A few years ago, a report from the U.S. Government Accountability Office (GAO) revealed that 10 legacy systems belonging to federal authorities were between 8 and 51 years old and cost approximately $337 million annually to maintain. These systems were present in the Departments of Defense, Education, Treasury, Homeland Security, Transportation, and Social Security Administration and included a 14-year-old COBOL system in use by the Air Force and an 18-year-old industrial control system utilized in U.S. dams and power plants.
While most of our federal agencies have made concerted efforts to modernize their technology and move to cloud environments, others have either partial or no technology improvement plans in place. One good example of the successful modernization of legacy systems is the U.S. Air Force, which underwent updates despite the considerable budgetary strain of the contract. GAO reports recorded that savings reached approximately $34 million annually. Unfortunately, although all federal agencies have been made aware of the risks associated with using legacy systems, many simply lack the funds, skilled personnel, time, and expertise to navigate such large-scale changes.
To address this need, the U.S. Government has introduced special initiatives for critical infrastructure entities, such as the Bipartisan Infrastructure Law (BIL). This legislation addresses pressing technology modernization needs by allocating funding to deserving organizations, aiding them in fortifying their defenses against escalating cyber threats. Early indicators suggest that BIL funding has surpassed $448 billion, supporting 51,000 projects encompassing road paving, water systems, bridges, and other extensive transit initiatives.
Where are Legacy Systems Still In Use?
- Power Plants and Manufacturing: Legacy systems are utilized to control hardware in power plants and manufacturing machines, often running on outdated software like MS-DOS.
- Banking and Finance: Financial institutions rely on legacy mainframe systems for core banking operations such as transaction processing, customer data management, and account management.
- Healthcare: 80% of institutions still rely on legacy systems, as per the Health Information and Management Systems Society (HIMSS). These often include Electronic Health Record (EHR) systems, incorporating legacy components due to the complexity and longevity of patient records.
- Government: Government agencies use legacy systems for tax processing, social security administration, and public records management.
- Transportation: Legacy systems are found in transportation infrastructure, including air traffic control systems, railway signaling systems, and traffic management systems.
- Utilities: Energy and utility companies depend on legacy systems for managing power generation, distribution, and infrastructure monitoring.
- Retail: Many older retail environments utilize legacy systems in point-of-sale (POS) systems for sales transactions.
- Telecommunications: Many telecommunication networks incorporate legacy systems for billing, call routing, and network management.
Why do We Need to Pay Attention to Legacy Systems Used by Critical Infrastructure?
To put it simply, cyber attackers enjoy targeting legacy systems, as they are easy to exploit—akin to taking candy from a baby! Due to their age and lack of support, legacy systems often harbor critical vulnerabilities that can be exploited by malicious actors. Similarly, end-of-life software, lacking security updates, becomes an attractive target for hackers seeking to exploit known vulnerabilities. For instance, Microsoft no longer supports Windows 7 or earlier versions and Apple dropped support for macOS versions prior to macOS 11 (Big Sur), thus putting any company or individual using these versions at risk of attack.
Additionally, as legacy systems are extensively used across critical infrastructure sectors, such as dams, water treatment systems, power plants, hospitals, and schools, any attack on them can have significant immediate and far-reaching consequences. Furthermore, despite modernization efforts, many legacy systems are vulnerable to inter-system attacks as they lack robust defenses compared to the cloud-based platforms they are linked to, leaving U.S. infrastructure organizations highly susceptible to exploitation.
In the words of Christopher Wray, Director of the Federal Bureau of Investigation, who reported that Chinese government-linked hackers had breached a large portion of US critical infrastructure, including 23 pipeline operators, “The fact is, the People’s Republic of China’s targeting of our critical infrastructure is both broad and unrelenting.” He also warned that hackers would aim “to land low blows against civilian infrastructure to try to induce panic.” – Vanderbilt Summit on Modern Conflict and Emerging Threats, Nashville, April 18, 2024
A few months ago, the FBI issued a statement warning critical infrastructure entities against potential attacks. Notably, US critical infrastructure has been under a steady series of cyberattacks led by international state-backed hackers from Russia and China.
