Based on previous weeks and months of discussions on digital pathogens, toxic systems, environments, and environmental impacts of digital pollution, I believe we can conclude that legacy systems are problematic, and replacing such systems can go a long way toward curbing and better managing cybersecurity issues. Another aspect is marking good products and software so purchasers can make educated choices.
Many legacy systems work as designed from a business and productivity perspective. These systems have done so for many decades. It is when systems designed to not communicate over networks are networked that problems arise. If these systems are not part of a networked environment, we can let them continue doing what they do.
However, in the world of industrial control systems, we see a move towards maximizing resource efficiency by allowing remote management to exist. That change has brought big problems with it.
Some methods, such as one-way gateways, have enabled remote control. Another way, of course, is to devise a way to prevent specific software applications from being used on legacy systems. While a bit more complicated, it may be a viable option. How has this been done in other industries?
We have, for example, motor vehicles that were built before the enactment of laws that bar vehicles that create a lot of pollution from operating on roads. Such cars must be modified to reduce pollution, or they spend the rest of their lives looking pretty in an inoperable state. Depending on where you live in this world, this can be very strictly enforced and does seem to work well.
Another control is prohibiting the manufacturing and selling of known pollutants for such vehicles, such as leaded gasoline or Freon used in older air conditioning systems. Restrictions like this would correspond to software that is simply “environmentally unsound” in a world where cybersecurity issues abound.
Once we have such controls in place, what it comes down to is having methods, as previously discussed, to test such systems for both the existence of problematic software and the vulnerabilities to attacks.
All of this is achievable, but remember that one of the most significant issues today is that cyber environmentally toxic and vulnerable systems are still being produced. That is the first hurdle we must face. So how do we figure out a way to allow such systems to work within our new, less toxic environment?
Cybersecurity certification and labeling could be one solution. Some cybersecurity authorities have recently launched programs (Finnish Cybersecurity Label & Singapore Cybersecurity Labelling Scheme (CLS)) to check and label IoT products containing software and internet connectivity that they consider safe. They have also agreed to mutual recognition of their respective labels as guaranteeing a similar level of cybersecurity maturity.
A manufacturer that wants to have the label submits the product for approval by the agency. To be approved, it must meet certain preconditions that show it is protected against the most common cybersecurity attacks. Pre-approving works well to ensure that we don’t pollute the cyber environment with known pollutants and that deployed products also have the necessary update protocols to keep them secure.
The voluntary labeling only works once the public knows and understands the value of such labels. For that reason, it’s essential to spread awareness about them. Hopefully the certification and labeling practice will spread to all the other countries, and it will also be extended to the world of industrial control systems.