilities and feasible remediation.
The Strategic Shift: From Changing Assets to Changing Environments
The breakthrough comes from abandoning the impossible goal of securing the device itself and focusing instead on securing everything around it. This environmental approach recognizes that while you can't modify the PLC, you can absolutely control who talks to it, how they communicate, and what commands they're allowed to send.
This represents a fundamental mindset shift from IT-centric thinking to OT-aware security. Instead of trying to make vulnerable devices secure, we constrain their environment so tightly that an attacker is left with no usable path to reach them.
The Three Layers of Compensating Controls
Effective protection for unpatchable assets requires a defense-in-depth strategy that operates at multiple levels simultaneously:
- 1. Virtual Patching: Blocking Exploits Before They Arrive
- Virtual patching uses OT-aware firewalls to intercept and inspect traffic destined for vulnerable systems. When a known exploit attempt is detected - such as a malformed packet targeting a specific firmware vulnerability - the firewall blocks it before it reaches the target device.
- Think of virtual patching as installing a security filter upstream of your vulnerable assets. It doesn't change the device's inherent vulnerability, but it prevents that vulnerability from being exploited. This approach is particularly valuable for legacy systems where the window between vulnerability disclosure and exploit attempt can be measured in days, while the operational window for applying physical patches might be measured in years. Two caveats: a virtual patch only covers exploits that someone has written a signature for, and a signature that matches on packet shape can also match legitimate engineering traffic, so run new rules in alert-only mode against real traffic before allowing them to block.
- 2. Strict Network Containment: Controlling Communication Paths
- This is where your segmentation strategy delivers concrete protection for vulnerable assets. By enforcing zone-and-conduit rules (the IEC 62443 terms) down to the level of individual devices, you ensure that legacy devices can only communicate with explicitly authorized partners over explicitly authorized protocols.
- A 15-year-old HMI might need to read data from specific PLCs but should never be able to communicate with engineering workstations. A legacy controller might need to exchange data with its I/O modules but should never receive connections from the corporate network. Network containment turns your segmentation architecture into a protective cage for vulnerable assets.
- 3. Protocol Monitoring: Detecting Malicious Commands
- The most sophisticated attacks don't use known exploits - they use legitimate protocol commands for malicious purposes. An attacker who gains network access might send a "stop" command to a critical motor or modify a temperature setpoint to dangerous levels.
- Protocol-aware monitoring analyzes the content of industrial communications, not just their source and destination. By understanding what constitutes normal behavior for each device, these systems can detect and alert on anomalous commands - like a write command to a critical register from an unauthorized IP address, or a sequence of operations that violates process logic. Most deployments are passive, fed from a SPAN port or network TAP, so they add no latency to the control loop; the trade-off is that they detect rather than block, and enforcement still has to come from an inline element such as the firewall in the first layer.
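As an added example (not code from the original article or from any vendor's product), the following Python sketch puts all three layers in front of a PLC speaking Modbus/TCP: an allow-list of conversations for containment, a malformed-frame and unused-function-code check as the virtual patch, and write inspection for protocol monitoring. Every address, function code, register number and limit in it is an assumed value chosen for the example; in practice they come from the communication path analysis in the next section. Because Modbus carries no authentication, "who is writing" can only mean the source address, which is why these checks belong on a boundary the attacker cannot cross rather than on the PLC.

```python
"""Added example: one inspection point applying the three compensating layers to a
Modbus/TCP request bound for an unpatchable PLC. All addresses, function codes,
registers and limits are assumed for the example, not taken from any real plant."""
import struct
from dataclasses import dataclass

# Public Modbus function codes used below
FC_READ_HOLDING = 0x03
FC_WRITE_COIL = 0x05
FC_WRITE_REG = 0x06
FC_WRITE_COILS = 0x0F
FC_WRITE_REGS = 0x10
WRITE_FCS = {FC_WRITE_COIL, FC_WRITE_REG, FC_WRITE_COILS, FC_WRITE_REGS}

# --- policy, all assumed for the example --------------------------------------
PLC = "10.0.2.5"
ALLOWED_PAIRS = {("10.0.1.10", PLC),    # HMI -> PLC
                 ("10.0.1.20", PLC)}    # historian -> PLC (reads only, see AUTHORISED_WRITERS)
AUTHORISED_WRITERS = {"10.0.1.10"}      # Modbus has no authentication: "who" is the source IP
BLOCKED_FCS = {0x08, 0x2B}              # diagnostics / encapsulated transport: never used here
REGISTER_LIMITS = {100: (0, 250)}       # holding register 100: temperature setpoint, degC
CRITICAL_COILS = {7}                    # coil 7: feed pump run command


@dataclass
class Verdict:
    action: str   # "allow", "block" or "alert"
    layer: str    # "containment", "virtual-patch" or "monitoring"
    reason: str


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (unit id, PDU); raise ValueError if the MBAP header lies."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:    # the length field counts unit id + PDU
        raise ValueError(f"length field {length} disagrees with {len(frame) - 6} bytes on the wire")
    return unit, frame[7:]


def inspect(src: str, dst: str, frame: bytes) -> Verdict:
    """Decide what to do with one request; cheapest, broadest check first."""
    # Network containment: unknown conversations never reach the parser
    if (src, dst) not in ALLOWED_PAIRS:
        return Verdict("block", "containment", f"{src} -> {dst} is not an allow-listed conversation")
    # Virtual patching: malformed frames and function codes the plant never uses
    try:
        _unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        return Verdict("block", "virtual-patch", str(exc))
    fc = pdu[0]
    if fc in BLOCKED_FCS:
        return Verdict("block", "virtual-patch", f"function code 0x{fc:02x} is not used in this plant")
    if fc not in WRITE_FCS:
        return Verdict("allow", "monitoring", "read request")
    # Protocol monitoring: who may write, to which address, with which values
    if src not in AUTHORISED_WRITERS:
        return Verdict("block", "monitoring", f"write 0x{fc:02x} from unauthorised writer {src}")
    if fc in (FC_WRITE_REG, FC_WRITE_COIL):
        if len(pdu) < 5:
            return Verdict("block", "virtual-patch", "truncated single-write PDU")
        addr, value = struct.unpack(">HH", pdu[1:5])
        if fc == FC_WRITE_REG:
            lo, hi = REGISTER_LIMITS.get(addr, (0, 0xFFFF))
            if not lo <= value <= hi:
                return Verdict("alert", "monitoring", f"setpoint {value} for register {addr} outside [{lo}, {hi}]")
        elif addr in CRITICAL_COILS and value == 0x0000:   # 0x0000 = coil off, 0xFF00 = on
            return Verdict("alert", "monitoring", f"stop command to critical coil {addr}")
    # Multi-register/coil writes (0x0F, 0x10) pass the writer check only; range-checking them is left out here
    return Verdict("allow", "monitoring", "write within policy")


def build_frame(fc: int, addr: int, value: int, tid: int = 1, unit: int = 1) -> bytes:
    """Construct a Modbus/TCP request with a 5-byte PDU (used here only for test traffic)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    hmi, corp = "10.0.1.10", "10.0.5.7"
    tampered = bytearray(build_frame(FC_WRITE_REG, 100, 80))
    tampered[5] = 0x20                                           # lie about the MBAP length
    for who, frame in [(hmi, build_frame(FC_READ_HOLDING, 0, 10)),    # allow
                       (corp, build_frame(FC_READ_HOLDING, 0, 10)),   # block: containment
                       (hmi, bytes(tampered)),                        # block: virtual patch
                       (hmi, build_frame(FC_WRITE_REG, 100, 400)),    # alert: setpoint out of range
                       (hmi, build_frame(FC_WRITE_COIL, 7, 0x0000))]: # alert: pump stop
        print(who, inspect(who, PLC, frame))
```

The order of checks is deliberate: containment is the cheapest test and discards most hostile traffic before the parser sees a byte, and the parser's own length check is what turns a whole class of malformed-frame exploits into a single block decision. The setpoint range and the coil check are the monitoring layer's answer to the "legitimate command, malicious intent" problem: the write is well-formed and comes from the right host, and it is still worth an alert.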
Building Your Legacy Asset Protection Program
Implementing effective compensating controls requires more than just deploying technology. The most successful programs follow a structured approach:
- 1. Risk-Based Prioritization
- Not all unpatchable assets deserve equal protection. Focus your efforts on systems where compromise would cause safety incidents, environmental damage, extended downtime, or quality problems. A risk matrix that considers both vulnerability severity and operational criticality ensures resources are allocated where they matter most.
- 2. Communication Path Analysis
- Understanding normal communication patterns is prerequisite to controlling them. This requires detailed documentation of which devices need to talk to each other, using which protocols, and for what purpose. This analysis often reveals unnecessary connections that can be eliminated, reducing the attack surface.
- 3. Defense in Depth Integration
- Compensating controls work best when they work together. A virtual patch blocks known exploits, while protocol monitoring catches abuse of legitimate commands that no signature would match. Network containment limits the exposure, while session logging provides forensic capabilities. The layers should reinforce each other, creating a security fabric that's greater than the sum of its parts.
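As an added example of step 2 (and of the "monitor for any deviation from established communication patterns" advice in the FAQ below), here is a Python sketch, not from the original article, that learns which hosts actually talk to a legacy PLC from passively collected flow records, reconciles that with the documented requirement, and then flags any conversation outside the approved set. The addresses, ports, flow records and rule syntax are constructed for the example.

```python
"""Added example: learn a legacy asset's real conversations, reconcile them with what the
communication path analysis documented, and flag deviations afterwards. Addresses, ports
and flow records are constructed for the example."""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Set, Tuple

Peer = Tuple[str, int]             # (client address, server port on the asset)
Flow = Tuple[str, str, int, int]   # (src, dst, dst_port, bytes)

# What the analysis documented as required (assumed): the PLC at 10.0.2.5 needs only the HMI
# and the historian, both over Modbus/TCP.
DOCUMENTED: Dict[str, Set[Peer]] = {
    "10.0.2.5": {("10.0.1.10", 502), ("10.0.1.20", 502)},
}

# Constructed flow records from a passive learning window (SPAN/TAP, nothing sent to the asset).
# Two conversations nobody documented: an engineering workstation on S7comm (tcp/102) and a host
# in another subnet reaching the PLC's embedded web server (tcp/80).
LEARNING_WINDOW = """\
src,dst,dst_port,bytes
10.0.1.10,10.0.2.5,502,18300
10.0.1.20,10.0.2.5,502,90210
10.0.1.30,10.0.2.5,102,4110
10.0.1.10,10.0.2.5,502,17990
10.0.3.9,10.0.2.5,80,1200
"""


def parse_flows(text: str) -> List[Flow]:
    return [(r["src"], r["dst"], int(r["dst_port"]), int(r["bytes"]))
            for r in csv.DictReader(StringIO(text))]


def learn_baseline(flows: List[Flow], asset: str) -> Counter:
    """Count flows per (client, port) in which `asset` was the server."""
    return Counter((src, port) for src, dst, port, _ in flows if dst == asset)


def reconcile(asset: str, baseline: Counter) -> Dict[str, Set[Peer]]:
    """Learned is not the same as approved: an attacker active during the learning window
    would look 'normal'. Split observed conversations into approved (documented and seen),
    undocumented (decide: document it or eliminate it) and unseen (documented but idle:
    stale documentation, or a rarely used but required path such as a backup link)."""
    required = DOCUMENTED.get(asset, set())
    observed = set(baseline)
    return {"approved": observed & required,
            "undocumented": observed - required,
            "unseen": required - observed}


def detect_deviations(flows: List[Flow], asset: str, approved: Set[Peer]) -> List[Flow]:
    """Once the approved set is enforced, any other conversation with the asset is an alert."""
    return [f for f in flows if f[1] == asset and (f[0], f[2]) not in approved]


def allowlist_rules(asset: str, approved: Set[Peer]) -> List[str]:
    """Render the approved set in a vendor-neutral rule syntax (assumed, not any product's)."""
    rules = [f"allow tcp from {peer} to {asset} port {port}" for peer, port in sorted(approved)]
    return rules + [f"deny any to {asset}"]


if __name__ == "__main__":
    plc = "10.0.2.5"
    baseline = learn_baseline(parse_flows(LEARNING_WINDOW), plc)
    split = reconcile(plc, baseline)
    for bucket, peers in split.items():
        print(bucket, sorted(peers))
    print("\n".join(allowlist_rules(plc, split["approved"])))
    later = [("10.0.4.4", plc, 502, 300), ("10.0.1.10", plc, 502, 500)]
    print("deviations:", detect_deviations(later, plc, split["approved"]))
```

The split into approved, undocumented and unseen is the point of the exercise. A learned baseline is evidence, not policy: a learning window long enough to capture a monthly backup job is also long enough for an attacker already on the network to be recorded as "normal", so every undocumented conversation gets a human decision (document it or eliminate it) before the allow-list is enforced.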
The Operational Reality Check
The theoretical elegance of compensating controls must survive contact with operational realities. Three considerations often determine success or failure:
- Performance Impact Assessment
- Every inline security control introduces some latency. The key is understanding what each process can tolerate: a high-speed protection or motion loop might tolerate only microseconds of added delay, while a batch process might tolerate milliseconds or more. The control strategy must match the operational tolerance, which is one reason passive monitoring is preferred where inline enforcement would be too slow.
- Availability Requirements
- Compensating controls must not become single points of failure. Deploying redundant security appliances, configuring bypass capabilities for maintenance, and deciding explicitly whether an inline appliance fails open or fails closed (and documenting why) are essential for maintaining operational reliability. Fail-closed protects the asset but takes the process down with the appliance; fail-open keeps the process running but leaves the asset exposed until the appliance recovers.
- Lifecycle Management
- The systems protecting your legacy assets have their own lifecycle requirements. Firmware updates, rulebase maintenance, and monitoring system health become ongoing responsibilities. The protection system itself must be maintainable.
One power generation facility demonstrated the approach when it discovered a critical vulnerability in the controllers managing its turbine systems. Rather than attempting a risky plant-wide firmware update, it deployed virtual patching at key network boundaries. The implementation was completed during normal operations, with zero downtime, and blocked the specific exploit without touching the controllers themselves.
Answering Some Frequently Asked Questions
This is where the principle of "assume compromise" becomes valuable. For truly orphaned assets, focus on extreme network containment and behavioral monitoring. Limit communications to the absolute minimum required for operation, and monitor for any deviation from established communication patterns. The goal shifts from preventing specific known attacks to detecting any anomalous behavior that might indicate compromise.
This misunderstands the nature of security risk. Risk is a function of threat, vulnerability, exposure and impact. Compensating controls don't remove the vulnerability, but they remove the exposure: an attacker now has to defeat the containment and the inline filtering before the flaw is even reachable, which cuts the likelihood of exploitation sharply. A vulnerability that cannot be reached contributes very little to risk, but it should stay on the asset register, because the day someone quietly removes the control in front of it, the risk returns in full.
Frame the investment in terms of operational risk rather than asset value. The question isn't "How much is this old PLC worth?" but "What would it cost if this PLC were compromised?" The business case should focus on preventing production downtime, safety incidents, or environmental consequences - costs that often dwarf the investment in protective controls.
Temporary access controls should be part of your design. Modern security systems allow for time-bound policy exceptions that grant maintenance teams the access they need for specific windows, then automatically restore stricter controls. Each exception should carry a work-order or change reference, a hard expiry and a log entry, so that "temporary" never silently becomes permanent. This approach maintains security while enabling necessary operational activities.
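As an added example (not from the original article), a short Python model of such a time-bound exception: a maintenance rule is admitted only with a change reference and a bounded window, is part of the effective policy only while that window is open, and disappears without anyone having to remember to revoke it. The standing policy, the addresses, the ticket format and the eight-hour cap are assumed values for the example.

```python
"""Added example: time-bound maintenance exceptions that widen the policy for one window
and fall away on their own. Standing policy, addresses, ticket format and the 8-hour cap
are assumed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, str, int]                                      # (src, dst, dst_port)
STANDING_POLICY: Set[Rule] = {("10.0.1.10", "10.0.2.5", 502)}   # HMI -> PLC, Modbus/TCP
MAX_WINDOW = timedelta(hours=8)                                  # assumed plant rule: one shift at most
T0 = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)             # start of the example's maintenance day


@dataclass(frozen=True)
class MaintenanceException:
    rule: Rule
    ticket: str            # work order / change reference the exception is traceable to
    starts: datetime
    ends: datetime


def request_exception(rule: Rule, ticket: str, starts: datetime, hours: float) -> MaintenanceException:
    """Refuse open-ended or untraceable exceptions; they are how 'temporary' becomes permanent."""
    if not ticket.strip():
        raise ValueError("exception needs a change or work-order reference")
    if starts.tzinfo is None:
        raise ValueError("start time must be timezone-aware")
    window = timedelta(hours=hours)
    if window <= timedelta(0) or window > MAX_WINDOW:
        raise ValueError(f"window must be longer than 0 and at most {MAX_WINDOW}")
    return MaintenanceException(rule, ticket, starts, starts + window)


def effective_policy(now: datetime, exceptions: Iterable[MaintenanceException]) -> Set[Rule]:
    """Standing rules plus whichever exceptions are live at `now`; expiry needs no human action."""
    return STANDING_POLICY | {e.rule for e in exceptions if e.starts <= now < e.ends}


def audit(now: datetime, exceptions: Iterable[MaintenanceException]) -> List[str]:
    """One line per exception with its current state, for the change record."""
    lines = []
    for e in exceptions:
        state = "pending" if now < e.starts else "live" if now < e.ends else "expired"
        lines.append(f"{e.ticket}: {e.rule[0]} -> {e.rule[1]}:{e.rule[2]} "
                     f"{e.starts.isoformat()}..{e.ends.isoformat()} [{state}]")
    return lines


if __name__ == "__main__":
    # Vendor engineering workstation needs S7comm (tcp/102) to the PLC for a four-hour job
    vendor = request_exception(("10.0.9.2", "10.0.2.5", 102), "CHG-1234", T0, hours=4)
    for hour in (7, 9, 13):
        now = T0.replace(hour=hour)
        print(now.isoformat(), sorted(effective_policy(now, [vendor])))
    print("\n".join(audit(T0.replace(hour=13), [vendor])))
```

The rule for the vendor workstation exists in the policy only between 08:00 and 12:00; evaluating the policy at 13:00 yields the standing rule set again with nobody having touched the firewall. The audit line is what a later reviewer uses to match the window in the firewall log against the work order.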
A centralized management platform is essential for visibility and control. The goal should be a single pane of glass that shows security policies across virtual patching, network segmentation, and protocol monitoring. This unified view makes it possible to maintain consistency and identify gaps in your protective coverage.
Yes - when the operational risk exceeds acceptable thresholds. Systems with vulnerabilities that could lead to life-threatening situations, environmental catastrophe, or business-ending downtime may require immediate replacement despite the cost. The decision should be based on a rigorous risk assessment that considers both likelihood and impact of compromise.
From Vulnerable to Protected - Without Touching the Asset
The inability to patch critical systems doesn't mean you must accept their vulnerabilities. The technologies and methodologies to protect legacy assets through environmental controls are proven and available today.
Subscribe to the Link & Layer | Smart Learning Hub to receive our "Legacy Asset Protection Framework," including risk assessment templates, configuration guides for major industrial security platforms, and case studies demonstrating how organizations have secured their most vulnerable systems without operational disruption.
Your unpatchable assets don't have to be unprotected assets. Build the fortress around them.