Building Around What Won't Change
The CFC and Legacy OT Risk: how compensating control architecture secures what can't be replaced
Legacy OT systems can't be secured. But they can be wrapped.
That one-sentence reframe is where this article starts, because most conversations about legacy industrial systems still treat them as a replacement problem on someone's eventual to-do list. They aren't. In TXOne Networks' 2025 survey of 550 European OT decision-makers, half confirmed at least 50% of their environments still run on legacy systems, and 20% reported more than 75% legacy dependence. The SANS 2025 ICS/OT Cybersecurity Report found that 46% of respondents cite legacy system compatibility as a top blocker to implementing secure remote access controls. Those numbers describe a permanent feature of industrial environments, not a temporary backlog.
What Legacy Looks Like Inside an OT Environment
Modbus, developed in 1979 by Modicon, is 47 years old and still ships as the primary interface on new industrial equipment in 2026. DNP3, developed in 1990 for electrical utility SCADA, dominates electric, water and gas utilities. Neither protocol was designed with authentication, integrity or confidentiality. The later DNP3 Secure Authentication extension adds message authentication but not confidentiality, and only where both endpoints support it, which legacy endpoints generally do not. CISA's February 2026 guidance on barriers to secure OT communication makes the consequence explicit: attackers who gain OT network access can impersonate devices, modify messages or issue unauthorized commands without any native protocol obstruction.
The hardware lifecycle is just as long. NIST SP 800-82 confirms OT system lifespans routinely exceed 20 years. In practice, PLCs run 15 to 20 years and process equipment often 20 to 30. Windows XP remains embedded in regulated environments where validated applications tie control systems to specific OS builds, and replacing the OS often means replacing the production line around it. None of this is negligence. It's what industrial operations look like when equipment is engineered for uptime and regulatory revalidation makes component swaps expensive.
Why the Standard IT Toolkit Fails
Three IT security assumptions break on legacy OT. Endpoint agents don't fit: most PLCs, HMIs and SCADA controllers use proprietary operating systems, vendor-signed firmware, or constrained hardware that was never designed for third-party software, and installing an agent risks disrupting real-time operations. Active scanning doesn't work: vulnerability scanners that function fine on IT systems routinely crash fragile OT devices, which is why the major OT platforms, Dragos, Claroty and Nozomi, all adopt passive-first architectures. Patching rarely happens: Fortinet research found that more than 62% of OT environments took over 90 days to apply security patches, and nearly 45% had no defined patching strategy for legacy applications at all.
Waiting for vendor patches that may never arrive, on equipment that can't be taken offline without a planned outage window, isn't a security strategy. The CFC's answer is to build the controls outside the system.
How the CFC Wraps Legacy Systems
Zone-and-conduit segmentation per IEC 62443. The standard defines zones as groups of assets with similar security requirements and conduits as the controlled pathways between them. In brownfield legacy environments, industrial firewalls with deep packet inspection become the enforcement boundary, allowing non-compliant devices to operate within a protected zone while legacy protocols travel only where the architecture permits. Microsegmentation via software-defined overlays extends the same principle down to individual devices. SANS 2024 data shows only 8.2% of organizations maintain fully isolated OT environments, which means enforced segmentation, not pure isolation, is the working model.
Passive monitoring with protocol-aware DPI. The major OT network monitoring platforms parse industrial protocols that IT tools cannot decode. Dragos supports 600+ ICS protocols. Nozomi Guardian covers more than 500. Claroty xDome combines passive monitoring with project file analysis for air-gapped segments. The operational value is deep packet inspection that reads Modbus function codes and register addresses, DNP3 function codes and object point indexes, and the command structures around them, then flags deviations from learned behavioral baselines. OT networks are structurally repetitive in their communication patterns, which makes baseline deviation a meaningful signal rather than noise.
Vendor access retrofit. Legacy systems create an unavoidable vendor dependency for maintenance, and that dependency is where a large share of incidents enters. SANS 2025 found unauthorized external access responsible for half of all OT incidents, while only 13% of organizations have fully implemented controls like session recording or ICS-aware access. Remote privileged access management platforms can retrofit multi-factor authentication onto legacy systems without modifying the systems themselves, with credential vaulting, session recording and time-limited provisioning. Gartner projects that organizations applying least privilege through these platforms will reduce risk exposure by more than 50% by 2026.
Virtual patching at the network layer. Where vendor patches will never come, virtual patches applied through IPS signatures, industrial firewalls or OT security gateways block exploit traffic targeting the unpatched vulnerability. The underlying system stays unchanged. The attack vector gets closed, but only at the enforcement point: traffic that reaches the device without crossing the firewall or IPS, from a host inside the same zone or over a serial or USB path, is not covered, so the virtual patch has to sit on every conduit into the zone. For equipment whose vendors have stopped patching entirely, virtual patching can run as a primary control for years, not as a two-week stopgap.
Change governance with four-eyes approval. Firmware updates, configuration changes and vendor maintenance windows are the highest-risk touchpoints on legacy systems. IEC 62443-2-3 calls for a risk-based patch management approach, and operational practice formalizes it as a workflow where cybersecurity and operations both sign off before any change deploys, with a validated rollback path ready before work begins.
Integrating Legacy Into the Visibility Architecture
Our previous article, The CFC as OT Visibility Architecture, covered how the CFC builds a visibility layer across IT and OT. Legacy is the hardest case that architecture has to handle.
Network TAPs, not SPAN ports, are the right answer for most legacy environments. Unmanaged switches, outdated cabling and OEM-locked configurations are common in 15-year-old infrastructure, and activating SPAN on older switchgear can drop packets or crash the switch entirely. Passive TAPs create full-duplex packet copies without touching the switches, without IP or MAC addresses of their own, and without a management interface that can be attacked. Modern photonic TAPs have no electronics at all and cannot be remotely compromised. One caveat: inserting a TAP breaks the link for the seconds it takes to patch it in, so installation belongs in a planned maintenance window, and a copper TAP should be one that keeps passing traffic when it loses power.
For air-gapped devices, Claroty's project file analysis ingests backup configuration files to extract asset intelligence without any network interaction. Protocol-aware OT platforms then normalize the data into structured events the SIEM consumes alongside IT telemetry. The legacy system itself doesn't change. What the program can see about it does.
What Standards Accept, What Outcomes Prove
IEC 62443-2-1:2024, released in August 2024, formally accepts compensating controls as an equivalent means of compliance for legacy systems, provided organizations document the controls, the residual risk and a replacement roadmap. NIST SP 800-82 Revision 3 is aligned: where legacy protocols can't be replaced, it calls for zone isolation, application-aware firewalls and passive anomaly detection. CISA's February 2026 guidance on OT communications validates the same direction, noting that many organizations find segmentation and continuous monitoring more predictable investments than full protocol migration.
The outcomes when this architecture runs as designed are measurable. TXOne documented a pharmaceutical manufacturer case in which Windows XP-based OT systems couldn't be replaced without losing FDA validation. Virtual patching, behavioral analysis and documented compensating controls produced a nine-year secure life extension, avoided roughly $5.4 million in replacement and revalidation costs, and maintained FDA compliance throughout. Westlands Advisory's 2025 OT Cybersecurity Navigator, based on interviews with more than 70 organizations, reports that similar approaches yield 7 to 10 years of secure operational life and avoid replacement costs averaging $2 million to $5 million per legacy system.
The CFC's work on legacy is a managed path forward, not a substitute for modernization. Compensating controls reduce the risk of what's running today while replacement happens on its own capital timeline. The companion vCISO piece, Governing Legacy OT Risk, covers who owns the documentation, how executive authority formally accepts residual risk, and how board communication turns legacy exposure into language leadership can act on.
The Legacy Shadow Current traces the adversary's view of the same terrain, showing how aging infrastructure creates permanent attack channels. This article covers what gets built to make those channels segmented, monitored and governed.
What Comes Next: Legacy creates risk from the inside. But it also creates a dependency on vendor access that extends risk beyond the perimeter. The next article examines how the CFC builds the operational architecture for governing third-party access to OT environments, including the vendor pathways legacy systems make unavoidable.
Learn more about the OT vCISO role in the executive brief: The Missing Leadership Layer in Industrial Cybersecurity.
Legacy OT can't be secured from the inside.
The CFC builds the security around it.
Five layers. No replacement required.
CISA's February 2026 OT communications guidance states the consequence directly: attackers who gain OT network access can impersonate devices, modify messages, and issue unauthorized commands without any native protocol obstruction. The protocol cannot be made to resist this. The architecture around it must.
Proprietary operating systems and vendor-signed firmware block agent installation. Active scanning causes real-time control failures. Patch windows require planned production outages that may not occur for months or years. Every major OT security platform, Dragos, Claroty, Nozomi, adopted passive-first architectures precisely because active approaches fail here.
IEC 62443 defines zones and conduits: legacy devices operate inside protected zones while industrial firewalls with deep packet inspection enforce what can traverse zone boundaries. Microsegmentation extends this to individual devices. The legacy system doesn't need to change for the perimeter around it to become meaningful.
For equipment whose vendors have stopped releasing patches entirely, virtual patching is not a two-week stopgap. It runs as the primary control, potentially for years, blocking specific exploit techniques without requiring any change to the protected device. The pharma manufacturer's nine-year life extension used this as a core layer.
Remote privileged access management platforms retrofit MFA, credential vaulting, session recording, and time-limited provisioning onto legacy systems without modifying the systems themselves. Gartner projects organizations applying least privilege this way will reduce risk exposure by more than 50%. The legacy dependency on vendors doesn't go away. The controls around it do.
Passive TAPs are the right collection method for most legacy environments. Activating SPAN on older unmanaged switchgear can drop packets or crash the device entirely. Passive TAPs create perfect packet copies without touching the switches, without IP or MAC addresses, and without a management interface that can be attacked. Photonic TAPs have no electronics and cannot be remotely compromised.
The platforms consuming that traffic decode industrial protocols at depth. Dragos processes 600+ ICS protocols and reads Modbus function codes and register addresses, DNP3 function codes and object point indexes, and command structures at the application layer. Nozomi Guardian covers more than 500 protocols. For air-gapped devices with no network connectivity at all, Claroty's project file analysis ingests backup configuration files to extract asset intelligence without any network interaction.
The value of behavioral baselining in OT specifically comes from the structural repetition of industrial communication. A PLC polling a sensor every 200 milliseconds creates a nearly identical traffic pattern day after day. That predictability makes deviation a high-fidelity signal. When a new command type appears, a write occurs at an unusual time, or a vendor connection issues an unexpected function code, the platform flags it against the learned baseline.
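The following is an added example, written for this article and not code from Dragos, Claroty, Nozomi or any other vendor, that shows what the zone-and-conduit layer and the protocol-aware monitoring layer described earlier do with one Modbus/TCP request at a zone boundary: parse the MBAP header and PDU, check the function code against a conduit policy, and compare the (function code, address) pair against a baseline learned from earlier traffic, as in the baselining paragraph above. The Modbus/TCP framing is the real one (7-byte MBAP header followed by the PDU); the host addresses, zone assignments, conduit rules and traffic are constructed for the example.

```python
"""Protocol-aware inspection of Modbus/TCP requests at a zone boundary (added example).

Hosts, zones, conduit rules and frames below are constructed for illustration.
"""
import struct
from collections import defaultdict

# Modbus function codes that change device state versus those that only read.
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
READ_FCS = {0x01, 0x02, 0x03, 0x04}

# Constructed zone map (assumption for the example).
ZONES = {
    "10.10.1.5": "scada",         # SCADA server: polls continuously
    "10.10.1.20": "engineering",  # engineering workstation: may write
    "10.30.0.9": "corporate",     # IT-side host: no conduit into the PLC zone
    "10.10.2.50": "plc",          # legacy PLC
}

# Conduit policy: function codes allowed per (source zone, destination zone).
# Anything not listed has no conduit and is denied.
CONDUITS = {
    ("scada", "plc"): READ_FCS,
    ("engineering", "plc"): READ_FCS | WRITE_FCS,
}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse a Modbus/TCP request: MBAP header (tid, pid, length, unit) + PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    pdu = payload[7:]
    fc = pdu[0]
    # Read and single-write requests carry a 16-bit start address right after the FC.
    addr = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else None
    return {"tid": tid, "unit": unit, "fc": fc, "addr": addr}


def build_request(tid: int, unit: int, fc: int, addr: int, value_or_qty: int) -> bytes:
    """Build a complete FC 0x01-0x06 style request (fc, address, quantity/value)."""
    pdu = struct.pack(">BHH", fc, addr, value_or_qty)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ConduitInspector:
    """Enforces the conduit policy, then flags requests outside the learned baseline."""

    def __init__(self) -> None:
        self.learning = True
        # (src, dst, unit) -> set of (fc, addr) pairs seen during learning
        self.baseline = defaultdict(set)

    def inspect(self, src: str, dst: str, payload: bytes) -> str:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            return f"DROP: malformed frame ({err})"
        conduit = (ZONES.get(src, "unknown"), ZONES.get(dst, "unknown"))
        if req["fc"] not in CONDUITS.get(conduit, set()):
            return f"DENY: no conduit permits fc=0x{req['fc']:02X} from {conduit[0]} to {conduit[1]}"
        key, sig = (src, dst, req["unit"]), (req["fc"], req["addr"])
        if self.learning:
            self.baseline[key].add(sig)
            return "ALLOW: learning"
        if sig not in self.baseline[key]:
            kind = "write" if req["fc"] in WRITE_FCS else "request"
            return f"ALERT: new {kind} fc=0x{req['fc']:02X} addr={req['addr']} from {src} not in baseline"
        return "ALLOW"


def demo() -> list:
    """Learn from constructed 'normal day' traffic, then inspect four new requests."""
    insp = ConduitInspector()
    plc = "10.10.2.50"
    for tid in range(3):  # SCADA reads holding registers 0..9 every cycle
        insp.inspect("10.10.1.5", plc, build_request(tid, 1, 0x03, 0, 10))
    insp.inspect("10.10.1.20", plc, build_request(9, 1, 0x06, 100, 1))  # known setpoint write
    insp.learning = False
    return [
        insp.inspect("10.10.1.5", plc, build_request(10, 1, 0x03, 0, 10)),   # routine poll
        insp.inspect("10.10.1.5", plc, build_request(11, 1, 0x06, 100, 0)),  # SCADA tries a write
        insp.inspect("10.30.0.9", plc, build_request(12, 1, 0x03, 0, 10)),   # corporate host, no conduit
        insp.inspect("10.10.1.20", plc, build_request(13, 1, 0x06, 200, 7)), # write to a new register
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order matters: the conduit policy is evaluated before the baseline, so a write from the SCADA zone is denied by architecture regardless of what the baseline has seen, while a write from the engineering workstation to a register it has never touched is allowed by policy but raised as a deviation for the analyst. A malformed frame at the boundary is dropped and reported rather than forwarded to a device that may not parse it safely.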
TXOne Networks documented a pharmaceutical manufacturer facing a hard constraint: Windows XP-based OT systems could not be replaced without triggering FDA revalidation and losing production certification. Replacement was a regulatory and capital decision, not a security decision. The program applied virtual patching, behavioral analysis, network zone isolation and formally documented compensating controls signed by executives. The result was a nine-year secure life extension, approximately $5.4 million in avoided replacement and revalidation costs, and maintained FDA compliance throughout.
This isn't an isolated case. Westlands Advisory's 2025 OT Cybersecurity Navigator, based on interviews with more than 70 organizations, found that similar compensating control approaches consistently yield 7 to 10 years of additional secure operational life and avoid replacement costs averaging $2 million to $5 million per legacy system. When modernization is constrained by capital cycles or regulatory revalidation, the wait itself can be managed.
This is Article 6 of 12 in The Fusion Center Blueprint series, covering Phase 3: Architecture. The previous article, The CFC as OT Visibility Architecture, covered how the CFC builds the telemetry layer this compensating control architecture depends on. The governance layer sits above both: the companion vCISO piece, Governing Legacy OT Risk, covers executive accountability, formal risk acceptance records and board communication for the same legacy exposure.
The Legacy Shadow Current series article traces the adversary's view of the terrain this article addresses from the defender side, showing how aging industrial infrastructure creates permanent attack channels through industrial environments. The two articles are the offensive and defensive perspectives on the same problem.
The next Fusion Center Blueprint article examines how the CFC builds the operational architecture for governing third-party vendor access to OT environments, including the vendor pathways legacy systems make unavoidable. Vendor access represents one of the most common lateral movement entry points in ICS incident investigations, and legacy creates structural vendor dependencies that the CFC must address as a separate architectural layer.
Legacy is a permanent feature of industrial environments, not a backlog. The architecture must be built around it, not contingent on replacing it.
Five layers wrap what can't be changed: zone-and-conduit segmentation, passive protocol-aware monitoring, vendor access retrofit, virtual patching, and four-eyes change governance.
IEC 62443-2-1:2024 and NIST SP 800-82 Rev. 3 accept documented compensating controls as a means of compliance. The pharma case proves 9 years of secure operational life and $5.4M avoided are achievable outcomes.
