Is the replacement and upgrade of the system the only way to treat information security risks? Why would you replace a stable and proven system with “something” new that requires constant patching and constant upgrades with built-in obsolescence, and that brings a new set of errors and vulnerabilities, which is uneconomical and costly? According to ISO 27k, not all risks require new systems or constant patching. One accepted and strategic method of treatment is risk avoidance — and that’s exactly what we do. By isolating the control systems from external exposure, using proven methods such as data diodes and physical segmentation, we remove the attack surface entirely. This approach is compliant, stable, and doesn’t introduce new vulnerabilities — unlike forced upgrades, which often create more cybersecurity issues than they solve. Even your money moves through systems still (in 2026) running on COBOL and Windows XP — because isolation works better than unnecessary change.
So let’s analyze what standards such as ISO 27k are saying.
Risks can be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not cost-effective for the organization. Such decisions should be recorded.
This is exactly what the upgrades are doing – they are very, very costly without bringing anything of value to the organization.
Here we apply network monitoring with the latest tools on the market to detect an intrusion that is impossible.
By isolating the control systems from external exposure, using proven methods such as data diodes and physical segmentation, the attack surface is entirely removed. This approach is compliant, stable, and doesn’t introduce new vulnerabilities — unlike forced upgrades, which often create more cybersecurity issues than they solve.
To keep control systems practically usable, their data needs to be available, so a data diode is a practical solution: it transfers data out of the system while adding zero vulnerabilities, and thus the isolation of the control system is total.
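To show what “one-way only” means in practice for the data diode described above, here is an added example that is not the author’s code and does not follow any real diode vendor’s protocol: it assumes a constructed set of historian records and a simple frame layout of sequence number, SHA-256 digest and JSON payload. Because nothing can flow back to the control system, there are no acknowledgements and no retransmissions, so the receiving side has to detect lost or corrupted frames on its own.

```python
import hashlib
import json

# Constructed sample records leaving the control system through the diode.
SAMPLE_RECORDS = [
    {"tag": "PUMP01.FLOW", "value": 12.4},
    {"tag": "PUMP01.PRESS", "value": 3.1},
    {"tag": "TANK02.LEVEL", "value": 71.0},
    {"tag": "TANK02.TEMP", "value": 18.6},
]


def diode_sender(records, start_seq=0):
    """Packetize records for one-way transmission (assumed frame layout):
    sequence number and integrity digest let the receiver detect loss or
    corruption without any return channel."""
    frames = []
    for seq, rec in enumerate(records, start=start_seq):
        payload = json.dumps(rec, sort_keys=True).encode()
        digest = hashlib.sha256(payload).hexdigest()
        frames.append(f"{seq}|{digest}|{payload.decode()}".encode())
    return frames


def diode_receiver(frames, expected_seq=0):
    """Consume frames on the business side. Returns (accepted records,
    gaps as (first_missing, last_missing), corrupt frame count). There is
    no way to ask the OT side to resend, so gaps are recorded, not recovered."""
    accepted, gaps, corrupt = [], [], 0
    for frame in frames:
        seq_s, digest, payload = frame.decode().split("|", 2)
        seq = int(seq_s)
        if hashlib.sha256(payload.encode()).hexdigest() != digest:
            corrupt += 1  # damaged in transit; cannot be resent
            continue
        if seq < expected_seq:
            continue  # duplicate or reordered frame already accounted for
        if seq > expected_seq:
            gaps.append((expected_seq, seq - 1))
        expected_seq = seq + 1
        accepted.append(json.loads(payload))
    return accepted, gaps, corrupt


def simulate(drop=(), corrupt=()):
    """Send SAMPLE_RECORDS through the one-way channel, optionally dropping
    or corrupting frames by index to show what the receiver can observe."""
    delivered = []
    for i, f in enumerate(diode_sender(SAMPLE_RECORDS)):
        if i in drop:
            continue
        delivered.append(f[:-1] + b"!" if i in corrupt else f)
    return diode_receiver(delivered)
```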
The answer is: not at all!
Upgrading to a new system introduces a whole new set of risks that do not exist in your current control system, such as:
There is no need to follow nonsense OEM roadmaps – there is no need to compete on price – there is a need to find a rational and economically sustainable way, shifting clients away from forced CAPEX cycles toward a more predictable OPEX model aligned with operational continuity.