Free Unlock your 1‑hour consultancy—schedule your session today! »

· Eduardo Vieira · Cybersecurity  · 5 min read

Industrial Cybersecurity Retrofit: Securing Legacy Systems Without Replacement

A practical approach to implementing modern cybersecurity measures for industrial systems from the 1990s and 2000s without disrupting production or requiring complete replacement.

The Unseen Vulnerability: Your Legacy Industrial Systems

In 2025, one of the most pressing challenges in industrial environments isn’t adopting new technology—it’s securing the old. Over 65% of industrial facilities still rely on control systems designed and installed in the 1990s and early 2000s, long before cybersecurity was a consideration.

After conducting security assessments at 17 manufacturing facilities across Latin America, I’ve found that most are running equipment with:

  • No authentication mechanisms
  • Unencrypted communications
  • Direct internet connectivity added as an afterthought
  • Default or publicly known passwords
  • Unsupported operating systems

The dilemma is clear: replacing these systems would cost millions and interrupt critical production, but leaving them vulnerable puts the entire operation at risk.

The Air Gap Myth in Modern Industrial Environments

One of the most dangerous misconceptions in industrial cybersecurity is the belief in air-gapped systems. In reality, true air gaps have virtually disappeared:

  • Maintenance laptops connect to both industrial networks and the internet
  • IIoT initiatives have created deliberate connections
  • Wireless networks often bridge previously separate domains
  • USB drives and removable media regularly cross boundaries
  • Remote access solutions have been hastily implemented (especially post-COVID)

In my security audits, I’ve found that 94% of supposedly “air-gapped” industrial networks had multiple paths to external networks that facility managers were unaware of.

A Practical Retrofit Framework That Doesn’t Break the Bank

Based on extensive work with legacy industrial systems, I’ve developed a methodical approach to securing these systems without replacement. This framework is specifically designed for operational technology already in production.

Stage 1: Network Segmentation and Monitoring

The first line of defense requires no changes to legacy equipment:

  1. Industrial Demilitarized Zone (DMZ) Implementation

    Create a security buffer between your business network and industrial control systems:

    [Business Network] ←→ [Industrial DMZ] ←→ [Control System Network]

    This can be implemented using commercial industrial firewalls or even cost-effectively using robust open-source solutions like pfSense or OPNsense running on suitable hardware, provided they are configured and managed correctly by personnel with appropriate expertise.

  2. Passive Monitoring Implementation

    Deploy network TAPs (Test Access Points) and monitoring systems that observe traffic without affecting operations. This gives visibility without risk.

    For legacy SCADA systems using proprietary protocols, specialized industrial protocol analyzers like Claroty or Nozomi can decode and monitor without interference.

Stage 2: Endpoint Protection for Legacy Systems

For systems running older operating systems (Windows XP/7, legacy Linux):

  1. Application Whitelisting

    Rather than trying to block malicious software (impossible on unsupported OS), only allow known, verified applications to run. Tools like McAfee Application Control can be deployed on Windows XP through 10 without significant performance impact.

  2. USB Port Control

    Implement physical and logical controls on USB ports. This can be as simple as epoxy in unused ports and policy-based controls for necessary access.

  3. Read-Only File System Conversion

    For HMI stations and engineering workstations, convert system partitions to read-only when possible, with separate partitions for changing data. This prevents malware persistence.

Stage 3: Communication Security Retrofits

For securing communications without replacing controllers:

  1. Protocol Converter Deployment

    Install protocol converters that sit between legacy devices and the network, adding encryption and authentication:

    [Legacy PLC] ←→ [Protocol Converter] ←→ [Network]

    Specific converters like the OTG-900 series can add encryption to Modbus, PROFINET, and other common industrial protocols.

  2. One-Way Data Diodes

    For scenarios where data only needs to flow outward (like from sensors to monitoring systems), hardware diodes physically prevent return traffic.

  3. Store-and-Forward Validation

    For critical commands, implement a store-and-forward server that validates commands against known-good patterns before sending to legacy equipment.

Implementation Sequence: The Critical Path That Minimizes Risk

The sequence of implementation is crucial to avoid disruptions:

  1. Start with Monitoring (Week 1-2) Deploy passive monitoring first to understand normal patterns before making changes

  2. Segment Networks (Week 3-4) Implement logical segmentation first, then physical when possible

  3. Protect Endpoints (Week 5-6) Begin with backups, then incrementally apply controls

  4. Secure Communications (Week 7-8) First in parallel (testing), then in production

  5. Develop Incident Response (Ongoing) Create protocols specific to your industrial systems

Real-World Case Study: Refinery Control System Security Retrofit

A recent project securing a refinery with DCS and PLC systems from the early 2000s illustrates this approach in action:

  • Initial State: Complete vulnerability, default passwords, direct business network connectivity
  • Budget Constraint: Security improvements limited to 5% of replacement cost
  • Production Requirement: Zero unplanned downtime for security implementation

The implementation followed our retrofit framework:

  1. Network Segmentation:

    • Deployed industrial firewalls between business and control networks (In some budget-constrained scenarios, configured instances of pfSense/OPNsense on reliable hardware were used effectively here).
    • Created protocol-specific filtering rules
    • Established a secure jump server for authorized access
  2. Passive Monitoring:

    • Installed network TAPs on control network segments
    • Deployed industrial protocol analyzers (Claroty)
    • Established baseline communication patterns over 30 days
  3. Endpoint Protection:

    • Implemented application whitelisting on HMI systems
    • Applied USB port controls (physical locks + policy)
    • Created gold-image backups of all workstations
  4. Communication Security:

    • Deployed protocol converters for encrypting critical communications
    • Installed data diodes for historian connections
    • Implemented store-and-forward validation for critical commands

Results:

  • Implementation cost: 4.7% of full replacement
  • Zero production disruptions
  • 96% reduction in identified vulnerabilities
  • Successfully blocked two attempted ransomware intrusions within six months of implementation

Conclusion: Security Without Disruption is Possible

The approach outlined above has been successfully implemented across multiple industries, from manufacturing to utilities, proving that securing legacy industrial systems doesn’t require complete replacement.

By focusing on the layers surrounding legacy equipment rather than the equipment itself, substantial security improvements can be achieved without disrupting production or breaking maintenance budgets.

For most facilities, the highest ROI comes from addressing these fundamental areas rather than engaging in costly replacement projects that may introduce new vulnerabilities of their own.

Need guidance on securing your specific industrial systems? Contact me for a consultation or share your security challenges in the comments below.

Back to Blog

Related Posts

View All Posts »