Guides

Protect PLCs and legacy systems from cyber ​​attacks

Learn how to protect legacy PLCs and Windows XP systems from cyberattacks in industrial environments.

Protect PLCs from cyber ​​attacks

5 August 2025

Table of contents

  • Legacy devices: the weakest link in critical infrastructure
  • Main threats to legacy systems
  • Defensive strategy: segmentation and isolation
  • Continuous monitoring and intrusion detection
  • Securing Windows XP and legacy HMIs
  • Virtual patching and industrial proxy solutions
  • Application whitelisting
  • Training and legacy device usage policies
  • Secure migration roadmap

In many industrial companies, obsolete systems such as Windows XP, older Siemens S7 PLCs, and legacy HMIs remain at the core of production lines. While they ensure continuity of operations, they also expose the infrastructure to severe cyber security risks.

This article provides a technical guide on how to protect legacy PLCs and outdated devices from cyberattacks, with practical strategies tailored for professionals in industrial cyber security.

Legacy devices: the weakest link in critical infrastructure

Legacy systems like Windows XP, Windows 7, Siemens S7-300/400 PLCs, or unsupported HMI software are still widely used in SCADA and ICS environments. These devices:

  • no longer receive security updates,
  • operate with unencrypted protocols (e.g., Modbus, Profibus),
  • rely on discontinued software platforms,
  • are costly and complex to replace.

Hackers can exploit these vulnerabilities to disrupt operations, steal sensitive data, or even sabotage machinery.

Practical example
An industrial plant using a Siemens S7-300 PLC connected to an HMI running Windows XP SP2 is exposed to attacks such as Stuxnet or Industroyer, which can abuse unauthenticated S7Comm traffic to inject malicious commands into the PLC.

Main threats to legacy systems

Outdated devices are vulnerable to multiple attack vectors:

  • Unauthorized access
    Due to weak or no authentication.
  • Ransomware
    Windows XP is highly exposed to EternalBlue (used in WannaCry).
  • Man-in-the-middle attacks
    On unsegmented, unencrypted Ethernet networks.
  • Malicious scripting via HMI
    Tampering with SCADA software commands.
  • Firmware hijacking
    Many older CPUs accept unsigned firmware updates.

Defensive strategy: segmentation and isolation

A key principle in OT cyber security is to isolate legacy systems from IT and external networks.

1. Network segmentation (with VLANs and industrial firewalls)

  • Place PLCs and HMIs in a dedicated OT network.
  • Use Layer 3-4 firewalls with strict rules between IT and OT.

2. Air-gapping and industrial DMZs

  • Where possible, fully isolate unsupported devices.
  • Deploy a demilitarized zone (DMZ) to filter traffic between IT and OT.

Example network design

Internet

   |

Firewall (UTM)

   |

IT Network -- Industrial DMZ (proxy + AV) -- OT Firewall -- OT Network (PLCs, HMIs)

Continuous monitoring and intrusion detection

Since legacy systems often can’t be patched, real-time monitoring is critical:

  • Deploy ICS-friendly IDS/IPS tools (Snort, Suricata, Nozomi Networks, Claroty).
  • Generate alerts for anomalies or unauthorized firmware changes.
  • Analyze device access logs (if available).

Many Siemens S7 PLCs support diagnostic tools such as S7-Online to monitor PLC status and identify any suspicious commands.

monitor PLC status

Securing Windows XP and legacy HMIs

1. Remove unnecessary services

Disable SMBv1, Telnet, NetBIOS, Remote Desktop, and other exposed services.

2. Block unknown executables

Implement AppLocker (if available) or similar solutions to block unauthorized code execution.

3. Emergency patches and workarounds

Microsoft released a few emergency patches (e.g., for WannaCry). If patching is impossible, use virtual patching through modern firewalls.

Virtual patching and industrial proxy solutions

When devices can’t be upgraded, use:

  • Virtual patching
    Network-based filtering that blocks known exploits.
  • Industrial proxies
    Inline devices that inspect and sanitize communications.

Example
An OT gateway can decode S7Comm traffic, enforce protocol compliance, and reject suspicious commands.

Application whitelisting

On Windows-based HMIs, use application whitelisting to limit execution only to approved software:

Allowed: C:\Program Files\Siemens\WinCC\*.exe

Blocked: C:\Users\Temp\*.exe

This approach is critical where HMIs are exposed to USB devices or non-technical operators.

Logging and offline backups

Legacy systems should be complemented with:

  • Local and remote logging (e.g., Syslog output to central SIEM).
  • Offline backups of PLC/HMI project files, tested regularly.
  • Strict control over removable media (e.g., USB whitelisting).

Training and legacy device usage policies

Plant operators must be trained to:

  • Recognize phishing and social engineering attempts.
  • Avoid using unauthorized USBs.
  • Not modify network settings or install software.

Companies should adopt formal legacy device management policies, including decommissioning plans.

Secure migration roadmap

Running legacy systems securely is feasible—but long-term security demands migration:

  • Build an accurate asset inventory with firmware/software versions.
  • Perform risk assessments based on likelihood and impact.
  • Define mitigation measures (e.g., proxy, firewall, monitoring).
  • Plan gradual replacement of high-risk components.

To conclude…

Legacy systems such as Windows XP and older Siemens S7 PLCs are a significant risk for industrial cyber security, but multi-layered defense strategies can mitigate that risk. While modernization is the future, today’s priority is securing what can’t yet be replaced—through isolation, monitoring, and proactive defense.

Questions and answers

  1. Are Siemens S7-300 PLCs still secure?
    Not by today’s standards. They must be isolated and monitored with firewalls and IDS.
  2. How can I secure Windows XP in a plant?
    Apply network isolation, disable legacy services, and use application whitelisting.
  3. What is virtual patching?
    A network-based technique that blocks known exploits without altering the vulnerable system.
  4. Can ransomware affect PLCs?
    Indirectly. It can attack HMI/SCADA systems, disabling the control layer.
  5. Can I update a Siemens S7-300 PLC?
    Some firmware updates exist, but replacement is usually the safer path.
  6. Which firewalls are best for OT networks?
    Use industrial-grade firewalls with ICS protocol support (e.g., S7Comm, OPC).
  7. Must legacy systems be replaced?
    Eventually yes, but meanwhile, compensating controls can mitigate the risk.
  8. Are there antivirus solutions for SCADA?
    Yes, vendors like Kaspersky and Fortinet offer SCADA-specific AV tools.
  9. Is it safe to use VPNs for PLC remote access?
    Yes, but only with strong authentication (certificates, MFA) and careful configuration.
  10. How can I identify legacy devices on the network?
    Use automated asset inventory tools, passive scans, and OT asset managers.
5
To top