Retrofitting Legacy Control Systems to Tackle Evolving OT Cyber Threats

Hi everyone,

I’m new to the EngX community and looking forward to learning from you all. I’d like to start a conversation about something I think many of us face: updating legacy control systems in power plants and other critical infrastructure, especially when it comes to growing OT cyber threats.

A lot of these systems were designed decades ago, with reliability in mind but little thought given to cybersecurity. Today, they’re exposed to new risks that weren’t imagined back then. The challenge is finding a way to retrofit these systems efficiently, without tearing everything apart or causing long periods of downtime.

In the UK, where our energy and infrastructure systems are heavily relied upon, even a small disruption can create big problems. So how do we make these updates both secure and practical?

I’m particularly interested in hearing how others have approached efficient retrofitting: what worked, what didn’t, and how you balanced the iron triangle of cost, time, quality and scope. Are there certain strategies or tools that helped modernize your systems without overhauling them completely?

Would love to hear your thoughts and experiences.

Thanks,

Taimur | MIET 

  • Hi everyone, and thank you for starting this important discussion.

    As someone working in the ICS/OT domain, I’ve seen first-hand how challenging it is to modernise legacy control systems in critical infrastructure—especially in sectors like power generation, where uptime, safety, and compliance are non-negotiable.

    You're absolutely right—many of these systems were built for reliability and longevity, not cybersecurity. But today, with increasing OT cyber threats and growing interconnectivity, we can't afford to ignore the risks. That said, a full system overhaul isn’t always feasible. I’ve found that successful retrofitting lies in balancing risk reduction with practical constraints like time, cost, and operational disruption.

    Here are a few approaches I’ve seen work in practice:

    • Risk-based retrofits using tools like Cyber-PHA or CyberHAZOP to prioritise high-impact upgrades.
    • Network segmentation and DMZs to isolate legacy equipment from enterprise IT and internet-connected systems.
    • Compensating controls such as protocol-aware intrusion detection, application whitelisting on HMIs, and read-only historian interfaces.
    • Secure remote access using jump servers with multi-factor authentication, session recording, and time-bound permissions.
    • Standards-based frameworks like IEC 62443 and NCSC’s Cyber Assessment Framework (CAF) to structure retrofit plans and align with regulatory expectations.

    One strategy that’s worked particularly well is the “wrapper” approach—layering modern protections and interfaces around legacy assets, allowing phased upgrades and limiting downtime. Conversely, what hasn't worked well is trying to lift-and-shift IT tools into OT environments without accounting for latency, determinism, or vendor lock-in.

    I'd be really interested to hear from others here:

    • Have you used similar strategies, or different ones that worked better?

    • What lessons have you learned in terms of balancing security, cost, and uptime during upgrades?

    - Simha
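As an added illustration of the "protocol-aware intrusion detection" compensating control mentioned in the reply above (example code written for this thread, not from the original post, any vendor product, or the EngX community), the script below parses Modbus/TCP requests from a capture and flags write function codes that do not originate from an allow-listed engineering workstation. The allow-list address, the sample traffic and the helper that builds it are constructed for the example; the MBAP header layout and the write function codes come from the public Modbus specification.

```python
"""Protocol-aware detection of unauthorised Modbus/TCP writes (added example)."""
import struct
from typing import List, Optional, Tuple

# Modbus function codes that alter controller state (public Modbus spec):
# 5 Write Single Coil, 6 Write Single Register, 15 Write Multiple Coils,
# 16 Write Multiple Registers, 22 Mask Write Register, 23 Read/Write Multiple Registers.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed allow-list: only these hosts may legitimately issue writes to PLCs.
ENGINEERING_WORKSTATIONS = {"10.10.1.5"}

READ, AUTHORISED_WRITE, UNAUTHORISED_WRITE, MALFORMED = (
    "read", "authorised-write", "ALERT: unauthorised write", "malformed")


def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (transaction_id, unit_id, function_code) for a Modbus/TCP frame.

    The MBAP header is 7 bytes: transaction id, protocol id (always 0),
    length (number of bytes following the length field) and unit id; the PDU
    that follows starts with the function code. Returns None when malformed.
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return tid, unit, payload[7]


def classify(src_ip: str, payload: bytes) -> str:
    """Verdict for one request: reads pass, writes need an allow-listed source."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return MALFORMED
    _, _, function_code = parsed
    if function_code not in WRITE_FUNCTION_CODES:
        return READ
    return AUTHORISED_WRITE if src_ip in ENGINEERING_WORKSTATIONS else UNAUTHORISED_WRITE


def scan(traffic: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Classify every (source_ip, payload) pair in a capture."""
    return [(src, classify(src, payload)) for src, payload in traffic]


def alerts(traffic: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Only the events an operator should look at: unauthorised writes and malformed frames."""
    return [(src, v) for src, v in scan(traffic) if v in (UNAUTHORISED_WRITE, MALFORMED)]


def build_frame(tid: int, unit: int, function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request; used here only to construct the sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample capture: (source IP, raw TCP payload).
SAMPLE_TRAFFIC = [
    ("10.10.1.5", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),               # read 10 holding registers
    ("10.10.1.5", build_frame(2, 1, 6, b"\x00\x10\x00\x01")),               # write single register, allowed host
    ("10.20.3.7", build_frame(3, 1, 16, b"\x00\x00\x00\x01\x02\x00\x01")),  # write from a corporate-subnet host
    ("10.20.3.7", b"\x00\x04\x00\x00\x00\x06\x01"),                          # truncated frame
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE_TRAFFIC):
        print(f"{src:12} {verdict}")
```

The check is deliberately stateless and protocol-level: it needs no change to the PLC or HMI, which is the point of a compensating control around legacy kit, and it can sit on a span port or a segment firewall tap. In a real deployment the allow-list would also be keyed on unit id and register ranges, since a legitimate workstation writing to the wrong controller is just as much worth an alert.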

  • Indeed, but physically you've still got a single "box" that's capable of bi-directional communication on both sides, relying on just the software not to pass data in a particular fashion - and software can sometimes be compromised (either bugs or by malicious acts). I'm not saying it's not a useful defence - just not something to rely on as your only barrier. More part of an overall "defence in depth" approach (in the same way that firewalls would only be one layer of defence in a proper system).

       - Andy.

  • Ah, if there is a physical one-way valve, (e.g. opto) and it's not a common system fore and aft of that (e.g. same processor writing and reading from the opto pat), then that would provide more reassurance. But still, multiple layers of defence are often more reliable. Single points can and do fail.

       - Andy.

  • What is your threat model and what does it include? Are we talking about a teenage script kiddie in his bedroom scanning for open ports and running exploits or are we talking about sophisticated state-sponsored actors?

    As others have pointed out, some diodes are glorified packet filters or firewalls and you're putting trust in a single company. This may or may not be a better idea than using open-source solutions that have a decentralised verification model.

  • Updates are done via an air-gapped cloud infrastructure (on a separated connection only open at specific time slots). Basically we effectively "trip the breaker" between our office environment and our power controls.

    Is your network of sufficient importance to attract Stuxnet-type attacks? If so, be aware that they might sit and wait for you to reconnect the network. Or even piggy back on whatever data transfer device you use even if you never connect the network.

  • Hello,

    a data diode is a piece of hardware that enforces a one-way flow of data using physics. It relies on a transmitter (like an LED) on the sensitive side and a receiver (like a photo-sensor) on the corporate side.

    Which means it can stream operational data out to the corporate network, but it is physically impossible for a hacker to send malicious commands in, because there is no transmitter on the receiving end to send data back.

    In our case the cyber vectors are mainly:

    • IT-to-OT Pivoting: Attackers compromise the corporate IT network, then pivot into the OT network due.
    • Exploiting the Decentralized Edge: The rapid integration of millions of decentralized renewable energy sources drastically expands the attack surface. 
    • Legacy OT Protocols: Similar to the rest of the world, older substations still rely on industrial protocols designed without modern encryption or authentication.
    All of this in a highly decentralised energy grid, managed by four major Transmission System Operators (TSOs) and hundreds of regional and municipal DSOs.

    Who is normally attacking?

    • Nation-State Actors (APTs)
    • Cybercriminals
    • Supply Chain Threats

    Cheers,

  • Hello,

    Are there any alternatives to TPM 2.0 and Secure Elements (in our case we use Titan security chips)?

    Cheers,

  • Are there any alternatives to TPM 2.0 and Secure Elements (in our case we use Titan security chips)?

    You're getting beyond my knowledge there.

    But if it's a nation state attacker, assume they can get anything securely signed that needs to be. And that they know all the security flaws that haven't been publicly disclosed yet.

  • I'm no expert but my understanding is that not all such hardware uses one-way physical channels (see Owl_Talon_one_Card_Datasheet_V7.pdf). Even if a fiber optic cable is used, can it be independently verified that no 2-way transceiver is installed, e.g. a hardware backdoor?

    The concept sounds reasonable but I'm just making the point that with security-specific customised hardware you're putting a lot of trust in one vendor, which is potentially a target for supply-chain attacks. Same for so-called "secure element" chips.

  • no 2-way transceiver is installed e.g. hardware backdoor?

    well, in some, shall we say, 'quite important' places the fibres run from place to place in clear trunking or conduit throughout their whole length so they can be visually inspected by security guards, who know what the installation is supposed to look like from their previous rounds. Any extra wires or boxes would trigger the process for discovering an incident.

    Fibres can be 'tapped' unbroken by carefully bending them around a tight radius close to the snapping point, so that some of the light is scattered from the core into the cladding. This can be detected if it is over done by the reduced signal level at the far end.

    The idea of the fully inspectable length is that any such equipment would be spotted.

    Regards,

    Mike

  • But even with a very short length of FO, how can you tell it's really only transmitting in one direction?


  • But even with a very short length of FO, how can you tell it's really only transmitting in one direction?

    Buy extras of the equipment at each end. Strip it down and see what is inside. If it's got a receiver on the transmit side, or a transmitter on the receive side, it's not a proper data diode, but something programmed to act like one.