The Politecnico di Milano and Trend Micro have created a guide for developing with the legacy programming languages used in industrial engineering.
The University of Engineering Sciences Milan (Politecnico di Milano) and the cybersecurity company Trend Micro have examined design weaknesses in older programming languages and worked together to develop guidelines on how Industry 4.0 developers should deal with legacy programming languages and their sometimes prominent security gaps in the area of operational technology.
Secure programming despite legacy code in industry
Operational technology (OT) is the technology that runs industrial processes, machines and systems, and it was originally kept separate from IT. Industrial technology is increasingly merging with IT and network technology, which increases the risk of attacks by third parties and raises the requirements for code security. The guidelines are intended to support OT developers in reducing legacy code-related disruptions in their operations.
According to the guidelines, the levers with which the manufacturing industry should start are secure programming by process IT specialists, segmenting and securing networks, and internally traceable and controllable management of the automation code. According to the blog entry, the editors worked with the Robotic Operating System Industrial Consortium for their recommendations. Vulnerabilities in the code could apparently allow potential attackers to hijack industrial robots and automatically interrupt machines and production lines or steal intellectual property.
Best practices for OT code and network security
According to the blog entry, companies in the field of industrial automation technology are hardly prepared for such attacks. The guidelines of the Politecnico di Milano and Trend Micro suggest best practices that help companies increase network security and protect the code of their facilities against outages and attacks.
A number of proprietary programming languages for industrial applications, such as RAPID, KRL, AS, PDL2 and PacScript, were designed decades ago without active external attacks in mind. While these languages are fundamental to numerous automation processes, they cannot easily be brought up to today's security standards. A major risk for the industry is apparently self-spreading malware that could use these legacy programming languages.
For the developers entrusted with it, it may be a tricky task to reduce the vulnerabilities resulting from existing security gaps in older operational technology and to create applications that are as safe as possible despite existing design errors. The software backbone of industrial automation apparently depends largely on legacy technologies that have latent weaknesses in their architecture. As soon as OT systems are connected via a network, it becomes difficult to carry out repairs and updates, explains Bill Malik, Trend Micro’s vice president of infrastructure strategies.
About the editors
The Politecnico di Milano (POLIMI) is the largest technical university in Italy and Milan’s oldest university, founded in 1863. It is currently in the top 20 in the ranking of technical universities worldwide. The POLIMI has a research department for Industry 4.0 (Industry 4.0 Lab). Trend Micro is a company that has its roots in the creation of anti-virus software (since 1988) and the protection of IT systems. It mainly offers instructions for the creation, programming, checking and ongoing maintenance of industrial systems as well as tools for scanning and blocking of potentially vulnerable or malicious code.