
The persistence of decades-old technology in industrial settings is a fact of life. Operational technology (OT) environments in factories, power plants and critical infrastructure facilities are studded with industrial PCs running operating systems that the corporate IT world retired years ago. Windows XP, Linux 2.x and similar legacy OSs (out of respect for their longevity and service, let’s call them “vintage” systems) still live on as platforms for SCADA, ICS, HMI and DCS more than 20 years after they were first launched.
While one can admire their workhorse longevity and stability, these legacy systems also present some challenges in a fast-evolving regulatory and cyberthreat environment. They stand out in even starker contrast as the comparatively chaotic world of traditional IT begins impinging on OT operations in the wake of initiatives like Industry 4.0.
The stubborn value of vintage OT systems
Industrial engineering veterans understand and appreciate the persistence of OT systems running versions of Windows that Microsoft end-of-lifed back when the movie Interstellar was released, 11 years ago! That kind of longevity is baffling to a corporate IT professional who oversees the churn of laptops and desktops every three to five years. It’s practically beyond their imagination to consider OT technology like a PLC with a working life expectancy of 20 to 30 years. “How do you continue to support a fossil that hasn’t had a security patch since the days of the Ice Bucket Challenge?” they might ask.
The answer, of course, is that the stakes are far higher in the OT world if an update goes awry. It might be awkward for Fred from Accounting to go without his laptop for a few hours because his Windows update fails, but it’s probably not going to lead to the million-dollar production halt that could happen if that same update breaks the manufacturing execution system (MES). Stability in OT environments is justly prized, so resistance to change is a sound business practice.
But loss of functionality or uptime isn’t the only potential consequence of updating a vintage OT system. In many regulated industries, OS upgrades may trigger required retesting of every downstream automation sequence to ensure that the process has preserved compliance. In sectors like transportation, energy and pharma, installing even a minor software patch can necessitate a costly, time-consuming requalification exercise. If your automation vendor has stopped supporting your vintage platform (or gone out of business entirely), you have no choice but to maintain the software status quo until the entire system reaches its end of life.
But the “If it ain’t broke, don’t fix it” approach carries its own risks. The Stuxnet breach taught us that air-gapping doesn’t close every attack vector into a production facility, so any OT system that hasn’t been patched since the mid-2010s carries a nontrivial risk of exposure to ransomware or other attacks. And we all know that the days of shutting out external network connections completely are fading in the light of the cost and productivity advantages of wireless industrial IoT devices, cloud-based analytics, and the desires of corporate IT to monitor and control production environments.
How corporate IT views vintage OT systems
Walking in the corporate IT professional’s shoes for a minute, it’s not hard to understand why they blanch at the sight of an engineering workstation running Windows 7. In their world, every PC is regularly patched and updated by Microsoft, has its sensitive data protected with strong encryption, runs endpoint security like anti-ransomware and EDR, and is monitored and maintained by remote IT and security staffers. Such a machine, likely installed after the COVID pandemic, is much easier to keep within company security and compliance policies.
Those are worthy goals for someone who doesn’t have to preserve OT hardware, drivers, and timing characteristics that were first tested, certified and deployed when the kids were driving us crazy with the soundtrack to Frozen. Migrating those systems to newer, more easily secured and remotely managed hardware and OSs could adversely affect communication with field OT components or alter deterministic behaviors that are critical to plant operations. That’s before anyone factors in the cost of scheduling production downtime and then retesting and revalidating the entire process. From the plant manager’s perspective, the benefits the corporate CISO sees in upgrading vintage OT systems carry the potential for an outage that could end someone’s career in the field.
There’s a middle ground between these competing missions that can help assuage some of corporate IT leadership’s security and compliance concerns while also supporting plant management’s imperative to minimize production downtime. The answer lies in preserving the stability of vintage OT systems while hardening and isolating them as much as possible from the evils of the outside world. There are pragmatic ways to minimize attack surfaces while protecting the integrity and stability of vintage OT systems and the production processes they oversee.
Effecting security for unpatchable vintage OT
From corporate IT’s perspective, the problem with vintage OT systems is that they are riddled with vulnerabilities discovered in the years since they were first deployed. Further, the flow of security patches from the vendor to close these gaps stopped long ago with the vendor’s end of support. Cybercriminals are constantly scanning for these unpatched systems, ready to instantly pounce with ready-made exploits that AI tools have made even simpler to create. So how do we secure unpatchable vintage OT systems without putting production uptime at risk, at a moment when air gaps are being crossed with network connections to support Industry 4.0 projects? As with any modern cybersecurity challenge, the response must be layered and prioritized according to risk:
- Segment your networks. Purdue Model adherents will be well familiar with the concept of creating zones and conduits to limit the flow of potentially malicious traffic. Strict firewall rules are essential to protect vintage OT systems from malware incursions via connections to corporate IT and external cloud services.
- Harden access controls and use least privilege principles in the OT environment. The use of jump servers, multifactor authentication and tight credential management are essential to limit all but necessary and authorized access to vulnerable vintage OT systems.
- Use application control software to enforce allowlists for known legitimate executables.
- Harden vintage OT systems by disabling unused services and locking down USB ports and external media drives.
- Monitor OT network traffic for anomalous behavior with the help of sensors and passive network monitoring. By establishing a baseline of normal traffic, you can identify and generate alerts on traffic anomalies that may be indicators of compromise.
- Invest in robust backup and recovery processes and technology. Find a backup vendor that still supports vintage OSs, observe best practices like the 3-2-1 rule on backup media diversity and location, and create immutable backups to defend against malicious backup encryption. Test your recovery procedures regularly to ensure backup integrity and your ability to meet recovery time and recovery point objectives (RTOs and RPOs). Look for backup solutions that can be installed and managed without scheduled downtime or adverse performance impact on protected systems. Favor systems that offer self-service recovery, i.e., that enable recovery of failed OT systems by plant-level employees without IT’s help.
- Practice good governance for change management. Embrace the discipline necessary to document configuration changes, installed patches and network adjustments to vintage OT systems. Establish a golden image to which the system can be restored to a known good state if subsequent changes cause performance or functionality issues.
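The baseline-and-alert approach from the monitoring item above can be sketched as follows. This is an added example, not part of the original article or any vendor product; the flow records are constructed, the addresses are documentation ranges, and the host roles (HMI, historian, engineering workstation, PLC) and the volume threshold are assumptions.

```python
import csv
import io

# Constructed flow summaries, as a passive sensor on a mirror port might export them.
# Addresses are RFC 5737 documentation ranges; host roles are assumed for illustration.
LEARNING = """src,dst,proto,dport,bytes
192.0.2.20,192.0.2.5,tcp,502,1200
192.0.2.20,192.0.2.5,tcp,502,1350
192.0.2.30,192.0.2.5,tcp,502,900
192.0.2.40,192.0.2.5,tcp,44818,4000
"""
OBSERVED = """src,dst,proto,dport,bytes
192.0.2.20,192.0.2.5,tcp,502,1280
198.51.100.7,192.0.2.5,tcp,502,600
192.0.2.20,192.0.2.40,tcp,3389,52000
192.0.2.30,192.0.2.5,tcp,502,48000
"""

def parse_flows(text):
    """Parse CSV flow summaries into dicts with integer port and byte counts."""
    return [{**r, "dport": int(r["dport"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]

def learn_baseline(flows):
    """Map each (src, dst, proto, dport) conversation to the largest byte count seen."""
    baseline = {}
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        baseline[key] = max(baseline.get(key, 0), f["bytes"])
    return baseline

def detect(flows, baseline, volume_factor=5):
    """Return (reason, flow) alerts for traffic that deviates from the baseline."""
    known_sources = {k[0] for k in baseline}
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        if f["src"] not in known_sources:
            alerts.append(("unknown-source", f))      # host never seen while learning
        elif key not in baseline:
            alerts.append(("new-conversation", f))    # known host, new peer or service
        elif f["bytes"] > volume_factor * baseline[key]:
            alerts.append(("volume-spike", f))        # known conversation, unusual size
    return alerts

if __name__ == "__main__":
    for reason, f in detect(parse_flows(OBSERVED), learn_baseline(parse_flows(LEARNING))):
        print(f"ALERT {reason}: {f['src']} -> {f['dst']} {f['proto']}/{f['dport']} ({f['bytes']} bytes)")
```

Because OT traffic is highly repetitive, a short learning window usually captures most legitimate conversations; the baseline should be relearned under change management whenever a device or polling schedule is modified.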
Preserving vintage OT with acceptable cyber risk
The fact that we are still talking about PC-based OT components that were introduced in the early days of the 21st century is an amazing reflection on the durability of industrial engineering. But cybercriminals have noticed that industrial businesses still rely heavily on vintage OT and are subject to staggering downtime costs. This explains why these sectors became favorite targets for ransomware and other attacks in 2025. Amidst this criminal onslaught, charting a middle course between stability and security is a fraught endeavor. But it is possible to honor and extend the reliability of vintage OT systems while addressing modern cyber risk. To do so, successful OT leaders will have to wield a combination of defense-in-depth measures, proper governance procedures, and backup and recovery processes and systems optimized for production environments.



