
How Legacy Systems Raise Your Business Risk  

By: Hansja Haarsma, Northwave Information Security Officer
Published: June 2026

The Sword Of Damocles In Cyber Security

This article is part of a three-part series on legacy system risks and how to mitigate them. It’s based on Hansje’s academic thesis, “Shadow of the Past”, which examined legacy risks for universities beyond conventional mitigation strategies, developed as part of a cyber security masterclass program at Antwerp Management School. You can read the research article in a Springer volume, published 24 May 2026.

The “Sword of Damocles” symbolises a constant threat or an impending disaster that can strike at any moment. This is what legacy systems could be for your organisation. While new developments in AI and quantum computing are getting a lot of attention right now in cyber security, deeply embedded legacy systems can be quietly raising your risk.

Northwave encounters legacy systems all the time, both in Information Technology (IT) and Operational Technology (OT) environments, at our clients and when our CERT team is called to an organisation to handle a crisis originating from a legacy system. Too often, organisations aren’t aware of how many legacy systems they still rely on, or how exposed these systems have become over time. In this first blog of our three-part series, we dive into what legacy systems are and the specific risks they pose for organisations.

What Does Legacy Mean in OT and IT?

A system is legacy when it can no longer effectively support current software, lacks necessary updates, or is no longer compatible with newer systems but is still in use within an organisation. This can be any old system, whether it is an old server, IP-camera, a dam, or a 30-year-old milk packaging machine. When systems do not receive regular updates or support anymore, it can lead to security vulnerabilities, continuity and/or availability issues or operational inefficiency.

In addition to the term ‘legacy’, you may also hear about End-of-Life (EoL) and End-of-Support (EoS). Legacy systems, end-of-life (EoL), and end-of-support (EoS) are related but not the same.

  • End-of-Life (EoL) refers to the date when a vendor stops selling or developing a product. The software or hardware may still function at this point, but it won't receive any new features, security upgrades, or performance enhancements. In some cases, there is extended support, but this is meant to provide time for a safe migration.

  • End-of-Support (EoS) indicates that all technical assistance and security updates for a product have ceased. After this point, the software may still function, but it becomes increasingly vulnerable to security threats due to the lack of ongoing support and updates.

In short, a legacy system is simply an older system that is still in use, while EoL means the product is no longer being developed or updated. EoS means the vendor no longer provides support, maintenance, or patches. A legacy system can also be EoL or EoS, but it does not have to be.

From a security perspective, legacy, end-of-life, and end-of-support systems are risky because they no longer receive regular updates and patches. Systems with known vulnerabilities become attractive targets for attackers. These systems may also rely on outdated protocols or weak authentication, which can increase the chance of data breaches or ransomware attacks. In addition, using unsupported software can create compliance issues and weaken overall security.


Key Differences Between Legacy Systems in IT and OT Environments

Understanding the differences between legacy systems in IT and OT environments is crucial, because the same outdated technology can create very different risks depending on whether it affects data, uptime, or even physical safety. A one-size-fits-all approach can leave organisations exposed where it matters most.  

Operational Priorities

  • IT Environments: Focus on managing data, ensuring data security, and maintaining operational efficiency. Regular updates are essential to protect against cyber threats and improve functionality.

  • OT Environments: Prioritise stability and safety of physical processes. Legacy systems often rely on older technology, making frequent updates risky as they could disrupt critical operations.

Technology and Infrastructure

  • IT Systems: Typically use modern technologies and are designed for flexibility, allowing for regular patches and updates to enhance performance and security. Security approaches include endpoint security, zero trust, and patching.

  • OT Systems: Often consist of older infrastructure that is less adaptable. The emphasis is on maintaining continuous operation of machinery and processes, which can lead to a reluctance to implement updates. Security approaches include segmentation, monitoring, and minimal disruption.

Risk Management

  • IT Risks: Primarily involve data breaches, financial loss, and reputational damage. The focus is on protecting sensitive information.

