Why Legacy Is Every Red Team's Favorite OT Finding

Legacy OT systems are not unmanaged because teams are careless. They are constrained by uptime, safety, and long equipment lifecycles. Industrial Cyber's ICS hardening coverage notes patches require controlled testing before deployment in OT environments. Acronis's 2026 OT/ICS guidance reports lifespans often exceed 20 to 30 years, which is why older operating systems still appear in production HMI environments.

TXOne's 2025 survey of 550 industrial decision-makers found that 50% of OT environments are primarily legacy and 20% are over three-quarters legacy. TXOne's 2024 report also found 85% of organizations do not patch OT regularly. IBM X-Force reported 670 OT-impacting vulnerabilities disclosed in H1 2025, with nearly half rated Critical or High, and 21% of Critical vulnerabilities with public exploit code.

From an adversary perspective, this is exactly why the legacy shadow current remains persistent. Red Teams document the constraint, then test how far it can be leveraged in your actual environment.

ESET's reverse engineering analysis of Industroyer concluded the malware communicated through industrial protocols designed decades ago without security in mind. Modbus, introduced in 1979, includes no native authentication, encryption, or integrity checking in standard implementations. Legacy DNP3 configurations carry similar trust assumptions.

Red Team OT penetration testing approaches against these protocols are straightforward: ARP spoofing, command replay, and in-path manipulation where protocol trust is implicit. Dragos documented this pattern in the January 2024 FrostyGoop incident at a Lviv district heating utility, where Modbus TCP over port 502 was used to manipulate heating controllers. More than 600 apartment buildings lost heat for two days in sub-zero temperatures.

According to Dragos, roughly 46,000 internet-exposed ICS devices globally speak Modbus. A March 2026 OT penetration testing methodology also reported passive reconnaissance alone can expose 80% of vulnerabilities in many OT environments. Legacy visibility gaps and protocol trust reveal themselves before active exploitation begins.

Default and hardcoded credential exposure remains one of the most persistent findings in OT. Public resources like SecLists catalog extensive default credentials across major industrial vendors. Dragos's 8th Annual Year in Review reported 65% of assessed sites had insecure remote access conditions, including default credentials, exposed RDP, and weak VPN hygiene.

Claroty Team82 research on Siemens S7-1200 and S7-1500 controllers found hardcoded global cryptographic keys, tracked as CVE-2022-38465. Team82's Evil PLC research further showed compromised PLCs can be used as pivot points into engineering workstations. IBM X-Force's 2026 Threat Intelligence Index echoes the same governance outcome: in Red Team testing, misconfigured access controls were the most common entry point.

In CISA AA24-326A, the Red Team reached OT HMI systems through an IT-origin attack chain that included a forgotten web shell, exposed credentials on a misconfigured share, certificate abuse against unconstrained delegation, and domain-level privilege escalation before moving into OT. CISA also documented leadership deprioritizing a known vulnerability flagged by internal security teams.

This sequence reflects broader incident data. Dragos found roughly 70% of OT-related incidents originated from IT environments. Colonial Pipeline remains the reference case where legacy remote access paths no longer needed by operations still accepted connections.

This connects directly to Article 5 and its visibility gap thesis. You can extend controls around legacy assets, but you cannot always deploy modern controls inside them.

The Red Team's value is not that it finds legacy. It is that it maps your specific legacy pathways to operational consequence. That precision enables leadership decisions on compensating-control investment rather than generic backlog management.

Insurance-grade analysis cited by Dragos and Marsh McLennan indicates Defensible Architecture can reduce organizational cyber risk by about 17%, while Secure Remote Access contributes another 12%. Dragos's 2026 Year in Review also found 26% of OT advisories offered no patch, and 18% offered neither patch nor mitigation, requiring alternative controls. Its Now/Next/Never prioritization split, 6% immediate, 63% compensating or scheduled, 31% no action, frames compensating controls as the primary treatment path for legacy risk.

Zero Networks reported only 2% of manufacturing security leaders microsegment their networks. That quantifies a high-impact, low-adoption control gap that Red Teams can demonstrate and leadership can directly fund.

Legacy is difficult to replace because of capital constraints and operational disruption. Red Teams, however, repeatedly identify another reliable OT entry path that often requires no exploitation at all: vendor access granted intentionally but governed inconsistently.

Learn more about the OT vCISO role in the executive brief: The Missing Leadership Layer in Industrial Cybersecurity.