Keep Your Legacy Operations Systems Running Smoothly Without Compromising Corporate Cybersecurity!

As I talk to Facility Executives and Energy Managers, one of the frustrations I hear regularly revolves around managing legacy systems like HVAC, Lighting and other building controls. The equipment is functioning properly, but often the energy management software runs on an end-of-life operating system that gives corporate security departments major concern.

Facility execs are being pushed to replace or upgrade software and sometimes proprietary hardware for the security of the corporate network.

In most of these cases there is no ROI in replacing equipment that is working well within acceptable parameters. Replacing a fully functional system now is also poorly timed: you end up depreciating an unnecessary upgrade while waiting for the stronger ROI that more strategic investments will offer in the years ahead.

This is a challenge that is going to continue to ramp up in the next few years.

Matching the long life cycle of facilities equipment (often 7 to 15+ years) to the life cycle of IT systems (often a refresh every 2 to 3 years) is difficult and very expensive. Instead of trying to make operations technology keep pace with IT, make IT fit the life cycle of the operations technology.

The risk to the corporate network is very real.

I will save this topic for another blog, but know that the stakes are incredibly high. Facilities managers are seemingly stuck between a rock and a hard place. There is a way out.

Build a secure OT network that runs parallel to, and is fully air-gapped from, the corporate network.

In most cases, building and running a dedicated OT network is significantly less expensive than upgrading software and replacing hardware. A dedicated, parallel operations network also gives you a home for the wide range of other operations technologies that IT and information security departments have refused to allow on the corporate network.

You might be wondering: why is it safe to run end-of-life software on a separate network but not on a corporate network?

First, a corporate network is designed to support lots of users and lots of services, and exposing that network to aging systems with known, unpatchable vulnerabilities can create major issues. The infamous Target breach of 2013 is the standard example: the attackers got their foothold using network credentials belonging to an HVAC contractor. Generally, a corporate network starts with a wide range of services open to support all of the enterprise's needs, and the IT and information security teams then lock down what they can.

On the other hand, an OT network is completely private and separate from the corporate network. Because it is not routable from the corporate side, it cannot even be discovered by scanning from there. Each system and device is secured, access is denied by default, and paths are added only as needed (think of a mechanical room versus the lobby).

An OT network has far fewer users and far fewer services, so the risk of an end-of-life system is much easier to contain. You can go a step further and put the legacy equipment on its own segment, isolated from your newer operations technology, so that an old controller can only ever talk to the few things it must.

Finally, the OT network is not connected to the key enterprise systems that IT and information security are protecting (vital customer and employee records and confidential financial information), so a compromise of a legacy system has no path to them. The risk is not zero: an air-gapped network still has to control removable media, vendor laptops and any remote-access arrangement, but it is reduced to something a small, well-understood network can manage, and that is what a dedicated OT network for all of your operations systems gives you.
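The design above rests on two rules: nothing crosses the air gap between corporate and OT, and within OT, zone-to-zone traffic is denied unless explicitly allowlisted (with a separate legacy segment if you choose to isolate it). The check a practitioner wants is proof that those rules hold in practice. The following script is an added example, not code from the original post: it audits flow records from the OT segment against that policy and flags every flow that should not exist. The address ranges, the single allowlist entry (a newer BMS front end polling legacy controllers over Modbus/TCP) and the log lines are constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple

# Zones for the parallel-network design. The address ranges are assumptions
# for this example, not from the original post.
ZONES = {
    "corporate": [ipaddress.ip_network("10.0.0.0/8")],
    "ot_legacy": [ipaddress.ip_network("192.168.50.0/24")],
    "ot_modern": [ipaddress.ip_network("192.168.60.0/24")],
}

# Allowlist of cross-zone flows as (zone_from, zone_to, proto, dport).
# Everything else between zones is denied. "corporate" never appears here:
# an air-gapped OT network has no permitted path to or from it.
ALLOWED = {
    ("ot_modern", "ot_legacy", "tcp", 502),  # assumed: BMS front end polls legacy PLCs over Modbus/TCP
}

Flow = namedtuple("Flow", "ts src dst proto dport")


def zone_of(ip):
    """Map an address to its zone, or 'unknown' if it belongs to none."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "unknown"


def parse_flow(line):
    """Parse one constructed flow record: '<ts> src=<ip> dst=<ip> proto=<p> dport=<n>'."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Flow(ts, fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def evaluate(flow):
    """Return (verdict, reason) for a single flow under the default-deny policy."""
    z_src, z_dst = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (z_src, z_dst):
        # An address outside every zone (e.g. an Internet host) means the
        # segment is not as isolated as it is supposed to be.
        return "violation", f"address outside all OT zones ({flow.src} -> {flow.dst})"
    if z_src == z_dst:
        return "allow", f"intra-zone {z_src}"
    if "corporate" in (z_src, z_dst):
        return "violation", f"air gap crossed: {z_src} -> {z_dst}"
    if (z_src, z_dst, flow.proto, flow.dport) in ALLOWED:
        return "allow", f"allowlisted {z_src} -> {z_dst} {flow.proto}/{flow.dport}"
    return "violation", f"no allowlist entry for {z_src} -> {z_dst} {flow.proto}/{flow.dport}"


def audit(lines):
    """Evaluate every record; returns a list of (flow, verdict, reason)."""
    return [(f, *evaluate(f)) for f in map(parse_flow, lines)]


def violations(lines):
    """Only the flows the policy says must not exist."""
    return [(f, reason) for f, verdict, reason in audit(lines) if verdict == "violation"]


# Constructed sample flow records (not real captures).
SAMPLE_LOG = [
    "2024-03-01T08:00:01 src=192.168.60.10 dst=192.168.50.21 proto=tcp dport=502",    # BMS -> legacy PLC, allowed
    "2024-03-01T08:00:02 src=192.168.50.21 dst=192.168.50.22 proto=udp dport=47808",  # legacy BACnet peer traffic
    "2024-03-01T08:00:03 src=10.20.4.15 dst=192.168.50.21 proto=tcp dport=3389",      # corporate host reaching OT: gap crossed
    "2024-03-01T08:00:04 src=192.168.50.21 dst=192.168.60.10 proto=tcp dport=445",    # legacy box reaching newer OT, not allowlisted
    "2024-03-01T08:00:05 src=192.168.50.21 dst=8.8.8.8 proto=udp dport=53",           # Internet egress from the OT segment
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_LOG):
        print(f"{flow.ts} VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run it against exported flow records from the OT switch or firewall on a schedule; with a truly air-gapped network the corporate and Internet findings should never appear, and any that do are evidence of a stray cable, a vendor laptop on the wrong port, or a "temporary" bridge that was never removed.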


If you would like to learn more about how an OT network could benefit your facilities department, send me an email at or sign up for my blog here.