  • OT Risks: Include production loss or downtime, potential equipment damage, and/or safety incidents. The consequences of a failure in OT systems can be severe, affecting not just the organisation but also public safety.

Legacy in IT and OT security mainly increases exposure because older systems are harder to patch, harder to monitor, and easier to attack. In OT, the impact is often worse because security fixes can disrupt production or safety-critical processes. Additionally, OT is often linked to IT and, looking at the totality of your network, it is only as strong as your weakest component.

Main Risks in Legacy IT and OT Systems

Now that you understand the difference between IT and OT legacy systems, it’s important to recognise the specific risks they introduce. Both environments share common vulnerabilities, but their impact can differ significantly depending on context. The table below outlines the main risks associated with legacy IT and OT systems and why they matter.

| Vulnerability | The risk and what it means | Why it matters in IT/OT |
|---|---|---|
| Unsupported software and hardware | Systems reach end-of-life and no longer get patches or vendor support. Examples: unpatched Windows versions, unsupported PLC firmware, or limited logging in older control environments. | Known vulnerabilities stay open, which is especially dangerous in both enterprise IT and industrial control systems. |
| Weak or missing security controls | Older environments may lack encryption, strong authentication, MFA, or secure protocols. | Attackers can intercept traffic or gain unauthorised access more easily. |
| Limited visibility and logging | Legacy systems often provide poor logs, monitoring, or telemetry. | Security teams may not detect intrusions quickly, increasing dwell time and damage. |
| Incompatibility with modern tools | Older platforms may not work well with EDR, SIEM, segmentation, or identity tools. | This reduces the effectiveness of detection and response in mixed IT/OT environments. |
| Lateral movement risk | Flat networks and weak segmentation let attackers move from one system to another. | A compromise in one legacy node can spread across IT or into OT operations. |
| Compliance gaps | Legacy systems may not support current security and audit requirements. | This can lead to failed audits, fines, or inability to meet standards like NIS2, NIST, or sector rules. |
| Higher downtime risk | Patching, replacement, or compensating controls can be hard to apply without outages. | In OT, this can interrupt production. In IT, this can delay remediation. |
| Greater operational impact | Legacy OT often supports critical physical processes. | A cyber incident can become a safety, reliability, or business-continuity event, not just a data issue. |
| Lack of expertise | Knowledge about older systems disappears as experienced employees leave, which makes maintenance more difficult. | This applies in both IT and OT. |

Added Risk in OT

OT legacy systems are especially risky because they were often built for reliability and long lifecycles, not for security-by-design, which has become the default in recent years and is a requirement of the new Cyber Resilience Act (CRA). That means outdated protocols, weak segmentation, and limited patching are common, while downtime for upgrades is costly and sometimes unacceptable. In practice, this makes legacy OT a tempting target for ransomware, malware, and unauthorised access. In the next blog in this series, we discuss some examples of how legacy systems are exploited in OT and IT.

The Real Problems with Old Tech

Despite the risks associated with legacy systems, many organisations continue to use them. Common reasons we hear are:

  • the cost and complexity of migrating to a new system
  • difficulty training employees to use a new system
  • “why fix something if it is not broken?”

And yet, when organisations hang on to these outdated systems, the biggest issue is not just “old technology,” but the combination of unpatched vulnerabilities, weak visibility, and difficult modernisation. These vulnerabilities are exploited even faster in the age of AI, making the need for patching or phasing out unsupported systems even more important. In IT, this usually raises breach and compliance risk; in OT it can also affect uptime, safety, and physical operations.

Keep following this blog series for insights from real incidents our CERT has encountered in the legacy landscape with examples in OT companies. Further, we will explain a governance method that helps organisations approach legacy in a structured way, making it easier to prioritise risks, compare systems consistently, and decide where to invest first, instead of reacting to legacy issues only when something breaks.
