The OT security time bomb: Why legacy industrial systems are the biggest cyber risk nobody wants to fix
Tue Mar 10 2026
Critical Infrastructure
Critical Infrastructure
Healthcare
Manufacturing
Patch Management
Vulnerability
www.csoonline.com
When I first secured a production line, part of the control system was still running on an unpatched Windows XP machine tucked under a lab table — right next to the state-of-the-art GMP manufacturing setup that produced millions in value every day. Everyone knew that the system was a risk, but no one was willing to touch it as long as it “still worked.” That mix of technical debt, operational pressure and regulatory risk makes legacy operational technology (OT) today a time bomb — especially in energy and pharma. We have modern attackers, but outdated systems In nearly every OT security assessment I’ve led, I find the same setup: On the IT side, teams talk about zero trust, XDR and AI suppor...