Governing Legacy OT Risk
What industrial organizations actually owe their aging infrastructure, and who is accountable for governing what cannot be replaced
Two manufacturing plants run the same twenty-year-old PLCs. At the first plant, ask about the security posture and you'll hear: "We know they're old and we can't patch them. What are we supposed to do?" At the second, the same question produces a binder: an inventory of every device, a compensating control strategy signed by an executive with an annual review date, a roadmap tied to the next two capital cycles.
Identical hardware. Whether the risk is being managed or merely accepted depends almost entirely on whether anyone has written anything down.
Legacy OT Is Not an Exception. It Is the Baseline.
That gap is where the OT vCISO's work on legacy begins, and it shows up at industrial scale. TXOne Networks' 2025 survey of 550 European OT decision-makers found that half of respondents confirmed at least 50% of their OT environments depend on legacy systems. Twenty percent reported more than 75% legacy dependence. And 43% had experienced a cyber incident targeting those legacy systems in the preceding year.
This article is Part 6 in The Leadership Layer series. The previous article addressed making visibility a funded strategic priority. When visibility is funded, the legacy inventory becomes knowable rather than inferred, and what it reveals is a governance problem that no amount of detection capability resolves on its own.
Why Legacy Persists and Why That's Rational
Replacing OT systems is a question of capital cycles, operational dependencies and physics, not of security willpower. Programmable logic controllers built 20 or 30 years ago still run reliably because they were engineered for stability, and control systems optimized for uptime don't accept the downtime windows that IT patching assumes. In TXOne's data, 54% of organizations cite compatibility as the top barrier to upgrading and 45% cite cost. In highly regulated industries, every component change can trigger recertification that halts production for months.
The result is what plant managers have heard for decades: "We'll upgrade it next year." Next year becomes five years, then a decade, while the risk compounds quietly. CISA's 2026 guidance on OT communications acknowledges this directly, pointing to "persistent barriers tied to cost, complexity, and legacy design of industrial protocols." For the OT vCISO, that persistence is the starting condition for governance, not evidence of negligence.
The Honest Risk Picture for Legacy OT
Legacy OT systems resist purely technical treatment. Many can't run modern endpoint agents, authenticate with modern methods or be monitored without specialized passive tools. Industrial protocols like Modbus TCP and DNP3 without Secure Authentication carry no native integrity or confidentiality controls, which means anyone with network access can read process data and inject commands. Where patching, encryption and full monitoring are off the table, risk has to be managed through policy, architecture and documentation, which makes it a governance problem by default.
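As an added example (not code from the article or any vendor), here is the kind of passive check that stands in for the controls Modbus/TCP lacks: parse the MBAP header and function code off the wire and alert on write requests from hosts the zone-and-conduit design does not authorize to write. The addresses, frames and allowlist are constructed samples.

```python
"""Passive Modbus/TCP conduit monitor (added illustration, not from the article or any vendor).
Modbus/TCP carries no authentication, so a compensating control is to watch the conduit
passively and alert on write requests from hosts the zone design does not authorize to write.
All addresses and frames below are constructed samples."""
import struct

# Function codes that change process state (Modbus Application Protocol specification).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        23: "Read/Write Multiple Registers"}

# Assumed conduit policy (constructed): engineering host -> PLCs it may write to.
WRITE_ALLOWLIST = {"10.20.0.5": {"10.20.1.10", "10.20.1.11"}}

def parse_modbus_tcp(payload: bytes):
    """Return (transaction_id, unit_id, function_code, data), or None if the MBAP header is invalid."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # protocol id is always 0; length covers unit id + PDU
        return None
    return tid, unit, payload[7], payload[8:]

def inspect(src: str, dst: str, payload: bytes):
    """Return an alert dict for malformed frames or writes outside the allowlist; None for expected traffic."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return {"src": src, "dst": dst, "function": "malformed",
                "reason": "non-conforming Modbus/TCP frame on OT conduit"}
    _, unit, fc, _ = parsed
    if fc not in WRITE_FUNCTION_CODES or dst in WRITE_ALLOWLIST.get(src, set()):
        return None  # reads, and writes from authorized engineering hosts, are expected
    return {"src": src, "dst": dst, "unit_id": unit, "function": WRITE_FUNCTION_CODES[fc],
            "reason": "write from host outside conduit write allowlist"}

# Constructed frames: FC3 read of 2 holding registers; FC6 write of value 0 to register 0x0010.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.1.10", bytes.fromhex("0001000000060103000a0002")),   # read, authorized host
    ("10.20.0.5", "10.20.1.10", bytes.fromhex("000200000006010600100000")),   # write, authorized host
    ("10.20.0.99", "10.20.1.10", bytes.fromhex("000300000006010600100000")),  # write, unauthorized host
]

def run(flows=SAMPLE_FLOWS):
    """Alerts raised over the sample capture."""
    return [a for a in (inspect(*f) for f in flows) if a is not None]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In a real deployment the flows would come from a SPAN port or network tap feeding the monitoring zone, and the allowlist would be the documented conduit definition rather than a constant.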
The risk profile compounds over time. Analysis cited by HeroDevs in 2025 found that end-of-life software images accumulate an average of 218 new vulnerabilities every six months after support ends, and roughly 46% of CISA's Known Exploited Vulnerabilities catalog is linked to end-of-service software. In the industrial sector specifically, research by aDolus Technology and Microsoft found that around 60% of installed PLCs run outdated firmware for which patches had been available for more than a decade, often carrying eight or more known CVEs each. One in four penetration tests in industrial environments finds default credentials still in use.
Visibility into this risk is its own problem. An analysis by Forescout and the ICS Advisory Project, reported by Infosecurity Magazine in February 2026, found that only 22% of ICS vulnerabilities disclosed in 2025 had an associated CISA advisory, down from 58% the year before. Sixty-one percent of those without advisories were rated high or critical severity. Organizations can't rely on external advisories alone to tell them when their legacy systems are exposed, and if nobody inside the organization is funded to close that gap, it doesn't get closed.
What IEC 62443 and NIST 800-82 Actually Require
A common assumption inside industrial organizations is that once a system can no longer meet modern security controls, industry standards require its replacement. That assumption misreads what the standards say. IEC 62443-2-1:2024, released in August 2024, acknowledges that industrial automation and control system lifespans can exceed 20 years and formally accepts compensating controls, not just native technical capabilities, as equivalent means of achieving compliance. NIST SP 800-82 Revision 3 is equally clear: where legacy protocols can't be replaced, the framework calls for compensating network controls including strict zone isolation, application-aware firewalls and passive anomaly detection.
Between them, those standards settle the acceptability question. What remains for any organization is whether it has documented the compensating controls it relies on, assigned accountability for them, and built them into a governance cadence rather than leaving them as tribal knowledge.
As a 2026 analysis from Arista Cyber framed the posture: "Compliance is about governance and risk reduction, not perfection." The documentation is the evidence. The cadence is the accountability.
The vCISO's Legacy Governance Framework
The framework has consistent components across mature programs. Asset inventory with criticality classification establishes what exists and what matters most. A risk-ranked backlog prioritizes by exploitability, criticality and exposure rather than by age alone. Zone-and-conduit architecture per IEC 62443 segments legacy systems into defensible enclaves. Compensating controls get deployed and documented: passive OT-protocol-aware monitoring, jump servers with multi-factor authentication, application whitelisting where feasible, virtual patching where vendor patches are unavailable, and the elimination of default and shared credentials. Formal risk acceptance records with executive signatures and expiry dates convert informal tolerance into auditable governance. And a replacement roadmap aligned with capital cycles and planned outage windows gives the program direction.
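As an added example (not code from the article or from the standards it cites), a minimal risk register that puts the framework's backlog and acceptance records into a checkable form: it ranks a legacy inventory by exploitability, criticality and exposure rather than age, and flags acceptances that have expired, were never signed, or carry no expiry date. The data model, weights and sample assets are assumptions.

```python
"""Legacy OT risk register (added example; data model and weights are assumptions, not from the
article, IEC 62443 or NIST SP 800-82). Ranks assets by exploitability, criticality and exposure
rather than age, and flags acceptances that have expired or were never signed. Inventory is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class LegacyAsset:
    name: str
    criticality: int                  # 1 (low) .. 5 (safety or production critical)
    exposure: int                     # 1 (isolated zone) .. 5 (reachable from IT or vendor networks)
    known_exploited: bool             # a CVE on this asset appears in the CISA KEV catalog
    default_creds: bool               # default or shared credentials still in use
    compensating_controls: list[str] = field(default_factory=list)
    accepted_by: str | None = None    # executive who signed the residual-risk acceptance
    acceptance_expires: date | None = None

def risk_score(a: LegacyAsset) -> int:
    """Exploitability x criticality x exposure; device age is deliberately not a factor."""
    exploitability = 1 + (2 if a.known_exploited else 0) + (2 if a.default_creds else 0)
    return exploitability * a.criticality * a.exposure

def governance_findings(a: LegacyAsset, today: date) -> list[str]:
    findings = []  # gaps that turn "accepted" risk back into unmanaged risk
    if not a.compensating_controls:
        findings.append("no documented compensating controls")
    if a.accepted_by is None:
        findings.append("residual risk not formally accepted by an executive")
    elif a.acceptance_expires is None:
        findings.append("risk acceptance has no expiry date")
    elif a.acceptance_expires < today:
        findings.append(f"risk acceptance expired {a.acceptance_expires.isoformat()}")
    if a.default_creds:
        findings.append("default credentials still in use")
    return findings

def ranked_backlog(assets: list[LegacyAsset], today: date) -> list[tuple[int, str, list[str]]]:
    """Highest risk first; each entry carries its score and its open governance findings."""
    return sorted(((risk_score(a), a.name, governance_findings(a, today)) for a in assets),
                  key=lambda t: t[0], reverse=True)

SAMPLE = [  # constructed inventory
    LegacyAsset("PLC-Line1", 5, 2, True, False, ["passive monitoring", "MFA jump server"], "VP Operations", date(2026, 6, 30)),
    LegacyAsset("HMI-XP-Packaging", 4, 4, True, True, ["virtual patching"], "VP Operations", date(2025, 1, 31)),
    LegacyAsset("RTU-Substation", 3, 3, False, False),
]

def demo(today: date = date(2026, 3, 1)) -> list[tuple[int, str, list[str]]]:
    return ranked_backlog(SAMPLE, today)
```

Run against the sample inventory, the exposed XP-based HMI with default credentials and a lapsed acceptance ranks first, and the isolated RTU ranks last despite having no controls or sign-off at all, which is what a criticality-and-exposure ranking should do.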
Engineering can implement the controls, but executive authority is what formally accepts residual risk, negotiates with OEM vendors on support terms, allocates budget between legacy protection and modernization, and holds cross-functional stakeholders accountable to the roadmap over time.
A 2025 analysis from PwC identified fragmented ownership as a core cause of "funding gaps, decision-making paralysis and disorganised incident response" in OT security and called specifically for "clear executive ownership with budget authority", which is the role the OT vCISO occupies.
Translating Legacy Risk for the Board
Board decisions run on operational and financial exposure, not CVE counts. A legacy OT program earns sustained funding only when the OT vCISO can translate the first into the second in language the board can act on.
Durgesh Kalya, a network security expert at Covestro, framed the principle precisely: "When cyber risk is explained in terms of lost production, safety implications and recovery time, leadership pays attention even under pressure. If it is framed only as a technical issue, production priorities will usually win."
For legacy OT, that translation runs through five anchors: downtime cost, safety and environmental exposure, regulatory liability, recovery time, and cyber insurance implications as insurers tie coverage to demonstrated OT resilience.
Regulation has sharpened the argument considerably. Under the EU's NIS2 directive, effective October 2024, executives can face fines and temporary bans from management roles for cybersecurity failures in essential entities. NERC CIP violations in the U.S. energy sector now carry inflation-adjusted penalties of approximately $1.54 million per day, and the standards explicitly apply regardless of network topology, which means legacy systems are not exempt. The evidence of due diligence regulators want is exactly what the vCISO's documentation is designed to produce.
What Good Legacy Governance Looks Like
TXOne Networks documented a pharmaceutical manufacturer case in its 2025 "Beyond Replacement" research where Windows XP-based OT systems couldn't be replaced without losing FDA validation. Through virtual patching, behavioral analysis and documented compensating controls, the organization achieved a nine-year secure life extension, avoided roughly $5.4 million in replacement and revalidation costs, and maintained FDA compliance throughout. When modernization has to wait for a capital cycle or recertification, the wait itself can be managed rather than merely endured.
The Shadow Current series shows how legacy systems create permanent attack path channels through industrial infrastructure; the governance framework described here is its defender-side counterpart. The Fusion Center Blueprint series covers the technical architecture that makes compensating controls operational, and the Proving the Program series tests whether claimed legacy controls hold up under real adversarial pressure.
Industrial environments will always contain systems aging faster than capital cycles can retire them, which means "all legacy replaced" was never the realistic destination. The aim is a state where legacy risk is known, documented, controlled and on a roadmap, with someone in executive authority accountable for keeping it that way.
What Comes Next: Legacy risk is ultimately a risk the organization owns. The next article turns to an architectural risk that's shared rather than owned: the third-party vendor access every industrial organization depends on, and few govern with the rigor the risk requires.
The Leadership Layer is a 12-part series examining how the OT vCISO builds cyber-resilient industrial organizations. The OT vCISO Discovery Session is PhishCloud's strategic engagement for organizations identifying their OT security leadership gaps. Schedule an OT vCISO Discovery Session. Learn more in the executive brief: The Missing Leadership Layer in Industrial Cybersecurity.
Identical hardware. Two plants.
One has a binder. One has a problem.
Legacy OT risk is a governance gap before it is a technical one.
PLCs built 20-30 years ago still run reliably because stability was the design goal. Replacement requires downtime windows that operations cannot absorb on short cycles. CISA 2026 guidance names this directly: "persistent barriers tied to cost, complexity, and legacy design of industrial protocols."
Anyone with network access to these protocols can read process data and inject commands. Patching, encryption, and full monitoring are structurally off the table, which means risk management defaults to policy, architecture, and documentation from the start.
IEC 62443-2-1:2024 acknowledges IACS lifespans exceeding 20 years and accepts compensating controls as equivalent. NIST 800-82 Rev. 3 calls for zone isolation, application-aware firewalls, and passive anomaly detection where legacy protocols can't be replaced. The compliance question is settled. The governance question is not.
Asset inventory with criticality classification. Risk-ranked backlog by exploitability and exposure. Zone-and-conduit architecture. Documented compensating controls (passive monitoring, MFA jump servers, virtual patching, credential hygiene). Formal risk acceptance records with executive signatures and expiry dates. Replacement roadmap aligned to capital cycles.
Regulators want evidence of due diligence, not evidence of perfection. The documentation the OT vCISO produces, specifically signed risk acceptance records, compensating control inventories, and roadmaps, is exactly what regulators are looking for when they audit essential entities under NIS2 or assess NERC CIP compliance.
End-of-life software compounds faster than most organizations track. HeroDevs' 2025 analysis found that EOS images accumulate an average of 218 new vulnerabilities every six months after support ends. Roughly 46% of CISA's Known Exploited Vulnerabilities catalog is linked to end-of-service software, meaning active threat actors are specifically targeting this exposure.
In industrial environments, aDolus Technology and Microsoft found approximately 60% of installed PLCs run outdated firmware carrying eight or more known CVEs each, with patches that had been available for more than a decade. One in four penetration tests in industrial environments still finds default credentials in use.
Advisory coverage has also declined. Forescout and the ICS Advisory Project found only 22% of ICS vulnerabilities disclosed in 2025 had an associated CISA advisory, down from 58% the prior year, and 61% of those without advisories were rated high or critical. Organizations cannot wait for external alerts to tell them what is exposed in their legacy infrastructure.
TXOne Networks documented a pharmaceutical manufacturer in its 2025 "Beyond Replacement" research facing a specific constraint: Windows XP-based OT systems could not be replaced without triggering FDA revalidation and losing production certification. Replacement was not a security decision. It was a regulatory and capital decision outside the security team's authority.
Through a combination of virtual patching, behavioral analysis, network zone isolation, and formally documented compensating controls signed by executives, the organization achieved a nine-year secure life extension on those systems. The avoided cost in replacement and revalidation was approximately $5.4 million. FDA compliance was maintained throughout.
This is the governance model in practice: not heroic technical workarounds, but documented controls with assigned accountability, reviewed annually, aligned to a capital roadmap that everyone with budget authority can see and act on.
The Leadership Layer is a 12-part series on how the OT vCISO builds cyber-resilient industrial organizations. This article is Part 6. The Shadow Current series traces how attackers exploit the legacy-driven attack paths this article addresses from the defender's side. The Fusion Center Blueprint series covers the technical architecture of compensating controls for legacy OT. The Proving the Program series examines how red team assessments test whether claimed legacy controls hold up under real adversarial conditions.
The next Leadership Layer article addresses an architectural risk that is shared rather than owned: the third-party vendor access every industrial organization depends on, and few govern with the rigor the risk requires. Vendor access represents one of the most common lateral movement entry points in ICS incident investigations.
Legacy persistence is rational. Capital cycles, compatibility barriers, and recertification costs are real constraints. Governance is not optional while you wait for modernization.
Both IEC 62443 and NIST 800-82 accept compensating controls. The standards are not an obstacle to managing legacy risk. They are the framework for doing it with documented accountability.
The goal is not "all legacy replaced." It is a state where legacy risk is known, documented, controlled, and on a roadmap with an executive accountable for keeping it that way.
