Harry Levinson co-authored this blog post.

Legacy systems continue to play a key role across many organizations. Engineering cybersecurity into these legacy systems presents some unique challenges. In many cases, the original design team is no longer available, leaving the current team with the challenge of changing poorly- and/or un-documented designs and software. Over the years, these systems can become so outdated that they are unable to keep up with new software patterns and development technologies, including the ability to patch known security or design flaws. This blog contains six recommendations to help keep legacy software secure.

In this series on sustainment, we explore key challenges and recommendations in four areas of potentially significant impact that military software organizations must address to evolve from a traditional, waterfall software acquisition-and-development process to newer software development practices, such as DevOps and Agile practices:

• software architecture techniques (addressed in the first post)
• cybersecurity techniques (addressed in this post)
• Agile tools and methods (addressed in the next post)
• software automation (addressed in the fourth and final post)

Our recommendations are based on lessons learned by SEI technical staff in their work with government customers, although they can be applied to almost any sustainment organization, both large and small. This series will examine each of the four areas and explore some key challenges and recommendations.

Cybersecurity engineering is the specialized area of system and software engineering dealing with the development and operation of security controls to defend software-reliant systems from cyberattack. This method must be integrated with all lifecycle engineering activities, including requirements engineering, architecture engineering, design, implementation, integration, test, and deployment. Especially when building large cyber-physical systems, cybersecurity cannot be treated as a separate stovepipe activity or organizations will find it hard to defend their systems. While cybersecurity engineering is applicable across the development lifecycle--from initial planning and requirements engineering--it must also be a key engineering process through delivery, operation, and sustainment of the system

Cybersecurity Challenges for Sustainment Organizations

To maintain large, legacy cyber-physical systems it is important to understand the environment that sustainment organizations work within. First, modernizing legacy systems requires that the sustainment organization stay cognizant of ever-changing cybersecurity engineering challenges. While many legacy systems are secure from cyberattacks because they are not connected to networks, almost anytime significant capability is added it requires the addition of networking capabilities and the necessary cybersecurity controls.

While sustainment engineering teams have a deep understanding of how the legacy system operates, they are often not versed in the most recent cybersecurity techniques. The environment for many cybersecurity techniques is typically applicable only to systems that have modern architecture patterns, software libraries, and development tools. Legacy systems are often based on decades-old technologies and toolsets, so it is hard to apply modern cybersecurity techniques (e.g., reliable software updates). The translation of these newer techniques to the older designs is usually cost prohibitive or impossible to execute.

Another challenge is that current architecture documentation (typically supplied by the prime contractor) may not include sufficient, architecture-level, security control descriptions. This makes it hard to later add or modify cybersecurity software and components, such as, firewalls, encryption units, intrusion detection/prevention systems, and malware programs.

Based on our experience, we've found that the following activities can help smooth the path and enable sustainment organizations to meet the challenges of incorporating cybersecurity into legacy systems.

Six Recommendations for Addressing Cybersecurity of Legacy Systems: For modernizing legacy systems to include cybersecurity, we recommend the following:

1. Incorporate cybersecurity best practices into the systems engineering plan (SEP). Many legacy systems were likely built with limited or no concern for cybersecurity. Software engineering processes for cybersecurity change often. Therefore, when maintaining systems for decades the development and testing processes should be updated frequently. Specific examples include conducting vulnerability scans on the legacy systems, following strict access control protocols, and establishing security monitoring. The SEP should have processes to determine cybersecurity ramifications of changes to the system.
   
   The requirements, design, and testing process areas should include ways to identify and address changes to the system that introduce cybersecurity vulnerabilities or weaknesses. New requirements and implementation changes may increase the attack surface, enable new attack scenarios, or break existing security controls. Code for new requirements may introduce vulnerabilities and make it difficult to meet other requirements. These situations and more must be identified and then addressed with the appropriate cybersecurity best practices.
   
