The Legacy Shadow Current

Why Your Oldest Systems Are Your Fastest Attack Paths

The oldest shadow currents are often the deepest and fastest. Like ancient riverbeds carved into bedrock, legacy OT systems create permanent channels through your infrastructure that can't be easily rerouted or filled.

The Ancient Infrastructure Still Running Today

Windows XP is nearly 25 years old. Microsoft ended mainstream support in April 2009, but continued issuing security patches until April 2014. And yet, it's still running in operational technology environments across manufacturing facilities, power plants and critical infrastructure worldwide. According to the National Institute of Standards and Technology, OT system lifespans can exceed 20 years, creating infrastructure arteries that predate modern security assumptions and flow with decades of accumulated vulnerabilities.

The Scale of the Legacy Problem

In our previous article, we explored how detection goes dark at the IT-OT boundary, creating blind spots where shadow currents accelerate unobserved. But detection blind spots at boundaries are just the beginning. Legacy systems are blind spots everywhere, scattered throughout your infrastructure like subterranean channels that monitoring tools never reach.

Legacy systems aren't outliers hiding in forgotten corners of industrial facilities. A 2025 survey by TXOne Networks of 550 OT decision-makers found that 50% of respondents confirmed at least half of their OT environments still rely on legacy systems. Even more concerning, 20% revealed that more than 75% of their infrastructure depends on legacy equipment.

The numbers get worse when you look at specific platforms. Trend Micro research shows that 4.4% of users in the manufacturing industry still rely on Windows XP, significantly higher than the 2.5% rate in other industries. For context, manufacturing has been the most-targeted industry for cyberattacks globally for four consecutive years, accounting for 26% of all documented incidents within critical sectors according to IBM's 2025 X-Force Threat Intelligence Index.

The consequences are measurable. That same TXOne survey found that 43% of respondents experienced cyber incidents on their legacy OT systems within the past year.

Why "Replace It Next Year" Never Happens

Every security professional has heard the refrain: "We'll upgrade it during the next maintenance window." But these permanent channels keep flowing year after year.

The economics tell the story. ITIC's 2024 survey found that over 90% of large and mid-size enterprises report that a single hour of downtime costs upwards of $300,000 on average, with 40% saying it exceeds $1 million per hour. When you're looking at systems that can cost anywhere from $10,000 for small installations to millions for complex SCADA deployments, the decision to defer becomes financially rational, even if it's strategically dangerous.

TXOne's research reveals that compatibility issues are the top barrier to upgrading, cited by 54% of organizations. The reality is straightforward: replacing one component can trigger a cascade of incompatibilities across an entire production line. It's like trying to redirect a river without understanding the entire watershed. Change one element and the shadow current finds new paths you didn't anticipate, potentially flooding systems that were previously dry.

The result? An alarming 85% of organizations don't conduct regular patching on their OT systems, according to TXOne Networks. Nearly 60% only apply patches during planned downtime windows, which in high-efficiency environments may come only once or twice a year. Meanwhile, 37% of OT security incidents involved exploitation of software vulnerabilities.

The Technical Reality: Why Legacy Can't Simply Be Patched

Even organizations committed to securing their legacy systems face fundamental technical barriers. As ISACA notes, patching OT systems can disrupt the code already running on them and even damage the devices themselves. Many legacy devices simply lack the memory or application support for modern patches.

The underlying protocols make the situation worse. Modbus, one of the most widely deployed industrial protocols, was published by Modicon in 1979 for serial communication between controllers, and its TCP variant simply wraps the same messages in a seven-byte header on port 502. According to peer-reviewed research indexed in the National Institutes of Health's literature database, Modbus lacks encryption, authentication and authorization functions. Any host that can reach the port can issue a write (for example function code 0x06, Write Single Register, or 0x05, Write Single Coil) and the device will execute it; because the traffic is plaintext, it can also be intercepted and altered through man-in-the-middle attacks.

DNP3, the other common protocol in utilities and energy, has the same gaps in its base form: no encryption and, unless the optional Secure Authentication extension defined in IEEE 1815 is enabled, no authentication either. Secure variants exist, but adoption remains slow. Modbus/TCP Security, released in 2018, carries Modbus over TLS on a different port entirely (802 instead of 502), so every client, firewall rule and monitoring sensor has to change with it, which circles back to the same compatibility and downtime concerns that prevent hardware upgrades.

Network segmentation, often recommended as a compensating control, proves difficult to implement. Remember those air gaps that turned out to be bridges? Legacy systems often have undocumented connections that predate current network diagrams. They may require remote vendor access for maintenance, or have serial-to-Ethernet converters added years ago that nobody remembers installing. The shadow current finds these channels because they've been flowing through them for decades.

The Deferred Maintenance Tax

Rick Biedenweg of Pacific Partners Consulting Group quantifies what many industrial operators already suspect: every dollar of maintenance deferred to a later date results in $4 of capital renewal. The longer organizations wait to address legacy systems, the more expensive and complex the solution becomes. Meanwhile, the shadow current carves its channels deeper.

A Ponemon Institute survey found that 62% of organizations were unaware their systems were vulnerable before being breached due to known, patchable weaknesses. When security blind spots persist for years or decades, attackers have ample time to map networks, identify vulnerable systems and position themselves for maximum impact. The shadow current doesn't announce itself; it flows silently through infrastructure arteries until something catastrophic forces you to notice.

Like geological formations that create permanent underground water channels, decades-old industrial control systems create persistent pathways through your network. Attackers don't need to find new routes; they can follow the deep channels that have always been there. These are channels that predate modern security architectures, flow beneath newer defensive layers and carry attack traffic that looks identical to legitimate operational commands.

Managing the Permanent Channels

Legacy systems aren't going anywhere. The "upgrade it next year" excuse is now a decade old. These systems are permanent shadow current channels. You can't eliminate them, but you can monitor them, segment around them and control what flows through them.

This requires acknowledging that the deferral cycle needs to end. Organizations that indefinitely postpone legacy modernization are compounding both financial and security debt. Even if wholesale replacement isn't feasible in the short term, developing a multi-year modernization roadmap with clear milestones and budget allocations transforms legacy from a permanent liability into a managed transition.

In the meantime, compensating controls become essential. If patching isn't possible, enhanced monitoring of protocol anomalies becomes critical. If network segmentation is difficult, then deeper inspection of legacy protocol traffic matters more. If systems can't be hardened, then the networks around them must be. The goal isn't to stop the flow entirely; it's to understand where these permanent channels lead and detect when attackers are using them.
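As an added example (not code from this article or from any vendor it cites), the Python script below shows both halves of the argument made in the protocol section and in the paragraph above. It builds a Modbus/TCP write request so that the absence of any credential field is visible, and it runs a source-address and function-code policy over a constructed capture, the kind of "deeper inspection of legacy protocol traffic" a compensating control needs when the device itself cannot be hardened. The IP addresses, allowlists and captured frames are invented for illustration; the framing (MBAP header, function codes, port 502, port 802 for Modbus/TCP Security, Diagnostics sub-function 0x0004 Force Listen Only Mode) follows the published Modbus specifications.

```python
"""Passive inspection of Modbus/TCP traffic reaching a legacy PLC. Added example
for this article, not code from it; addresses, allowlists and frames are assumed."""
import struct
from collections import namedtuple
from typing import List, Set

MODBUS_TCP_PORT = 502            # plain Modbus/TCP: no encryption, no authentication
MODBUS_TLS_PORT = 802            # Modbus/TCP Security (2018): the same PDUs over TLS
DIAG_FORCE_LISTEN_ONLY = 0x0004  # Diagnostics sub-function that silences a device

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs", 0x03: "Read Holding Registers",
    0x04: "Read Input Registers", 0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x08: "Diagnostics", 0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x2B: "Read Device Identification",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

ModbusRequest = namedtuple("ModbusRequest", "transaction_id unit_id function data")
Flow = namedtuple("Flow", "src dst dport payload")      # one captured request
Alert = namedtuple("Alert", "severity src message")


def build_request(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Encode a request as a 7-byte MBAP header plus PDU. Note what is absent: no
    credential, signature or nonce field; any host that reaches port 502 may write."""
    pdu = bytes([function]) + data
    # MBAP: transaction id, protocol id (always 0), length = unit id + PDU, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode an MBAP header and PDU, rejecting frames that do not fit the spec."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def inspect(flow: Flow, write_allowlist: Set[str], read_allowlist: Set[str]) -> List[Alert]:
    """Apply a source-address and function-code policy to one captured request."""
    if flow.dport != MODBUS_TCP_PORT:
        return []  # port 802 payloads are TLS and opaque here; other ports are not Modbus
    try:
        req = parse_request(flow.payload)
    except ValueError as err:
        return [Alert("MEDIUM", flow.src, f"malformed Modbus frame: {err}")]
    name = FUNCTION_NAMES.get(req.function, f"function 0x{req.function:02X}")
    if req.function in WRITE_FUNCTIONS:
        if flow.src in write_allowlist:
            return []
        detail = ""
        if req.function in (0x05, 0x06) and len(req.data) >= 4:
            addr, value = struct.unpack(">HH", req.data[:4])
            detail = f" addr=0x{addr:04X} value=0x{value:04X}"
        return [Alert("HIGH", flow.src, f"unauthorised {name} to unit {req.unit_id}{detail}")]
    if req.function == 0x08 and req.data[:2] == struct.pack(">H", DIAG_FORCE_LISTEN_ONLY):
        return [Alert("HIGH", flow.src, "Diagnostics Force Listen Only Mode: device would go silent")]
    if req.function == 0x2B:
        return [Alert("MEDIUM", flow.src, "device identification query (typical reconnaissance)")]
    if flow.src not in read_allowlist:
        return [Alert("LOW", flow.src, f"{name} from host not in read allowlist")]
    return []


def analyze(flows: List[Flow], write_allowlist: Set[str], read_allowlist: Set[str]) -> List[Alert]:
    """Run the policy over a whole capture and collect alerts in capture order."""
    return [a for flow in flows for a in inspect(flow, write_allowlist, read_allowlist)]


# Constructed sample capture (assumed topology, not real traffic): 10.20.1.10 is the
# engineering workstation, 10.20.1.20 the HMI, 10.20.5.77 an unknown host behind a
# forgotten serial-to-Ethernet converter, and the PLC listens on 10.20.0.5.
PLC = "10.20.0.5"
WRITE_ALLOWLIST = {"10.20.1.10"}
READ_ALLOWLIST = {"10.20.1.10", "10.20.1.20"}
SAMPLE_FLOWS = [
    Flow("10.20.1.10", PLC, 502, build_request(1, 1, 0x06, struct.pack(">HH", 0x0010, 0x1234))),
    Flow("10.20.1.20", PLC, 502, build_request(2, 1, 0x03, struct.pack(">HH", 0x0000, 10))),
    Flow("10.20.5.77", PLC, 502, build_request(3, 1, 0x05, struct.pack(">HH", 0x0003, 0xFF00))),
    Flow("10.20.5.77", PLC, 502, build_request(4, 1, 0x2B, bytes([0x0E, 0x01, 0x00]))),
    Flow("10.20.5.77", PLC, 502, build_request(5, 1, 0x08, struct.pack(">HH", 0x0004, 0x0000))),
    Flow("10.20.1.10", PLC, 802, b"\x16\x03\x03\x00\x05hello"),  # TLS record, not inspectable
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS, WRITE_ALLOWLIST, READ_ALLOWLIST):
        print(f"[{alert.severity}] {alert.src}: {alert.message}")
```

Run it directly to print the alerts for the sample capture: the engineering workstation's write and the HMI's read pass silently, while the unknown host's coil write, device-identification probe and Force Listen Only request are flagged. Because the policy is keyed on source address and function code, it requires no change to the legacy device; a span port or tap in front of the PLC is enough. It also shows the trade-off of the secure variant: traffic on port 802 is protected by TLS, but that same encryption blinds passive inspection unless the sensor is given the keys.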

Legacy systems are permanent shadow current channels you own. But there's another category of persistent paths you don't fully control: third-party access. Vendors, contractors and service providers all create shadow currents that flow directly to your critical systems, and you may not even know they exist.

Don't Let Legacy Systems Become Your Biggest Security Risk

Windows XP is nearly 25 years old and still running critical infrastructure. Legacy OT systems create permanent attack channels that predate modern security. They can't be easily replaced, often can't be patched, and are flowing through your network right now.

Key figures from the sources cited above:

50% of OT decision-makers report that at least half of their OT environment relies on legacy systems (TXOne Networks, 2025)
85% of organizations don't conduct regular patching on OT systems (TXOne Networks)
43% experienced cyber incidents on legacy OT systems in the past year (TXOne Networks)
Over 90% of large and mid-size enterprises report that an hour of downtime costs $300,000 or more (ITIC, 2024)
The Five Reasons "Replace It Next Year" Never Happens

Downtime Economics: Over 90% of large enterprises report downtime costs exceeding $300,000 per hour, and 40% face costs over $1 million per hour. Against that, deferring an upgrade is financially rational, even if it is strategically dangerous.

Compatibility Cascade: Replacing one component can trigger a cascade of incompatibilities across the entire production line. Change one element and the shadow current finds new paths you didn't anticipate, potentially flooding systems that were previously secure.

Maintenance Windows: Nearly 60% of organizations only apply patches during planned downtime windows. In high-efficiency environments those windows may come only once or twice a year, far too slow when attackers move at internet speed.

Hardware Limitations: Many legacy devices lack the memory or application support for modern patches, and patching can disrupt the code already running on them or damage the devices themselves. The hardware wasn't designed for today's security requirements.

Deferred Maintenance Tax: Every dollar of maintenance deferred results in $4 of capital renewal. The longer you wait, the more expensive and complex the solution becomes, while the shadow current carves its channels deeper.

The Protocol Problem: Built Without Security in Mind

Legacy industrial protocols date from an era before cybersecurity was a design consideration: Modbus from 1979, DNP3 from the early 1990s.


The Reality: These protocols weren't designed to be secure—they were designed to be reliable. Security was someone else's problem, because the systems weren't supposed to be connected to anything external. Now they are, and the protocols can't be easily changed without breaking everything.

The Segmentation Illusion: Why Air Gaps Became Bridges

Network segmentation sounds great on paper—until you discover all the undocumented connections

Network segmentation is often recommended as a compensating control for legacy systems that can't be patched or upgraded. But implementation proves far more difficult than theory suggests.

Undocumented Connections: Legacy systems often have connections that predate current network diagrams. Serial-to-Ethernet converters added years ago. Modem lines for remote vendor access. Backup connections that "shouldn't" be there but were installed during an emergency and never removed.

Operational Requirements: Many legacy systems require remote vendor access for maintenance. They need to communicate with newer systems for data collection. Business requirements create connections that security policies try to prohibit.

Shadow Currents Find the Channels: The shadow current doesn't care about your network diagram. It finds these channels because they've been flowing through them for decades. Air gaps that turned out to be bridges. Segmentation that only exists in documentation.

The Visibility Gap: 62% Didn't Know They Were Vulnerable

Most organizations discover their legacy vulnerabilities only after being breached


What Attackers See: They map your network over months. They identify vulnerable systems. They position themselves for maximum impact. They wait for the right moment. The shadow current doesn't announce itself—it flows silently through infrastructure arteries until something catastrophic forces you to notice.


Managing Permanent Shadow Current Channels

End the Deferral Cycle

Develop a multi-year modernization roadmap with clear milestones and budget allocations. Transform legacy from a permanent liability into a managed transition.

Deploy Compensating Controls

If patching isn't possible, enhance monitoring of protocol anomalies. If segmentation is difficult, deepen inspection of legacy protocol traffic. If systems can't be hardened, harden the networks around them.

Understand Your Channels

You can't eliminate legacy shadow currents, but you can monitor them, segment around them, and control what flows through them. The goal: understand where these permanent channels lead and detect when attackers are using them.

Legacy Systems Are Permanent—Your Risk Doesn't Have To Be
