Maintenance and continued use of legacy systems by many corporate entities make the goal of cybersecurity a tall order today. As organizations transition to new systems, the old systems keep running in order to serve clients under the current business model. Of course, the reliability of the old system is quite high, even when paired with old hardware. Although it is still stable, many system personnel are weighing whether and when to replace it with current technology. Because “legacy” literally means “heritage”, some people may be negative towards a system that has become a relic of the past but is still being used. The word certainly has that meaning, but the reality is that a network with legacy devices in it is harder to secure.
Legacy systems still have some advantages, because everything from the core systems to the auxiliary software and hardware was developed and integrated to original proprietary specifications, but that merit can be considered a disadvantage as well. For example, adding to, modifying, or improving part of an old system requires knowledgeable personnel, and the engineers who designed it may already be retired. In the absence of a responsible engineer, it becomes difficult to understand the infrastructure and programming of the system, with the harmful effect that it cannot be easily modified. In short, the biggest disadvantage of a legacy system is that the business itself tends to be bound by the system, which in turn suppresses flexible business reform of the enterprise.
There are many cases where the business requirements and methods of companies change. In such a case, the system needs renovation. Also, the possibility of trouble occurring in the system due to an unexpected disaster cannot be ruled out. This is one of the considerations when choosing the correct vendor: the vendor should be an expert in its own products and services, especially in repairing or troubleshooting the systems it sells to its clients. The vendor should also be willing to support the systems beyond their ‘market lifecycle’ for a fee, in order to make the future transition away from them as smooth as possible.
Unlike the PC desktop, laptop or smartphone of a single individual user, a corporate system has various parts and aspects that need to be regularly maintained and checked for issues. The older the technology, the fewer people have working knowledge of its internals, hence maintenance becomes more and more expensive. Key equipment like the supervisory control and data acquisition systems used for 24/7 operations is vital for a huge enterprise.
As long as the vendors of these systems are willing to fix them (even if not for free), enterprises can keep running old systems with no worry other than the increasing cost of support. The approach that needs to be taken into consideration is operating legacy systems in an air-gapped environment. That means these systems/computers operate only locally, with no Internet connection. Connecting old, near-discontinued hardware and software to the public Internet is just trouble waiting to happen, because cybercriminals scan the Internet all the time looking for online devices with known vulnerabilities. It is not worth it for any business to end up in the headlines just because it made the fatal mistake of connecting its business-critical legacy systems to the public Internet.
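
One way to check that an air gap like the one described above actually holds is to review network flow records for any legacy host communicating outside its isolated segment. The following is an added example, not part of the original article; the segment, the host addresses and the flow-record format are constructed assumptions.

```python
import ipaddress

# Assumed isolated segment and legacy inventory (constructed values).
SEGMENT = ipaddress.ip_network("10.20.0.0/24")
LEGACY_HOSTS = {"10.20.0.11", "10.20.0.12"}

# Constructed flow records: timestamp src dst dst_port protocol
SAMPLE_FLOWS = """\
2024-05-01T02:00:01Z 10.20.0.11 10.20.0.12 502 tcp
2024-05-01T02:03:17Z 10.20.0.11 203.0.113.40 443 tcp
2024-05-01T02:05:44Z 198.51.100.7 10.20.0.12 3389 tcp
2024-05-01T02:09:02Z 10.30.0.5 10.20.0.11 445 tcp
2024-05-01T02:10:30Z 10.30.0.5 10.30.0.9 22 tcp
truncated-record 10.20.0.11
"""

def find_airgap_violations(flow_text, legacy_hosts=LEGACY_HOSTS, segment=SEGMENT):
    """Return (violations, skipped): flows where a legacy host talks to a peer
    outside the isolated segment, and lines that could not be parsed."""
    legacy = {ipaddress.ip_address(h) for h in legacy_hosts}
    violations, skipped = [], []
    for line in flow_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            ts, src, dst, port, _proto = fields
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped.append(line)  # keep unparsed lines visible instead of dropping them
            continue
        # A peer outside the segment breaks the air gap, whether it is a public
        # address or another internal network bridging into the segment.
        if src_ip in legacy and dst_ip not in segment:
            violations.append((ts, src, dst, port, "outbound"))
        elif dst_ip in legacy and src_ip not in segment:
            violations.append((ts, dst, src, port, "inbound"))
    return violations, skipped

if __name__ == "__main__":
    found, bad = find_airgap_violations(SAMPLE_FLOWS)
    for ts, host, peer, port, direction in found:
        print(f"{ts} legacy host {host}: {direction} flow with {peer} port {port}")
    print(f"{len(bad)} unparsed line(s)")
```

Traffic from another internal network into the segment is reported as well, since a host that bridges the corporate LAN and the legacy segment defeats the isolation just as a direct Internet connection does.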