   The SEP should ensure that cybersecurity testing is repeated to verify that changes in implementations do not invalidate the cybersecurity of the system. Cybersecurity test procedures should verify whether the implementation of security controls may have affected application software and prevented the achievement of the important system quality attribute requirements. See 10 Types of Application Security Testing Tools: When and How to Use Them for more information on this topic.
   
   
2. Include guidance on cybersecurity analysis techniques. Even legacy systems need a cybersecurity program plan that includes approaches to identify and describe security analysis techniques. These techniques include identification of which system assets must be protected and attackers and attack scenarios. Along with tools like the Risk Management Framework (RMF), engineers can use the results of these analyses to identify the appropriate security controls.
   
   
3. Know When to Use Best Practices. Especially in legacy systems, not all best practices are relevant or appropriate under all circumstances. Know and understand which best practices are used and why others were not. Decisions and their rational to use or not use a cybersecurity best practice should be included in the cybersecurity program plan or the SEP. Consider using something as simple as a reusable listing of all of the best practice guidelines with checkboxes such as those from the NIST Cybersecurity Framework for implemented, partially implemented, or not implemented with rationale.
   
   
4. Execute cybersecurity analysis techniques to assess the adequacy of system cybersecurity. The security techniques and technologies that are identified in the cybersecurity program plan require tools to implement and execute them consistently. Acquire and use appropriate security tools (e.g., weakness scanners, port scanners, and security-coding standards checkers) during test, integration, and deployment. In addition to static analysis tools, consider using dynamic analysis tools. Results from performing security analyses (e.g., asset identification and attack scenarios) can be used as inputs to develop security test cases.
   
   
5. Keep up-to-date on system patches to minimize exposure and determine when and if it's feasible to update. A deep analysis must be done throughout the sustainment period to evaluate the costs and effectiveness of maintaining the security patches of older operating systems and determine at what point it makes more sense to modernize the system.
   
   
6. Reference the National Institute of Standards and Technology Systems Security Engineering Guide SP 800-160 Volumes 1 and 2. This guide covers security engineering challenges across the development and sustainment of software systems. Volume 1 focuses on the broad area of security engineering, whereas Volume 2 (currently in draft form) focuses on cyber resiliency with the aim of keeping software-reliant systems operational during times of stress and attack. As stated in the introduction, both volumes of the Guide are written

...as a catalog or handbook for achieving the identified security/cyber-resiliency outcomes of a systems engineering perspective on system life cycle processes, leveraging the experience and expertise of the engineering organization to determine what is correct for its purpose. Stakeholders ... can employ some or all of the ... constructs (goals, objectives, techniques, approaches, and design principles) ... and tailor them as appropriate to the technical, operational, and threat environments for which systems need to be engineered.

The system life cycle processes can be used for new systems, system upgrades, or systems that are being repurposed; can be employed at any stage of the system life cycle; and can take advantage of any system and/or software development methodology including, for example, waterfall, spiral, or agile. The processes can also be applied recursively, iteratively, concurrently, sequentially, or in parallel and to any system regardless of its size, complexity, purpose, scope, environment of operation, or special nature.

Wrapping Up and Looking Ahead

Evolving from development to sustainment is a critical activity that organizations must address to plan and execute sustainment activities in an efficient, effective manner. It is beneficial for any new development project that's intended to replace or coexist with legacy systems to include representatives from the sustainment team to aid understanding of the current operating environment and to help identify potential security issues.

Legacy systems present unique challenges for modernization efforts, primarily that they were designed before the current requirements and features were envisioned, particularly networked connectivity. However, cybersecurity can successfully be incorporated into legacy systems by following software engineering practices, including a systems engineering plan, and careful consideration of best practices.

We will continue our discussion about what acquisition teams need from an engineering sustainment organization. Our series will continue with a discussion of modernization and sustainment challenges related to Agile tools and methods.

Additional Resources

Read the first post in this series, Three Architecture Recommendations for Sustainment Organiations.