The OT security time bomb: Why legacy industrial systems are the biggest cyber risk nobody wants to fix

When I first secured a production line, part of the control system was still running on an unpatched Windows XP machine tucked under a lab table — right next to the state-of-the-art GMP manufacturing setup that produced millions in value every day. Everyone knew that the system was a risk, but no one was willing to touch it as long as it “still worked.” That mix of technical debt, operational pressure and regulatory risk makes legacy operational technology (OT) today a time bomb — especially in energy and pharma.

We have modern attackers, but outdated systems

In nearly every OT security assessment I’ve led, I find the same setup: On the IT side, teams talk about zero trust, XDR and AI support in the SOC. On the OT side, they’re wrestling with outdated protocols, unsupported operating systems and “air gaps” that have long been pierced by remote access and integrations. While critical infrastructure regulations and directives now explicitly include OT, the technical reality in many plants is still stuck in the 2000s.

Many facilities still use legacy operating systems like Windows XP or Windows 7, often without ongoing support and thus without regular security updates.

OT protocols like Modbus or older versions of Profinet were never designed for authentication or encryption, yet they’re used across networked infrastructures today.

The convergence of IT and OT — through MES, historian systems, remote maintenance and cloud connections — creates seamless paths for attackers from the office network into the control room.

This isn’t theory: Real incidents like Stuxnet, Triton and the ransomware attack on Colonial Pipeline have vividly shown how IT vulnerabilities can bleed into critical OT processes. These cases have become reference points in the OT security community — not because they’re exotic outliers, but because they expose mechanisms that exist in many OT environments today.

Why everyone knows it’s burning — but nobody pulls the fire alarm

When I talk to OT managers, production leads or plant engineers, I rarely hear, “We didn’t know we had a problem.” Far more often, it’s, “We know it’s critical — but we can’t just shut it down.” This gap between awareness and action is the real risk.

From my experience, there are three core blockers:

Downtime is the ultimate taboo. In a 24/7 production environment, any planned shutdown means real revenue loss. At the same time, demands for availability and delivery reliability are rising — especially in energy and pharma, where interruptions can have societal impacts. In this situation, security becomes something to consider “in the next big retrofit” — a retrofit that often gets postponed for years.

Cultural and language gaps between IT and OT. OT teams are trained on safety in terms of process and plant safety, not cybersecurity. Their priorities are stability, determinism and physical security; abstract discussions about zero-day exploits often feel far removed from daily life on the floor. Conversely, many IT teams underestimate how finely tuned production processes are and how quickly a misplaced scan or aggressive vulnerability check can disrupt a plant.

Budget and responsibility diffusion. In many organizations, it’s unclear who’s strategically responsible for OT security: the CISO, COO, site leadership or engineering? Evolving regulations sharpen this by explicitly holding management accountable and introducing potential liability for inadequate cyber risk management. Yet investment decisions are often still driven by CapEx logic and OEE metrics — security measures that prevent outages only show up indirectly.

In sum, this creates a paradoxical situation: Organizations with the most critical processes often have the least willingness to change their OT landscape — and thus the highest exposure to modern attack patterns.

When legacy OT meets modern attackers

The last few years have shown how attackers have professionalized and oriented toward industrialized, scalable business models — ransomware-as-a-service is the most visible example. At the same time, studies show a significant share of industrial companies have logged cyber incidents on their legacy OT systems in the past 12 months. From my practice, a pattern has emerged that I see repeatedly.

Typically, a modern attack on an OT-heavy organization unfolds in several steps:

Initial access through IT — not OT

Attackers compromise the office network first, often via phishing, unpatched web apps or weak VPN access. The Colonial Pipeline case is textbook: A compromised VPN account without multi-factor authentication was enough to trigger a cascade of events that ended in the precautionary shutdown of a key supply network.

Lateral movement through poorly segmented networks

Once inside the enterprise network, attackers hunt for paths toward OT — often via poorly documented interfaces, historian systems, remote desktop access or transition zones without clear segmentation. Missing zone and conduit architectures per IEC 62443, flat networks and inadequately hardened jump hosts make this step far easier.

Exploitation of outdated systems and a lack of monitoring

In the actual OT environment, attackers encounter a mix of obsolete operating systems, proprietary protocols and low monitoring levels. Many systems aren’t integrated into a central SIEM, and there’s no dedicated OT SOC with playbooks for industrial incidents. That makes it simple to encrypt critical systems or manipulate control logic before anyone spots anomalies in process data.

Business impact far beyond the plant

The immediate effects of an OT incident range from production halts and quality issues to risks for employees and the environment. For critical infrastructures, add regulatory fallout, reputational damage and potential interventions from oversight bodies under relevant regulatory frameworks.

Especially in energy and pharma companies, these scenarios are no longer seen as “black swans” but are factored into business continuity and risk analyses. Yet the structural weakness persists: As long as legacy OT remains untouched at the core, even sophisticated IT security programs are only partially effective.

Energy and pharma: When OT failures become systemic issues

In energy projects, I repeatedly see how technical risks intertwine with geopolitical and regulatory frameworks. Power grids, pipelines and generation plants are not just essential entities under critical infrastructure regulations; in many countries they are also subject to sector-specific security laws.

In energy supply, a compromised control room or manipulated protection system can directly lead to grid instabilities that cascade outward.

In pharmaceutical production, OT incidents threaten not just production stops but also quality and compliance violations, like when batch data, environmental conditions or formulations become unreliable.

Especially in pharma, I often encounter modernized frontends and MES landscapes over a core of old controls, whose validation status is used like a shield against any change. The fear of losing GMP validations leads to outdated systems staying untouched for regulatory reasons — even though the same regulators now view cybersecurity as integral to product and process safety.

For both sectors, OT security is no longer a niche topic but directly tied to business continuity, compliance and — in energy’s case — supply security.

How I help clients defuse the OT time bomb

Over the years, I’ve developed an approach with various organizations that resolves the contradiction between “We can’t afford to go down” and “We can’t afford this status quo anymore.” The key is viewing legacy OT not as a monolithic problem but as a portfolio of risks that can be prioritized and addressed in phases.

In practice, a multi-step process has proven effective for me:

Ruthless inventory — but risk-based

In the first step, I work with OT and IT teams to create transparency: Which assets are truly critical, which systems are outdated, where are the key IT-OT interfaces? Tools for OT asset discovery and passive network analysis help uncover even “forgotten” components without disrupting production. Crucially, we bring in a risk perspective from the start: Not every old controller is automatically the biggest issue — process criticality, exposure and potential impact decide.

Segmentation first — without waiting for the big retrofit

Instead of waiting a decade to replace every legacy component, I collaborate with many clients to first structure the network architecture per IEC 62443 principles. That means defining zones and conduits, installing firewalls and industrial DMZs, consolidating and hardening remote access. Even if legacy systems keep running inside these zones, clear segmentation massively reduces options for lateral movement.

Monitoring that understands OT

Classic IT security tools hit their limits in OT environments if they don’t know protocols, process characteristics and operating modes. That’s why I advocate integrating OT-specific monitoring solutions into an existing SOC or a dedicated OT SOC — with use cases focused on industrial anomalies, like unexpected PLC program changes, unusual communication paths or atypical process values. Only with this visibility can organizations shift from reactive firefighting to proactive detection and containment.
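As an added illustration of the monitoring use cases above, and of the zone-and-conduit segmentation from the previous step, here is a small Python rule set (written for this page, not code from the article or from any monitoring product) that evaluates constructed Modbus-style flow records against a conduit allowlist, an engineering-host allowlist for PLC writes, and a process-value baseline. All zone names, hosts, register numbers and value ranges are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone-and-conduit allowlist in the IEC 62443 spirit: which zone pairs
# may communicate, and over which protocols. Anything else is a conduit violation.
CONDUITS: Dict[Tuple[str, str], set] = {
    ("scada", "cell_1"): {"modbus"},
    ("enterprise", "dmz"): {"https"},
    ("dmz", "scada"): {"opc_ua"},
}
# Modbus function codes that change PLC state: write coil/register, multiple writes.
MODBUS_WRITE_FCS = {5, 6, 15, 16}
# Constructed set of engineering workstations that are allowed to write to PLCs.
ENGINEERING_HOSTS = {"ews-01"}
# Constructed baseline: (zone, holding register) -> plausible (low, high) process range.
BASELINE: Dict[Tuple[str, int], Tuple[float, float]] = {("cell_1", 40001): (60.0, 85.0)}

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_host: str
    proto: str
    function_code: Optional[int] = None
    register: Optional[int] = None
    value: Optional[float] = None

def evaluate(flow: Flow) -> List[str]:
    """Return the OT anomaly findings for one flow (empty list if it looks normal)."""
    findings = []
    if flow.proto not in CONDUITS.get((flow.src_zone, flow.dst_zone), set()):
        findings.append(f"conduit violation: {flow.src_zone}->{flow.dst_zone} over {flow.proto}")
    if (flow.proto == "modbus" and flow.function_code in MODBUS_WRITE_FCS
            and flow.src_host not in ENGINEERING_HOSTS):
        findings.append(f"unexpected PLC write (FC {flow.function_code}) from {flow.src_host}")
    baseline = BASELINE.get((flow.dst_zone, flow.register))
    if baseline and flow.value is not None and not baseline[0] <= flow.value <= baseline[1]:
        findings.append(f"atypical value {flow.value} in register {flow.register} (baseline {baseline})")
    return findings

# Constructed samples: normal read, office-network host reaching a cell, write from a
# read-only HMI host, and an out-of-range process value reported by a normal read.
SAMPLE_FLOWS = [
    Flow("scada", "cell_1", "hmi-01", "modbus", 3, 40001, 72.0),
    Flow("enterprise", "cell_1", "fin-laptop-07", "rdp"),
    Flow("scada", "cell_1", "hmi-01", "modbus", 16, 40001, 72.0),
    Flow("scada", "cell_1", "hmi-01", "modbus", 3, 40001, 140.0),
]

def scan(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group findings by source host; hosts with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for f in flows:
        for hit in evaluate(f):
            report.setdefault(f.src_host, []).append(hit)
    return report
```

Running `scan(SAMPLE_FLOWS)` flags the office laptop once and the HMI host twice, while the routine read passes silently; a real deployment would feed such rules from a passive sensor and tune the baselines per process.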

Regulation as leverage — not obstacle

Sector-specific mandates and standards like ISO 27001 or IEC 62443 aren’t burdensome compliance in my view, but a politically and legally backed business case for security. In projects, I translate legal requirements into a roadmap with concrete controls: from risk management and incident response to supply chain security and business continuity planning. This helps management legitimize investments and make priorities transparent — including the message that inaction under evolving regulations is no longer an option.

Stepwise modernization with compensating measures

Not every legacy component can be replaced in the short term. In those cases, I work with compensating controls: hardening the surrounding network, jump hosts with strict access control, protocol gateways, whitelisting and physical security measures. In parallel, we define a realistic renewal path aligned with planned downtimes, retrofit projects and budget cycles — ensuring the next generation of OT systems is set up more securely from the start.

Why now is the time to defuse the OT time bomb

In my view, the moment we’re in today is unique: On one side, pressure is mounting from regulation, insurance markets and real incidents — on the other, there are more technical and organizational tools than ever to systematically reduce OT risks.

Insurers are evaluating industrial cyber risks more granularly and tying terms to proven resilience measures.

Regulators demand not just security controls but demonstrable risk management and clear accountability at the management level.

Security research and practice have built a wealth of experience since Stuxnet, making attack vectors in critical infrastructures much better understood.

For you as a decision-maker in energy or pharma, this means: The OT time bomb under your plant isn’t fate but a design challenge. The question isn’t whether legacy OT poses a risk — the question is whether you’re ready to make it a top priority and initiate the necessary steps before the next incident forces your hand.

If you’re internally debating how to align OT security, compliance and existing production realities, that’s exactly the tension point where I start in engagements — often with a focused, site-specific assessment and a roadmap integrating technical, organizational and regulatory aspects.

If your OT environment was breached tomorrow, could you explain to your board why the risk was known — but accepted?

This article is published as part of the Foundry Expert Contributor Network.