Rules and Guidelines
Want to participate in the discussions? Please read our Community Rules and Guidelines. Need some help? Visit Support and Answers.

  • Replies 4 replies
  • Subscribers 21 subscribers
  • Views 1124 views
  • Users 0 members are here
Options
You may also be interested in

Retrofitting Legacy Control Systems to Tackle Evolving OT Cyber Threats

Taimur

Hi everyone,

I’m new to the EngX community and looking forward to learning from you all. I’d like to start a conversation about something I think many of us face and that is updating legacy control systems in power plants and other critical infrastructure, especially when it comes to growing OT cyber threats.

Lot of these systems were designed decades ago, with reliability in mind but little thought given to cybersecurity. Today, they’re exposed to new risks that weren’t imagined back then. The challenge is finding a way to retrofit these systems efficiently and without tearing everything apart or causing long periods of downtime.

In the UK, where our energy and infrastructure systems are heavily relied upon, even a small disruption can create big problems. So how do we make these updates both secure and practical?

I’m particularly interested in hearing how others have approached efficient retrofitting and what worked, what didn’t, and how you balanced the iron triangle of cost, time, quality and scope. Are there certain strategies or tools that helped modernize your systems without overhauling them completely.

Would love to hear your thoughts and experiences.

Thanks,

Taimur | MIET 

  • Control systems many decades old are likely entirely immune to cyber threats - being simpler electronic or electromechanical systems with little or no "smart" components and certainly no internet connection. Therein lies a lesson I think. As for existing more vulnerable systems, building rings of security around them - e.g. either physically separating them from the internet completely or at least hiding them behind multiple layers of firewalls or similar, together with physical access security, will keep the majority of the black hats out. Nothing's ever 100% secure though -  as has been demonstrated relatively recently in the middle east, with enough time, money, effort and determination, anything can be infiltrated - even if it means going back to original equipment manufacturing where destructive components can be incorporated before the end users even take possession of them.

       - Andy.

  • Hi everyone, and thank you for starting this important discussion.

    As someone working in the ICS/OT domain, I’ve seen first-hand how challenging it is to modernise legacy control systems in critical infrastructure—especially in sectors like power generation, where uptime, safety, and compliance are non-negotiable.

    You're absolutely right—many of these systems were built for reliability and longevity, not cybersecurity. But today, with increasing OT cyber threats and growing interconnectivity, we can't afford to ignore the risks. That said, a full system overhaul isn’t always feasible. I’ve found that successful retrofitting lies in balancing risk reduction with practical constraints like time, cost, and operational disruption.

    Here are a few approaches I’ve seen work in practice:

    Small blue diamond Risk-based retrofits using tools like Cyber-PHA or CyberHAZOP to prioritise high-impact upgrades.
     Small blue diamond Network segmentation and DMZs to isolate legacy equipment from enterprise IT and internet-connected systems.
     Small blue diamond Compensating controls such as protocol-aware intrusion detection, application whitelisting on HMIs, and read-only historian interfaces.
     Small blue diamond Secure remote access using jump servers with multi-factor authentication, session recording, and time-bound permissions.
     Small blue diamond Standards-based frameworks like IEC 62443 and NCSC’s Cyber Assessment Framework (CAF) to structure retrofit plans and align with regulatory expectations.

    One strategy that’s worked particularly well is the “wrapper” approach—layering modern protections and interfaces around legacy assets, allowing phased upgrades and limiting downtime. Conversely, what hasn't worked well is trying to lift-and-shift IT tools into OT environments without accounting for latency, determinism, or vendor lock-in.

    I'd be really interested to hear from others here:

    • Have you used similar strategies, or different ones that worked better?

    • What lessons have you learned in terms of balancing security, cost, and uptime during upgrades?

    - Simha

  • If it were up to me I would seriously consider banning all microprocessor relays from swtichgear feeding critical infrastructure - or at least mandate a electromagnetic back-up relays.

    Anything that contains a microchip is subject to supply chain attacks. For example, imagine a hidden backdoor in the chip that renders it inoperable after x years of use etc. etc. If this were to be installed without detection it could cause total chaos given the highly centralized supply of such devices.

    We are constantly being told by our own government that our threat model should include state actors. State actors are more than capable of inserting hardware back doors into devices.

    The fact is that older simpler control systems - particularly if air-gaped - have a much smaller attack surface and are therefore much more resilient to cyber threats.

  • Hi everyone,


    I’ve worked on retrofitting a power plant originally commissioned in 1991, which we upgraded in 2023 to include remote monitoring and control from a central control room. The project involved integrating two different vendor control systems, and I’d like to share some high-level lessons learned that may help others facing similar challenges:

    1. Early Stakeholder Engagement & Site Surveys
    Engaging stakeholders early, especially OT and cybersecurity teams and conducting multiple site surveys proved invaluable. These steps helped us gain technical understanding of the legacy systems and identify potential risks upfront. Setting expectations early with all parties helped streamline decision.

    2. Structured Engineering Approach Using IEC 61508
    We followed a gated verification and validation model inspired by IEC 61508, even for OT systems. This included:

    -Getting architecture drawings and Functional Design Specifications (FDS) approved early.
    -Progressing through detailed design and testing stages in a structured manner.

    This approach helped manage risks and ensured clarity in networking and system integration.

    3. Safety Systems: Keep It Simple and Isolated
    For safety-critical systems, simplicity and isolation are key. We avoided complex or “smart” relays and emphasized regular proof testing to maintain reliability and reduce cybersecurity exposure.

    4. Pre-Outage Testing
    Conducting the majority of tests before the outage is always a success factor. This included:

    Network compatibility testing.
    -Installing network interfaces outside the control system scope early.
    -Using virtual machines to simulate and validate connectivity.
    This allowed the customer to perform penetration testing well in advance, reducing surprises during commissioning.

    5. Contractor Engagement
    If third-party contractors are involved, include them in site surveys. This improves their understanding of the project scope and helps in obtaining more accurate and competitive quotes.

    Most of the key OT considerations have already been well covered in this thread, but I hope these additional insights help others planning similar upgrades. Happy to discuss further if anyone has questions.

Community Rules & Guidelines