Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Supporting Digital Transformation with Legacy Components

Digital transformation concept. Binary code. Programming. Quantum computer.
Credit: iStock/metamorworks

“Information is the oil of the 21st century, and analytics is the combustion engine.”
– Peter Sondergaard, Senior Vice President, Gartner Research

Digital transformation (DX) promises increased competitiveness, optimized processes and profitability through big data, along with improved employee and customer relations. Gathering data is essential in the 21st century data-oriented environment and requires flexible, interconnected components. Businesses will need people with the specialized skills to implement and optimize all of this. Beyond that, each firm will have to work with its unique DX plans and existing IT environment.

Legacy Components Can Limit DX Efforts

DX efforts are typically divided into three phases: digitization (transitioning from analog to digital data), digitalization (processing and analyzing digital data), and digital transformation (building on digitalization to optimize the business).

The first phase, digitization, can be impacted by dependence on legacy components, particularly within industrial control system (ICS) environments. The need to digitize information to move forward with DX efforts can create numerous challenges between IT and operational technology (OT) assets. For example:

  • Organizations may not be able to find individuals with the expertise to maintain or modify legacy system components.
  • Integration with cloud services and other systems may be difficult with legacy components that don’t support the latest communication technologies like Transport Layer Security (TLS) version 1.3 or Simple Message Block (SMB) version 3.
  • Deploying smart devices, also referred to as the Internet of Things (IOT) or Industrial Internet of Things (IIOT), may be limited by legacy network segmentation (e.g. the Purdue Model of Computer Integrated Manufacturing shown in Figure 1) to isolate ICS components from the corporate environment and internet to reduce the risks posed by viruses and malicious actors.

The Reality of DX With Legacy Systems

Figure 1: Purdue Model of Computer Integrated Manufacturing
Figure 1: Purdue Model of Computer Integrated Manufacturing

Why isn’t everyone upgrading all their devices to realize the benefits of DX? Many reasons. It’s hard to find practical guidance for planning and making DX decisions. Also, financial resources and the personnel to support upgraded components may be lacking. Within ICS environments, it’s difficult validating the safety of upgraded devices, so another barrier is matching the level of trust people have for legacy components.

Trying to meet a firm’s DX priorities using legacy components can result in hybrid implementations that impact safety, availability and cybersecurity. For example, creating a bridged or multi-homed system that connects legacy components to the data collection infrastructures or cloud services might solve connectivity and data sharing issues (see Figure 2). However, this may negate the protections established by the network isolation and communication controls for protecting the legacy components.

Figure 2: Purdue Model Showing a Bridged/Dual-Homed System
Figure 2: Purdue Model Showing a Bridged/Dual-Homed System

Connecting legacy components to support DX data collection without impacting operational capabilities or safety requires careful planning. In some cases, a hybrid approach might work where devices send data to on-premises systems that reside in levels 2 and 3 of the Purdue Model, for example a data historian or edge system.

This can allow access to approved data streams without connecting directly to sensitive OT components or networks. Overall, finding the safest method to achieve DX goals while also protecting people, processes and technology is not easy and requires a collaborative effort between the IT and OT staff members.

Cybersecurity Considerations for DX

Changes to the environment must consider both cybersecurity and DX objectives to minimize organizational risks. NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy provides guidance for establishing a risk management approach for organizations. A key aspect is having a cybersecurity program. One misconception I often hear is that cybersecurity is an IT issue or that it is a technology issue. While we would like this to be true, the reality is that cybersecurity spans the entire organization. The NIST Framework for Improving Critical Infrastructure Cybersecurity and the NISTIR 8183 Rev. 1, Cybersecurity Framework Version 1.1 Manufacturing Profile, are guides that can assist organizations with approaching the challenges or defining and implementing a cybersecurity program in a methodical and consistent way. With a cybersecurity and risk management program in place, organizations can evaluate changes to the environment to verify that they meet their DX goals while also minimizing the cybersecurity risks. While there will always risk, the key is for organizations to find the balance that minimizes risks while also achieving the organizational, regulatory and cybersecurity requirements.

As previously mentioned, legacy components can add complexity to implementing DX and cybersecurity. Careful planning and testing whenever possible is strongly recommended. Building on the NISTIR 8183, NIST also published the Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide to provide a more quantitative approach to determining the performance impact on ICS environments when implementing common cybersecurity controls based on the guidance and recommendations in NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security.

The MEP National Network™ Can Help You Plan and Implement DX

More interconnections supporting rapid and accurate data gathering are needed to achieve DX objectives and each company’s approach will depend on the types of legacy components within the environment. While upgrading legacy components would be ideal, the reality is that many firms need to support DX with their existing technology. When planning, organizations should carefully balance how to integrate with their existing processes and devices while also protecting their people, data and devices.

Implementing DX can be a daunting task, but is manageable with careful planning, collaboration among company IT and OT staff and the use of valuable resources such as NIST publications and the MEP National Network.

The MEP National Network can help companies find the right balance through strategic planning and offer guidance for DX investments. Contact your state’s MEP Center for more information on services offered across the country and in Puerto Rico.

About the author

Michael Pease

Michael Pease joined the Engineering Lab at the National Institute of Standards and Technology (NIST) in 2018 with more than 25 years of experience in both the public and private sector supporting information technology (IT), Cybersecurity, and maintaining cybersecurity programs for IT and operational technology (OT) environments. Michael is currently focused on cybersecurity for industrial control systems (ICS) and their operating environments as a member of the Cybersecurity for Smart Manufacturing Systems Project. Working collaboratively with the NIST Computer Security Division (CSD), the National Cybersecurity Center of Excellence (NCCoE), and the Manufacturing Extension Partnership (MEP), Michael supports developing specific guidance on the application of NIST security standards and guidelines to ICS environments.

Michael has a Bachelor of Science in Mechanical Engineering from the University of Maryland, College Park and hold certifications from both ISACA and (ISC)2 including Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), and Certified Risk and Information Systems Control (CRISC). Additionally, Michael is a Certified Java Programmer and is proficient in multiple technologies including JavaScript, .Net, Python, and C/C++ in addition to SQL and non-SQL databases.

Related posts

Making it Happen in a Man’s World

With a career of more than 40 years in the manufacturing industry, I can look back now and see that I was greatly influenced by my father, who worked for an


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.