
Securing Legacy SCADA Systems: Practical strategies for the oil and gas industry

Author: Shewale, Vilas
Publisher: Zenodo
DOI: 10.5281/zenodo.17291827
Source: https://zenodo.org/records/17291827/files/WJARR-2025-1575.pdf
Corresponding author: Vilas Shewale
Copyright © 2025 Author(s) retain the copyright of this article. This article is published under the terms of the Creative Commons Attribution License 4.0.

Securing Legacy SCADA Systems: Practical strategies for the oil and gas industry
Vilas Shewale *
Independent Researcher, USA.
World Journal of Advanced Research and Reviews, 2025, 26(02), 341-346
Publication history: Received on 23 March 2025; revised on 30 April 2025; accepted on 02 May 2025
Article DOI: https://doi.org/10.30574/wjarr.2025.26.2.1575

Abstract
Legacy SCADA systems in the oil and gas industry face significant cybersecurity challenges due to aging infrastructure, increasing IT/OT convergence, and evolving threat landscapes. These systems, often designed before cybersecurity was a primary concern, lack modern security features while controlling critical infrastructure components essential to national energy security. The combination of outdated operating systems, proprietary hardware with limited update capabilities, and protocols without authentication or encryption creates substantial vulnerabilities. Complete system replacement is typically impractical due to prohibitive costs and operational disruption risks. This article addresses practical, cost-effective security strategies that can be implemented while maintaining operational integrity. By examining network segmentation, industrial protocol-aware intrusion detection, application whitelisting, host hardening, and unidirectional security gateways, the article presents proven defensive measures specifically tailored to legacy SCADA environments. These approaches acknowledge the operational constraints of industrial control systems while providing meaningful security improvements that significantly reduce exposure to modern cyber threats without requiring wholesale replacement of existing systems.

Keywords: Legacy SCADA Security; Oil and Gas Cybersecurity; Network Segmentation; Protocol-Aware Intrusion Detection; Application Whitelisting; Unidirectional Gateways

1. Introduction

Oil and gas infrastructure relies heavily on SCADA systems to monitor and control assets across vast geographic areas. According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), their assessment activities in 2016 identified 701 vulnerabilities in control system devices and software, with 130 being classified as high-impact vulnerabilities that could directly affect critical infrastructure operations [1]. The energy sector was among the top three most vulnerable critical infrastructure sectors, alongside critical manufacturing and communications.

Legacy SCADA systems present unique security challenges. A 2021 survey revealed that 61% of factories still run outdated operating systems like Windows XP and Windows 7 in their OT environments, with 89% experiencing cyber incidents affecting production and 72% suffering system outages within the past 12 months [2]. These legacy systems typically have 15–20-year lifecycles compared to the 3–5-year refresh cycles of IT systems.

The security challenges are compounded by increasing IT/OT convergence, with ICS-CERT identifying that 27% of reported incidents were directly related to boundary protection issues between IT and OT networks [1]. This connectivity creates new attack vectors while legacy systems often lack basic security features:
• 61% of organizations lack proper network segmentation between IT and OT [2]
• 52% report difficulty in implementing patches in OT environments [2]
• 75% of incidents assessed by ICS-CERT involved external IP addresses [1]
• 40% of organizations experience challenges in monitoring their OT environments [2]

Complete replacement of these systems is costly and time-consuming, with significant operational disruption risks. Given these constraints, organizations must implement practical security improvements that work within operational limitations while significantly reducing risk exposure.

This article examines cost-effective strategies for securing legacy SCADA environments without wholesale replacement, focusing on defensive measures with demonstrated effectiveness in production environments.

Table 1 Security Challenges in Legacy SCADA Environments [1, 2]

| Security Challenge | Percentage of Organizations Affected |
|---|---|
| Outdated OS (Windows XP/7) | 61% |
| Cyber incidents affecting production | 89% |
| System outages (past 12 months) | 72% |
| Lack of IT/OT segmentation | 61% |
| Patching difficulties | 52% |
| External IP involvement in incidents | 75% |
| OT monitoring challenges | 40% |

2. Network Segmentation and Defense-in-Depth Architecture for Legacy SCADA Systems

Network segmentation is crucial for protecting legacy SCADA environments against modern cyber threats. According to the Security Survey, only 8% of organizations report having a formal or complete separation between IT and OT/ICS networks, with 70% having only minimal-to-moderate separation or no separation at all [3]. This finding underscores why the ISA/IEC 62443 standard has become the foundation of industrial network security architecture.

When implementing network segmentation in legacy environments, organizations face significant challenges. The survey revealed that 32% of organizations regard improper network segmentation as their top security concern, while 54% reported difficulty in monitoring or detecting suspicious traffic at the IT-OT boundary [3]. This lack of separation creates significant risk, as attackers commonly exploit connectivity weaknesses to gain initial access.

2.1. The implementation of zone-based architecture requires strategic planning:
• Only 44% of organizations have deployed security zones and conduits as recommended by IEC 62443 standards [3]
• 50% of organizations cite the lack of skilled staff as a major barrier to improving ICS security [3]
• Unidirectional gateways reduced the attack surface by 100% in specific application areas while maintaining data accessibility [4]
• Properly implemented conduit controls reduced unauthorized connection attempts in studied environments

For practical implementation, research indicates that organizations should allocate time for network baseline development using passive monitoring tools, with a phased approach to segmentation deployment. A case study by SEL showed that implementing incremental segmentation with secure engineering access across multiple substations improved security while maintaining operational requirements [4].

Table 2 State of Network Segmentation in Industrial Organizations [3]

| Segmentation Status | Percentage of Organizations |
|---|---|
| Formal/complete IT/OT separation | 8% |
| Minimal-to-moderate separation | 70% |
| Implemented security zones/conduits | 44% |
| Cite lack of skilled staff as barrier | 50% |
| Report segmentation as top concern | 32% |
| Difficulty monitoring IT/OT boundary | 54% |

2.2. The most successful implementations shared common characteristics:
• Defense-in-depth architecture with multiple layers of protection (physical, electronic, and procedural)
• Detailed network documentation and traffic flow analysis before implementation
• Use of protocol-aware boundary controls with specific industrial protocol support
• Regular validation of segmentation effectiveness through controlled testing

The SEL implementation demonstrated that properly designed network segmentation could simultaneously improve security, reliability, and operational visibility when thoughtfully applied to legacy SCADA environments [4].

3. Industrial Protocol-Aware Intrusion Detection Systems for Legacy SCADA

Industrial protocol-aware intrusion detection systems (IDS) represent a critical security layer for legacy SCADA environments. According to recommended practices for defense-in-depth strategies, traditional IT security mechanisms are ineffective against many ICS-specific threats, as they cannot interpret industrial protocols and fail to recognize potentially dangerous commands that appear as normal traffic [5]. This demonstrates the necessity of specialized monitoring solutions.

The documentation highlights that industrial protocols present unique security challenges, as many legacy SCADA implementations use protocols that lack authentication or encryption [5]. Their analysis shows that networks running industrial protocols like Modbus, DNP3, and legacy OPC have specific vulnerabilities that traditional IT security tools cannot detect, particularly when these protocols are transmitting legitimate but potentially dangerous commands.

The predictable nature of SCADA communications makes behavioral analysis particularly effective. Recommended practices emphasize that behavioral monitoring can establish baselines of normal activity patterns and identify deviations that might indicate compromise [5]. When properly implemented, this approach can detect anomalies such as unusual polling frequencies, unexpected protocol commands, or communications outside normal operational patterns.
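
The behavioral baselining described above can be sketched for Modbus/TCP as follows. This is an added example, not code from the article or from any IDS product; the host names, the 2-second polling cycle, the 50% tolerance and the frames themselves are constructed assumptions.

```python
import struct
from collections import defaultdict

WRITE_CODES = {5, 6, 15, 16}  # standard Modbus write function codes

def frame(tid, unit, fc, a, b):  # constructed 12-byte Modbus/TCP request
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, a, b)

def parse_modbus_tcp(payload):
    """Return (unit_id, function_code), or None if the MBAP header is invalid."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]

class Baseline:
    def __init__(self, tolerance=0.5):
        self.codes = defaultdict(set)       # (src, dst, unit) -> function codes seen
        self.gaps = defaultdict(list)       # (src, dst) -> seconds between requests
        self.last_seen = {}
        self.tolerance = tolerance          # allowed fractional drift in polling gap

    def learn(self, ts, src, dst, payload):
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            return
        self.codes[(src, dst, parsed[0])].add(parsed[1])
        if (src, dst) in self.last_seen:
            self.gaps[(src, dst)].append(ts - self.last_seen[(src, dst)])
        self.last_seen[(src, dst)] = ts

    def check(self, ts, src, dst, payload):
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            return ["malformed Modbus/TCP frame"]
        unit, fc = parsed
        alerts = []
        if fc not in self.codes.get((src, dst, unit), set()):
            kind = "write" if fc in WRITE_CODES else "function"
            alerts.append(f"unexpected {kind} code {fc}: {src} -> {dst} unit {unit}")
        gaps = self.gaps.get((src, dst))
        if gaps:
            mean = sum(gaps) / len(gaps)
            gap = ts - self.last_seen[(src, dst)]
            if abs(gap - mean) > self.tolerance * mean:
                alerts.append(f"polling gap {gap:.1f}s vs baseline {mean:.1f}s")
        self.last_seen[(src, dst)] = ts
        return alerts

def demo():
    b = Baseline()
    for i in range(5):                      # learning window: HMI polls every 2 s
        b.learn(i * 2.0, "hmi-1", "plc-7", frame(i, 1, 3, 0, 10))
    normal = b.check(10.0, "hmi-1", "plc-7", frame(5, 1, 3, 0, 10))
    write = b.check(12.0, "hmi-1", "plc-7", frame(6, 1, 6, 100, 1))
    burst = b.check(12.2, "hmi-1", "plc-7", frame(7, 1, 3, 0, 10))
    return normal, write, burst
```

The write request is a well-formed Modbus frame that a port-based firewall rule would pass; it is flagged only because the parser reads the function code and compares it with what this HMI/PLC pair did during the learning window.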

Passive monitoring deployment offers significant advantages for legacy environments. The Department of Energy's Cybersecurity Capability Maturity Model (C2M2) recognizes that monitoring industrial protocols is an essential practice for achieving higher levels of cybersecurity maturity [6]. Key benefits of this approach align with C2M2 domains including:
• Enhanced situational awareness through comprehensive protocol visibility
• Improved threat detection capabilities for industrial environments
• Non-intrusive security monitoring that doesn't disrupt critical operations
• Greater visibility into previously unmonitored legacy systems

According to the C2M2 framework, organizations with more mature cybersecurity programs implement continuous monitoring of industrial networks with protocol-specific capabilities, which enables them to rapidly detect potential security events [6]. The non-intrusive nature of passive monitoring is particularly valuable for legacy SCADA systems where active security measures might impact performance or reliability.

4. Application Whitelisting and Host Hardening for Legacy SCADA Systems

Legacy SCADA systems remain particularly vulnerable to modern cyber threats due to outdated operating systems and limited patching capabilities. According to NIST Special Publication 800-82 Rev. 2, application whitelisting represents one of the most effective compensating controls for these environments. NIST specifically recommends application whitelisting for ICS components, noting that "In the ICS environment, application whitelisting can be an effective compensating control where patching is not feasible" [7].

The implementation of application whitelisting delivers substantial security benefits for legacy systems. The federal industrial control systems security guidance document highlights that whitelisting is particularly valuable because it "does not require frequent updates as is the case with antimalware software" [7], making it well-suited for legacy SCADA environments where updates are challenging.

Federal industrial control systems security guidance indicates that effective whitelisting implementations must be comprehensive, as malicious code can execute through various mechanisms. Their recommendations specify that organizations should:
• Identify and document all legitimate applications and executables
• Implement file integrity checking mechanisms
• Use tools appropriate to the operating system version
• Integrate with change management processes
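
The first two recommendations (inventory the legitimate executables, then check file integrity against that inventory) can be illustrated with the sketch below. It is an added example, not a tool named in the guidance; the extension list, file names and contents are constructed, and it audits a directory rather than blocking execution the way a whitelisting product does.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = {".exe", ".dll", ".sys", ".bat"}  # assumption: what counts as executable

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(root):
    """Map each executable's path (relative to root) to its SHA-256 digest."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, root)] = sha256_file(full)
    return found

def audit(approved, root):
    """Compare the host's current executables with the approved inventory."""
    current = inventory(root)
    return {
        "unapproved": sorted(p for p in current if p not in approved),
        "modified": sorted(p for p in current
                           if p in approved and current[p] != approved[p]),
        "missing": sorted(p for p in approved if p not in current),
    }

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:   # stands in for an HMI install dir
        write(root, "hmi.exe", b"hmi build 1")
        write(root, "driver.dll", b"driver build 1")
        write(root, "readme.txt", b"not executable")
        approved = inventory(root)                # baseline taken at commissioning
        write(root, "hmi.exe", b"hmi build 1 + change")  # altered outside change mgmt
        write(root, "tool.bat", b"echo hi")              # new, never approved
        os.remove(os.path.join(root, "driver.dll"))
        return sorted(approved), audit(approved, root)
```

Each entry in the audit result is a question for change management: an approved change should arrive together with an updated inventory, so anything reported here was either not approved or not recorded.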

Complementary host hardening measures significantly enhance protection when combined with application whitelisting. The federal industrial control systems security guidance document provides detailed recommendations for host hardening specific to ICS environments, including [8]:
• Disabling unused ports and services to reduce the attack surface
• Providing least privileges to user accounts/groups to limit potential damage
• Disabling USB ports and drives to prevent unauthorized media use
• BIOS protection to prevent unauthorized modifications to startup configuration
• Host-based firewalls to control communications at the endpoint level

The federal industrial control systems security guidance document emphasizes that these measures are especially critical for legacy systems where standard security updates may not be available, noting that "security controls must be selected and implemented according to the specific ICS application and environment" [8].

Table 3 Comparative Effectiveness of Security Controls for Legacy SCADA [5, 7, 9]

| Security Control | Effectiveness Rating |
|---|---|
| Unidirectional gateways | 100% |
| Protocol-aware IDS | 89% |
| Traditional IT security solutions | 17% |
| Application whitelisting | 99.90% |
| Traditional antivirus | 61% |

5. Unidirectional Security Gateways and Data Diodes for Critical SCADA Protection

Unidirectional security gateways provide a robust defense for critical SCADA infrastructure by physically enforcing one-way information flow. According to the researchers, these technologies offer a deterministic security solution that "guarantees that information can flow only from one network to another network, but not the reverse," making them particularly valuable for protecting critical control systems [9]. Their research emphasizes that unidirectional technologies can maintain the operational benefits of interconnection while eliminating the security risks of bidirectional communication paths.

Implementation of unidirectional gateways shows compelling security improvements across multiple scenarios that researchers have documented:
• Historian data transfer: Enabling secure transmission of operational data to business networks while physically preventing return communications [9]
• Monitoring-only access: Providing visibility to external stakeholders through replicated servers without allowing control capabilities [9]
• Patch distribution: Allowing controlled updates while preventing direct connections to control systems [9]
• Safety system isolation: Ensuring that safety instrumented systems remain protected from potentially compromised networks [9]

Researchers distinguish between hardware and software implementations, noting that hardware-enforced solutions provide the highest level of assurance through physical means such as optical isolation [9]. Their analysis indicates that hardware solutions are particularly appropriate for high-security applications where reliability of the security mechanism is paramount.

Research from a European gas distribution utility supports these findings, documenting that their implementation of unidirectional gateways delivered significant security improvements while maintaining operational requirements [10]. A European gas distribution utility deployment allowed them to achieve both security and business objectives by enabling secure data transfer between previously isolated SCADA systems and enterprise networks. Their implementation maintained data availability for business intelligence purposes while eliminating the risk of command injection or other attacks originating from corporate networks [10].

This approach aligns with defense-in-depth strategies recommended by both researchers and industry case studies, providing a critical layer of protection for the most sensitive control system components in pipeline operations.

Table 4 Unidirectional Gateway Implementation Benefits [9, 10]

| Implementation Scenario | Security Benefit |
|---|---|
| Historian data transfer | High |
| Monitoring-only access | High |
| Patch distribution | Medium |
| Safety system isolation | High |
| Hardware-enforced solutions | Maximum |
| Software-enforced solutions | Medium |

6. Conclusion

Securing legacy SCADA systems in oil and gas infrastructure presents unique challenges that require specialized approaches tailored to operational technology environments. The complex reality of managing systems designed before cybersecurity was a primary concern necessitates practical strategies that can enhance security without wholesale replacement. Network segmentation forms the foundation of an effective defense strategy, physically isolating critical control systems from potential attack vectors while enabling necessary business integration. This segmentation, when implemented according to ISA/IEC 62443 standards, creates security zones with controlled communication paths that significantly reduce the attack surface. The deployment of industrial protocol-aware intrusion detection systems provides essential visibility into control system communications that traditional IT security tools cannot interpret, enabling the detection of potentially malicious commands that would otherwise appear as normal traffic. Application whitelisting serves as a powerful compensating control for systems that cannot be regularly patched, preventing unauthorized code execution without requiring frequent updates. Host hardening measures further strengthen endpoints through service reduction, least privilege implementation, and removable media controls. For the most critical components, unidirectional security gateways provide deterministic protection by physically ensuring one-way information flow, eliminating the possibility of command injection from external networks while maintaining operational data visibility. Together, these defense-in-depth measures provide a practical roadmap for enhancing the security posture of legacy SCADA systems without compromising operational requirements or incurring prohibitive costs.

References
[1] Industrial Control Systems Cyber Emergency Response Team, "ICS-CERT Annual Assessment Report FY 2016," 2016. Available: https://www.cisa.gov/sites/default/files/Annual_Reports/FY2016_Industrial_Control_Systems_Assessment_Summary_Report_S508C.pdf
[2] Trend Micro, "Survey 1 IT and OT with people, process, technology," 2021. Available: https://www.trendmicro.com/en_us/research/21/c/new-survey-report-released-the-state-of-industrial-cybersecurity-part-1.html
[3] Barbara Filkins and Doug Wylie, "2019 SANS State of OT/ICS Cybersecurity Survey," SANS Institute, 2019. Available: https://www.radiflow.com/wp-content/uploads/SANS-survey_ICS-2019_Radiflow-1.pdf
[4] Jess Smith, et al., "Defense-in-Depth Security for Industrial Control Systems," Sensible Cybersecurity for Power Systems: A Collection of Technical Papers Representing Modern Solutions, 2022. Available: https://selinc.com/api/download/115498/
[5] Industrial Control Systems Cyber Emergency Response Team, "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies," 2016. Available: https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
[6] U.S. Department of Energy, "Cybersecurity Capability Maturity Model (C2M2)," 2022. Available: https://www.energy.gov/ceser/cybersecurity-capability-maturity-model-c2m2
[7] Keith Stouffer, et al., "NIST Special Publication 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security," 2015. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
[8] Keith Stouffer, et al., "NIST Special Publication 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security," 2023. Available: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r2.pdf
[9] RE Mahan, et al., "Secure Data Transfer Guidance for Industrial Control and SCADA Systems," Pacific Northwest National Laboratory, 2011. Available: https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-20776.pdf
[10] Colin Blou, and VP Sales, "Network Architecture & Security Requirements," Waterfall, 2014. Available: https://www.theinnovationgroup.it/wp-content/uploads/2015/05/Colin_CyberSecurity-Rome.pdf