Recent Attacks on Critical Infrastructure Facilitated Through Legacy Systems or Unpatched Software
When | Critical Sector | Target | Attacker | Effects |
Jan 2024 | Water Supply | Muleshoe Water Plant | People’s Cyber Army of Russia | Town’s drinking water tank overflowed for 30-45 minutes |
Jan 2024 | Healthcare | Capital Health Hospitals | Lockbit ransomware | Stole 10 million files |
Jan 2024 | Library | Douglas County Libraries | Playcrypt (Russian) | All systems down for a week |
Jan 2024 | Water Systems | Veolia Water Systems | Unknown/Black Basta | Operations for 416 facilities in the US and Canada could have been affected |
Jan 2024 | Energy | Schneider Electric | Cactus Ransomware | Stole data, disrupted cloud platform |
Feb 2024 | Healthcare | Lurie Children’s Hospital | Rhysida ransomware | Disrupted medical services, phone and email communications. IT systems had to be taken offline, 600 GB of data stolen |
Feb 2024 | Government | California State Worker Union | Lockbit ransomware | Stole 308 Gb of data |
Feb 2024 | Healthcare | UnitedHealth | BlackCat Ransomware | Healthcare billing outage, stole 6TB of data |
Feb 2024 | Healthcare | Change Healthcare | BlackCat ransomware | Network and billing disruptions |
Feb 2024 | Government and Education | CKEditor (14-year-old CMS platform) | Unknown | MIT, Purdue, Washington and Columbia Universities and government sites in Virginia and Texas had poisoned search results with malicious sites. |
March 2024 | Electricity and Water Utility | Muscatine Power and Water | Unknown | 36,955 Social security numbers compromised, systems were down for several days |
March 2024 | Education | Pennsylvania’s Scranton School District | Unknown | Widespread technology outages |
March 2024 | Government and Education | Henry County, Illinois | Medusa ransomware | Government systems and colleges affected |
March 2024 | Government | Alabama Government and City of Birmingham | Anonymous Sudan | Service and network issues for several days |
March 2024 | Healthcare | Harvard Pilgrim Healthcare | Unknown | Compromised data of 2.8 million users |
April 2024 | Government | New York City Automated Personnel System, Employee Self Service | Unknown | City payroll had to be taken offline, tax filing disrupted |
April 2024 | Government | Tarrant County Appraisal | Medusa ransomware | 218 GB of data stolen |
April 2024 | Healthcare | Group Health Cooperative of South Central Wisconsin | BlackSuit ransomware | Stolen data of 500,000 individuals |
April 2024 | Education | New Mexico Highlands University (NMHU) and East Central University | BlackSuit ransomware | Disrupted classes and exposed sensitive student data |
April 2024 | Finance | D.C. Department of Insurance, Securities and Banking (DISB) | LockBit ransomware | Stole 800GB of data |
What many organizations fail to understand is the magnitude and scale of the efforts behind each attack. For instance, the Hale County Water Supply system in Alabama had 37,000 attempts in four days to bypass its firewall. Eventually, their systems had to be taken offline for protection. The Muleshoe Water Plant was simultaneously targeted but failed to intercept the attack. In comparison, the Port of Los Angeles, a large-scale target, was subjected to more than 750 million cyber intrusion attempts on 80% of its cranes in 2023.
As a countermeasure, the FBI gained control of a ransomware website, LockBit, and shut down its operations for a while, but like every other tech-savvy organization, LockBit rallied and was soon back in cybercrime. As LockBit’s alleged leader, LockBitSupp, puts it: “I plan to continue working until my death. I don’t have a goal for a year or for five years. My only goal in life is to attack one million companies around the world and go down in human history as the most destructive affiliate program.”
To combat this level of cyber onslaught and the battalion of groups led by single-minded leaders such as LockBitSupp, it is imperative that all organizations, particularly those in critical infrastructure sectors, modernize their legacy systems and adopt cybersecurity managed services, at least until they are able to upskill their existing personnel and practices.
How to Safeguard Legacy Systems from Attacks
- Ensure Basic Cybersecurity Measures: Implement essential security measures like passkeys, complex passwords, multi-factor authentication, routine backups, updates, and frequent software patches to prevent cyberattacks.
- Use a Modular System: If you have to use legacy systems, segregate them from the main network to prevent widespread compromise during cyberattacks. Employing modular systems will allow you to implement isolated shutdowns and incremental upgrades.
- Regularly Audit All Assets: Conduct routine audits of all software and hardware systems and track products approaching their end of life (EOL) or end of support (EOS). Failure to do so can expose systems to exploitation by threat actors.
- Utilize a Multi-Layered Defense: Implement a multi-layered security approach that takes into consideration legacy systems. Opt for customized cybersecurity solutions compatible with older systems and use firewalls, intrusion detection and prevention systems, and robust antivirus software.
- Have an Incident Response Plan: An incident response plan establishes clear roles, responsibilities, and procedures to deal with a cyber breach. It helps organizations minimize the impact of incidents, reduce downtime, and safeguard critical assets.
- Manage your Attack Surface: Having a comprehensive view of an organization’s complete attack surface is crucial for identifying legacy systems and understanding their interconnections across the organization. By utilizing Securin ASM, organizations can monitor their attack surface effectively, identify misconfigurations or vulnerabilities, and prioritize remediation efforts to manage legacy systems effectively.
Ultimately, the goal should be to modernize and replace legacy systems. As cyber threats on critical infrastructure escalate, immediate action is imperative.
U.S. state officials and security leaders must prioritize the modernization of legacy systems with comprehensive cybersecurity strategies, including regular penetration testing and vulnerability management. Collaborative initiatives such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Joint Cyber Defense Collaborative (JCDC) and AI-powered tools are great solutions to rapidly and expansively enhance defense mechanisms. Again, it is essential to select adaptable products that are compatible with legacy systems. Additionally, continuous monitoring, timely patching, and collective efforts towards information sharing are essential to outpace evolving threats and safeguard essential services.