Legacy OT Systems Pose Rising Cybersecurity Risks Amid Digital Transformation

As “Stranger Things” captures global attention with its 1980s nostalgia, a very real lesson emerges for operational technology (OT) environments: clinging to legacy systems can invite serious cybersecurity risks. While the show’s Hawkins Lab conjures monsters from the Upside Down, outdated industrial systems can similarly become gateways for cyber threats in critical infrastructure.

Nation-state actors, including groups like Volt Typhoon, have gained persistent access to essential networks such as telecommunications providers by exploiting common vulnerabilities in legacy devices. These attacks often do not require sophisticated zero-day exploits; standard flaws in industrial networking equipment are sufficient for infiltration.

The challenge stems from the complexity of OT environments, which often span multiple locations and integrate both IT and industrial networks. Legacy control systems—including SCADA platforms, PLCs, and other industrial devices—were typically designed without modern cybersecurity in mind. With the push for digital transformation and IT/OT convergence, many of these systems are now internet-connected, leaving outdated protocols like Modbus and DNP3 exposed to potential attacks.

Security efforts are further complicated by operational priorities. Many industrial systems must remain online to maintain production, which slows patch deployment or makes updates impossible. Some OT environments still rely on decades-old software such as Windows XP, long unsupported and vulnerable to exploitation.

Advanced persistent threats (APTs) such as Volt Typhoon and Salt Typhoon illustrate the dangers of neglecting OT security. These groups exploit known vulnerabilities, establish persistence through legitimate access tools, and modify network configurations to evade detection. CISA recommends organizations prioritize patching critical vulnerabilities, monitor for indicators of compromise, and plan for phased replacement of outdated technology.

Frameworks developed over the past three decades, including the Purdue Enterprise Reference Architecture (PERA) and IEC 62443, offer guidance for protecting industrial systems. These models emphasize patch management, network segmentation, and asset inventory creation—practices critical to defending systems that cannot be fully updated. CISA’s recent 2025 guidance highlights the importance of classifying and monitoring devices, managing insecure protocols, and mitigating weak authentication or insufficient segmentation.
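The asset inventory, protocol, and segmentation checks described above can be sketched as a small audit script. This is an added example, not code from the article, CISA, or either framework. The addressing plan, the "no insecure-protocol flow may skip a Purdue level" policy, the sample records, and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed): subnet -> Purdue level.
ZONES = {
    "10.10.1.0/24": 1,  # PLCs / RTUs (basic control)
    "10.10.2.0/24": 2,  # HMI / SCADA servers (supervisory control)
    "10.10.3.0/24": 3,  # site operations, historians
    "10.40.0.0/16": 4,  # enterprise IT
}
# IANA-registered ports for protocols that carry no native authentication.
INSECURE_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}
UNSUPPORTED_OS = {"Windows XP"}

def purdue_level(ip):
    """Map an address to its Purdue level; unknown addresses count as external (5)."""
    addr = ipaddress.ip_address(ip)
    for net, level in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return level
    return 5

def audit(assets, flows):
    """Return findings for unsupported OSes and insecure-protocol flows
    that cross more than one Purdue level (assumed segmentation policy)."""
    findings = []
    for asset in assets:
        if asset["os"] in UNSUPPORTED_OS:
            findings.append(("unsupported-os", asset["ip"], asset["os"]))
    for src, dst, port in flows:
        proto = INSECURE_PORTS.get(port)
        if proto is None:
            continue  # only the insecure industrial protocols are in scope here
        s, d = purdue_level(src), purdue_level(dst)
        if abs(s - d) > 1:
            findings.append(("segmentation", f"{src} -> {dst}", f"{proto} L{s}->L{d}"))
    return findings

# Constructed sample data, not taken from any real network.
SAMPLE_ASSETS = [
    {"ip": "10.10.2.15", "os": "Windows XP", "role": "HMI"},
    {"ip": "10.10.1.20", "os": "vendor firmware", "role": "PLC"},
]
SAMPLE_FLOWS = [
    ("10.10.2.15", "10.10.1.20", 502),       # HMI -> PLC, adjacent levels
    ("10.40.7.9", "10.10.1.20", 502),        # enterprise host -> PLC
    ("203.0.113.50", "10.10.1.21", 20000),   # external address -> RTU
    ("10.40.7.9", "10.10.3.5", 443),         # HTTPS to historian, out of scope
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(finding)
```

In practice the flow tuples would come from firewall or NetFlow exports and the asset list from the inventory the frameworks call for.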

The lesson for organizations is clear: nostalgia for legacy systems must not override security considerations. While wholesale replacement of entrenched OT infrastructure is often impractical, understanding vulnerabilities, maintaining visibility, and following established security frameworks are essential to mitigating risk.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO