It’s good to have reliable tech that performs for years, isn’t it? In OT environments especially, things are built to last. 

But what was installed 30 years ago might not be up to the challenges of the here and now. In 1996, the internet was still in its diapers, and AI was mostly sci-fi. Now, for more than a decade, the internet has been enabling better efficiencies by cracking open the formerly immaculately siloed OT landscape. This is especially true where legacy systems face capital pressures and where we can locate the convergent OT/IT future. 

It’s no longer strictly about production; it’s about better visibility, remote control, and above all, data. But wherever systems are connected, exposure follows. Simply, it takes significant effort to secure an environment but only a single weak point to compromise it.

Key points of this article:

  • Your factory may run like clockwork, but the legacy OT behind it is quietly accumulating risks that today’s threat landscape may easily exploit.
  • What once were isolated, purpose‑built industrial systems are now being connected for efficiency’s sake—unknowingly opening doors that cybercriminals can walk right through.
  • A simple upgrade meant to enable remote management can instead act as a bridge for attackers, turning a formerly safe factory floor into a vulnerable digital surface.
  • Replacing OT systems is unrealistic for most factories due to associated costs in capital and time. However, downtime from an OT-connected incident doesn’t just disrupt production; it jeopardizes contracts, triggers fines, and can seriously damage brand trust.
  • As IT rapidly evolves and OT moves at a glacial pace, the real challenge isn’t innovation but securing two worlds that were originally not designed to meet.
  • ESET PRIVATE steps in where traditional security stops, offering long‑term, OT‑focused protection designed to keep legacy systems safe without forcing disruptive upgrades.

Why legacy OT systems create cybersecurity risk in manufacturing

Productivity gains are a cybersecurity risk. Yes, really.

Let’s say you have an automotive parts manufacturer using legacy OT (mainly PLC-controlled machinery) that was installed 20-30 years ago. While those machines are still reliably running, their control systems are anything but modern. Over time, the executive board might ask, for efficiency’s sake, to improve on-site monitoring, so project managers gradually connect the factory floor to the corporate IT network—which is where the trouble begins.

Historically, OT networks were purpose-built around designed-for-industry protocols and were effectively protected via “security through obscurity” and air-gapped separation from other business networks. In other words, you had your factory floor but also the administrative offices as separate units with walk-in monitoring.

One day, the company introduces a modern remote desktop protocol (RDP) solution to enable remote management. In other words, the administrator doesn’t have to travel to observe the factory floor anymore; they can do it digitally from the comfort of their office chair. Moreover, they might want more than just the internal admin to have access, enabling subcontractors from abroad to connect as well. 

But while they might leverage RDP via modern devices, the tech on the floor that’s worked consistently for more than 15 years (meaning PLCs, HMIs, SCADA systems) isn’t anywhere near ready to be remotely exposed. 

IT professionals are, of course, dutiful about their tasks. They keep devices secure so they don’t get compromised. But a compromise is a matter of when, not if. RDP is one of the most common threat vectors for potential attacks due to its many vulnerabilities, or more specifically, missing security controls. 

For example, SMBv1 (dating back to the 1990s), a companion protocol to RDP that enables it to access files, printers, and other network resources, was widely exposed by the EternalBlue exploit, enabling the global WannaCryptor ransomware attacks.

While the concern may be the factory floor, a breach and subsequent disruption may just follow the path of least resistance. A single spearphishing email or one malicious link or PDF, and voila, your whole operation is down due to ransomware or, worse, a data wiper. A production shutdown remains a strong possibility.

Penetrating OT networks has become easier for threat actors with the use of network protocols built on top of publicly documented internet protocols, vulnerable human-machine interfaces, and other computing devices that run consumer operating systems, all heightened by the encroachment of industrial IoT devices at production plants, where even air-gapping could be undermined.

“Oh well, IT can stop it.” Or can they? With OT, engineers must physically visit the machines, which takes time and skill. Meanwhile, production is halted, disrupting delivery. What’s worse, in highly controlled industries, known vulnerabilities could enable such attacks easily just because every single upgrade requires a new set of certifications [1] to continue operations.

And therein lies a conundrum: OT and industrial control systems (ICS) are tough to replace and even harder to upgrade. Many OT environments rely on obsolete hardware (reportedly at least 62% of U.S. companies), unsupported operating systems (like Windows 7), and insecure protocols that were never designed with cybersecurity in mind. In some cases, like Industroyer, which disabled parts of the Ukrainian power grid in 2016, bad actors with nation-state backing can and do turn these protocols against their own masters.

Meanwhile, the likelihood of regulatory fines rises by the minute, and the PR department is also praying with all its might for a resolution before the story hits partner and customer news feeds.

Is there an easy way out? At that point, no—the doors would be closed. Redundancies must be built preemptively; otherwise, you’re caught off guard.

Why the aversion to replacing legacy OT systems?

Manufacturing companies with long-running production lines, such as automobile and component makers, medical device manufacturers, or even highly specialized computer chip fabs, must maintain the continuity of their operations to satisfy their contracts.

Hence, any disruption related to OT upgrades is just another minus in their pre-budgeted earnings plan due to replacement costs and missing production. There’s a reason why mobile device manufacturers, for example, rarely if ever change their CPU suppliers. It takes a lot more R&D, risk, and both in-house and external knowledge, not to mention potentially starting from scratch when you already have a stable production pipeline. So facilities tend to let their legacy OTs be. As long as it works, right?

Image 1. A typical OT environment

These slowly evolving, tightly controlled environments demand long life cycles. But in the world of IT, one which is now pushing ever more deeply into OT territory, there’s no such thing as stagnation. 

What’s more, if you look through a software lens, the fact is that code (including malware) evolves faster than hardware does. The same goes for firmware, which is hardware specific and has been in use for decades. In such environments, applying patches might not be feasible due to incompatibility or the disappearance of external vendors, ultimately leaving systems exposed until the next shutdown. Or forever.

The business impact of unmanaged legacy OT risk

We asked ESET’s Head of Corporate Solutions NORAM, Andrea Doyle, to weigh in on this topic. She has years of experience working with clients running complex infrastructure: “Legacy systems aren't the problem, unmanaged risk is. Most manufacturers can't simply rip and replace decades of operational technology. The real danger isn't the age, it's operating critical systems without a security architecture designed for long lifecycles and limited patchability.”

Updates for firmware are scarce and rather difficult. But perhaps there’s an approach that could bridge the gap between legacy infrastructure and modern security needs?

“Organizations don't need to replace all systems to reduce cyber risk, they need a strategy that secures what must keep running. Unsupported systems don't just elevate cyber exposure; they amplify business risk. In OT, downtime costs far more than incident remediation. Security strategy has to align with operational reality, not disrupt it,” Doyle added.

Therefore, for manufacturers, perhaps it’s not about innovation, really. If we are to assume that production facilities must keep running, predictability is more valuable than anything else. Operators need to plan ahead. Which is where achieving resilience also comes into play.

“CISOs in manufacturing, energy, defense and healthcare must evaluate if their legacy systems are still supported. If they aren't, the answer isn't abandonment, it's long-lifecycle security support designed specifically for OT environments,” Doyle said.

How to secure legacy OT environments without disrupting production

Assumptions need to be reevaluated. On-premise, long-life, and legacy systems will not disappear. They will coexist with modern platforms for decades. The real challenge is not choosing between old and new but securing the entire IT and OT ecosystem consistently and realistically.

Therefore, not only do manufacturing companies require malware protection on endpoints that must perform reliably under their unique and high-security conditions to keep every single device safe, but their security solution also needs to ensure long-term support with minimal impact on their software and hardware infrastructure over an extended period.

“This is exactly where lifecycle-driven security models such as ESET PRIVATE Industrial Security are designed to operate,” commented Andrea Doyle.

ESET PRIVATE for long-term OT and legacy system security

As Doyle suggested, ESET has an answer. ESET PRIVATE Industrial Security delivers security solutions custom built for OT environments, including ESET Lifecycle Solutions purposefully designed with different time frames in mind:

  • Standard Solution and Support (3 years):
    Designed for IT environments that have no limitations in updating their devices. Customers have access to the latest versions of the operating system and ESET solutions, ensuring the highest level of protection and compatibility.
  • Long-Term Support (7-10 years):
    Intended for customers in OT or other critical environments who need a stable version of ESET security solutions over an extended time frame. This ensures predictable, long-term security without frequent version changes, supporting business continuity in sensitive or regulated environments.
  • Legacy Support (10+ years, tailored to customer timelines):
    Intended for customers who need to operate legacy devices, operating systems, or use ESET solutions that reach end of life and cannot be upgraded due to technical, operational, regulatory, or business constraints.

ESET’s Legacy Support includes security provisions for outdated operating systems like Windows XP SP3, Windows 7, Windows Server 2008, and many more. When disruption-free long-term operation is in question, support has to maintain its pace and respect its legacy.

Legacy Support focuses on risk mitigation rather than full feature parity. ESET PRIVATE Industrial Security provides security coverage for selected legacy platforms through controlled product versions, signature updates, and tailored security configurations. The goal is to reduce exposure to known threats and extend safe operation of critical legacy assets.

Image 2. ESET Lifecycle Solutions overview

What long-term OT security support delivers for manufacturers

Remember, the goal is to cover gaps due to missing updates, an approach best implemented on premises to ensure heightened reliability and more predictable timelines. ESET PRIVATE’s highly experienced DevOps teams are dedicated to long-cycle solutions, continuously working on identifying and mitigating weaknesses in legacy solutions and enabling early detection of risks across an entire installation base. This improves preparedness and response in case of a critical incident. 

ESET delivers comprehensive cybersecurity technologies for both IT and OT environments as fully on-premise deployments, on a platform that is continuously enhanced and further developed, offering protection spanning modern industrial systems to decades-old legacy platforms.

ESET PRIVATE Industrial Security’s OT designs respect the operational, safety, and availability constraints of its unique customers. Our industry-agnostic technologies are applicable across manufacturing, energy, utilities, transportation, and other critical sectors, delivered directly or in OEM technologies.

Legacy Support also includes assistance with configuration and deployment, as well as recommendations for compensating security controls (end-to-end solutions). As for operation, we offer a dedicated update infrastructure ensuring the controlled delivery of updates across several years, with a predictable cost model and a dedicated SLA manager for hands-on contact.

For OT, ESET PRIVATE also provides cybersecurity advisory, tailored solution design, development, and implementation, as well as managed services, including SOC as a Service for human-led monitoring.

Bridging legacy OT and modern security requirements

In OT environments, things are built to last, so support must go hand in hand to make sure that they will. The modern threat landscape is incongruent with the business continuity needs of critical industries such as manufacturing, for which long-term planning is a constant, even as evolving bad actors look to subvert it.

So what gives? Are legacy OT users destined for a life sentence of persistent vulnerabilities? Is the gap between legacy and modern requirements insurmountable? Thankfully, no. Bridging them, however, requires a life-cycle-focused approach, closing the gaps with bespoke security designed with long-term objectives in mind. 

Contact us to learn about modern security solutions designed specifically for OT and industrial systems: https://www.eset.com/us/business/corporate-solutions/#contact-us


Additional references
1) For example, the UK’s Supply of Machinery (Safety) Regulations 2008 apply to changes concerning the assembly of machines, so following any major reconfigurations, full assessments of conformity with the rule must be conducted.