Could Outdated Operating Systems Lead to Vulnerabilities?


Do you have a machine in the corner of your operations that runs a specific legacy application? Maybe it’s only used once a quarter and might be running Windows 95? You may have just identified the risk. The next steps are evaluating it and making sure the budget and resources are spent reducing the right risk. Could outdated operating systems lead to system vulnerabilities at your company?

If it’s office machines, the path to upgrade is easier and should be taken. The challenge presents itself when these legacy systems are tied to manufacturing equipment. Best practice is to upgrade, because upgrading ensures the OS is patched and updated with the latest security measures. It also ensures that reactive security software (like anti-virus/malware) and proactive software (intrusion detection/prevention) can run. In practice, though, upgrading the OS usually leads to upgrading the legacy software as well, which creates a larger project.

Typically, Black Bottle Security suggests taking a practical approach. If the legacy machines are accessible to the outside internet (outgoing or incoming), or can be accessed by other machines on the network, there is little choice but to keep current with the OS upgrades and all the related costs. However, if the legacy system can be isolated, there could be a case made to align the OS upgrade with the upgrade of the legacy software.

Some Stats from the Internet of Things marketplace

58% of IoT adopters believe IoT is increasing the risk of cyberattacks. However, half of the IoT adopters claim that they do not have a plan to prevent losses from possible security threats. Gartner predicts that 25% of attacks will involve IoT, while the spending on IoT security will reach $547 million. 

Examples of IoT in Manufacturing

  • Efficiency – Sensor and machine productivity metrics are gathered and sent to a cloud-based analytics engine, which gives shop floor managers data to determine new improvements or measure existing initiatives.  Lots of data is leaving the facility, but 
  • Quality – Sensors that monitor the calibration of machines, the environmental conditions, and the machine health are all data points that can be used in a quality management program.
  • Safety – Monitoring of environmental conditions, worker movement and health metrics (like a heartbeat and body temperature) is used to alert shop floor managers/doctors of dangerous conditions and to predict/prevent employee injuries.

Security Risks and Solutions

Obviously, the collection of this data, especially the health metrics, poses a large liability. Since the sensors are small and widely distributed, the flow of this information needs to be architected in a way that allows the company’s internal detection/intrusion network segments to make sure that threats are discovered/prevented. Most internal IT staff/3rd Party Managed Service Providers do not have the expertise to monitor and respond to this type of activity, so either hiring an in-house Security Operations Center (SOC) or engaging a 3rd party is a good solution to mitigate this risk.

Incident Response

The bottom line is that there are those who are about to get hacked and those who are about to get hacked again. No one is safe. What are the considerations manufacturers should have regarding awareness about their exposure and how to respond to incidents once they have been hacked?

  • How do I protect my business and the employee if I am compromised and more information is leaked from my organization? Insurance, identity theft, employee identity monitoring, dark web monitoring
    • Mitigation of this risk is definitely multi-pronged.  There is no silver bullet.
      • Insurance – This mitigates the financial risk of responding to a data breach, but a data breach has more than financial consequences; the reputation of the Company (internal employees/external clients/vendors) is also at risk.
      • Dark Web Monitoring – This is a good way to gauge the threat level; it will quantify the amount of sensitive information that could be used fraudulently.  This should be used more as a ‘scorecard’ as to the impact of security measures, rather than any preventative or proactive approach.
      • Employee Identity Monitoring – Again, this is more of a measurement of the program in place to keep data safe.  However, this does provide some actionable intelligence for each employee/Company to act on to remediate any situations.
  • Email hacking; really incident response
    • Most email hacks begin with a phishing email that asks for credentials.  Security Awareness Training is the key to reducing this risk.
    • Security Monitoring (either client-based or location-based), with the corresponding SOC team monitoring the activity, is another layer that will report suspicious activity so the appropriate response can be taken.
  • Ransomware
    • There are client apps that can prevent most ransomware.  These are all client-based solutions, so this assumes all computer endpoints have it installed.  Not 100%, but it’s a layer.
    • The only 100% prevention of Ransomware is to have good, tested backup procedures at the frequency that makes sense for each organization, at minimum daily.
  • Getting around backups and preventative measures, etc.
    • Active Hunting – Having the Intrusion Detection/Prevention Monitoring with a related SOC team means threats can be actively hunted before an actual data loss/incident occurs.
  • Hackers being in the system for months
    • This is true. Most attacks happen in small phases, systematically searching for network vulnerabilities. Looking at one piece of activity by itself is not enough; correlating lots of activity begins to paint a picture that a threat actor has infiltrated the perimeter and is searching for valuable data to steal.
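
The correlation point above can be shown with a small detection sketch. This is an added example, not Black Bottle's tooling; the hostnames, event types, and the event-to-phase mapping are constructed assumptions. Each event is unremarkable alone, and a short look-back window misses the pattern that a longer one reveals.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source host, event type, destination).
EVENTS = [
    ("2024-03-01T02:14", "ws-17", "port_probe", "10.0.5.20"),
    ("2024-03-04T03:02", "ws-17", "failed_login", "10.0.5.20"),
    ("2024-03-09T01:47", "ws-17", "share_enumeration", "10.0.5.31"),
    ("2024-03-15T02:30", "ws-17", "large_outbound_transfer", "203.0.113.9"),
    ("2024-03-02T10:05", "ws-04", "failed_login", "10.0.5.20"),
    ("2024-03-10T09:12", "ws-22", "port_probe", "10.0.5.44"),
]

# Assumed mapping from event type to the phase of activity it suggests.
PHASE = {
    "port_probe": "discovery",
    "share_enumeration": "discovery",
    "failed_login": "credential_access",
    "large_outbound_transfer": "exfiltration",
}

def correlate(events, window_days=30, min_phases=3):
    """Return {source: phases} for sources showing at least min_phases
    distinct phases inside any window of window_days."""
    by_source = defaultdict(list)
    for ts, source, kind, _dest in events:
        if kind in PHASE:
            by_source[source].append((datetime.fromisoformat(ts), PHASE[kind]))
    window = timedelta(days=window_days)
    flagged = {}
    for source, items in by_source.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _phase) in enumerate(items):
            phases = {p for t, p in items[i:] if t - start <= window}
            if len(phases) >= min_phases:
                flagged[source] = sorted(phases)
                break
    return flagged

if __name__ == "__main__":
    print(correlate(EVENTS))                 # 30-day view
    print(correlate(EVENTS, window_days=5))  # short view
```

With the 30-day window only ws-17 is flagged, because its probe, failed login, share enumeration and outbound transfer line up into three phases; with a 5-day window nothing is flagged.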

How do you answer, could outdated operating systems lead to vulnerabilities within your company? Black Bottle helps clients reduce their cybersecurity risk and achieve the necessary regulatory compliance. Through a practical approach that is tailored toward each client, Black Bottle will develop a comprehensive plan to address short term needs while creating a culture of continuous cybersecurity improvement through people, process and technology.

Contact us today to get started with a Free Risk Assessment
