How to Protect Legacy Operational Technology from Cyber Risk
June 18, 2026
By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity
Executive Summary
Operational technology runs the physical side of your business. The press, the conveyor, the temperature controller, the valve that opens at 6 a.m. every day. Much of it was installed before network-borne attacks were a thing. And a lot of it's still running today. That's the problem. According to the SANS Institute, nearly 60% of attacks on operational technology start inside the corporate IT environment, which means the equipment you've trusted for years is reachable via the same network you use for email. This post explains what legacy OT is, why it's exposed, what the current threat data shows, and the steps you can take to protect production without halting it.
What Is Operational Technology?
The Cybersecurity and Infrastructure Security Agency, known as CISA, defines operational technology, or OT, as programmable systems or devices that interact with the physical environment, or manage devices that interact with the physical environment. That includes industrial control systems, supervisory control and data acquisition systems known as SCADA, programmable logic controllers known as PLCs, building management systems, and physical access control mechanisms. If a computer is telling a motor when to spin or a valve when to open, that's OT.
Legacy OT refers to the equipment that's been running the same physical process for years, often a decade or more, on hardware and operating systems that predate modern security expectations. Industrial protocols designed in the 1990s didn't include authentication, encryption, or meaningful logging. They didn't need to. The machines were isolated. Then Industry 4.0 connected them to enterprise networks, and the assumption that "nothing untrusted could reach them" stopped being true.
What the Data Shows
The SANS Institute's 2025 ICS/OT Cybersecurity Survey found 22% of organizations in essential industries reported a cybersecurity incident in the prior year. Of those incidents, 40% caused operational disruption, and nearly 20% took more than a month to remediate. That's a month of degraded production, missed shipments, and contract penalties for businesses that operate on just-in-time delivery commitments.
The Jaguar Land Rover attack disclosed in 2025 is now widely described as the most damaging cyberattack in British history, with reported recovery costs and downstream supplier impacts running into the billions. One production line going dark pulled dozens of suppliers down with it. If you're a tier-two or tier-three manufacturer serving a defense prime or a Detroit Three automaker, that's the scenario your customer is now asking about in their vendor security questionnaires.
Why Is Legacy OT Harder to Secure Than IT?
In a manufacturing plant built around uptime, taking a running line down to patch a controller is a hard sell. The equipment is embedded in the physical process. The vendor may have ended support years ago. The operating system underneath may be Windows XP or Windows 7. There may be no agent that can run on it without affecting performance. Cybersecurity agencies have a name for this condition: self-established obsolescence. The longer the equipment runs without intervention, the harder intervention becomes.
Ransomware operators understand this calculation. Some now develop dedicated OT capabilities. Others don't need to. Infiltrating enterprise IT and letting the dependencies do the rest is often enough to halt a plant, because the business systems that schedule production, manage inventory, and authenticate operators are connected to the OT network through interfaces never designed with adversaries in mind.
"Manufacturers tell us their legacy equipment is the heart of the operation. That's exactly why it deserves a security strategy built around it, not bolted on after an incident. You don't have to halt the line to start protecting it. You have to start by knowing what's on it."
Rich Miller, CEO, STACK Cybersecurity
Five Facts
- Nearly 60% of OT attacks originate in the corporate IT environment, according to the SANS Institute's 2025 ICS/OT Cybersecurity Survey.
- In the prior 12 months, 22% of organizations in essential industries reported a cybersecurity incident, per the same SANS survey.
- Forty percent of those reported incidents caused operational disruption, and nearly 20% took more than a month to remediate.
- NIS2, the European Union directive that took full effect in 2024, now imposes stricter cybersecurity requirements on critical industries including manufacturing, with penalties for non-compliance reaching €10 million or 2% of global annual turnover.
- For military contractors and their suppliers, Cybersecurity Maturity Model Certification, known as CMMC, requires demonstrable security controls across both IT and OT environments that handle controlled unclassified information (CUI).
How STACK Protects Legacy OT Systems
Most manufacturers and industrial businesses can't simply replace aging equipment because a vendor stopped supporting it. Production lines, industrial control systems, and specialized machinery often remain in service for years after operating systems and software reach end of life. The challenge is finding a way to reduce cyber risk without disrupting production.
STACK helps businesses build layers of protection around operational technology environments using a combination of asset visibility, network segmentation, monitoring, access control, and recovery planning. The goal is to reduce risk while keeping production moving.
OT Asset Discovery and Risk Assessments
You can't secure systems you don't know exist. We begin by identifying OT assets, mapping network connections, documenting unsupported platforms, and evaluating how production systems interact with the rest of your environment. Many shops discover forgotten devices, undocumented remote access paths, and systems that haven't been reviewed in years.
Network Segmentation
One of the most effective ways to reduce OT cyber risk is separating production systems from business systems. If a phishing attack compromises an employee workstation, that shouldn't provide a direct path to industrial control systems. STACK helps design and implement segmentation strategies that make lateral movement significantly more difficult.
24/7 Monitoring and Threat Detection
Most cyber incidents begin in the IT environment before spreading to operational systems. Through network monitoring, log collection, and managed extended detection and response (MXDR) services, STACK helps identify suspicious activity before it impacts production. Visibility between IT and OT environments is often the difference between a contained incident and a plant-wide outage.
Secure Remote Access
Remote access is frequently one of the largest OT security risks. Vendors, engineers, contractors, and employees often require access to production systems from outside the facility. STACK helps secure these connections, which reduces unnecessary exposure.
Recovery Planning and Tabletop Exercises
A backup alone doesn't guarantee recovery. We help businesses develop recovery plans, test assumptions, document dependencies, and conduct tabletop exercises so leadership understands how an incident would be handled before one occurs.
Not Sure Where Your OT Risks Are?
A Cybersecurity Risk Assessment can help identify unsupported systems, insecure remote access, weak segmentation, recovery gaps, and other risks that commonly affect operational technology environments.
Inventory, Identify, Improve, Evaluate
If you're responsible for manufacturing operations, engineering systems, or industrial technology, these are the four most valuable steps you can take.
- Build an OT asset inventory. Document PLCs, HMIs, SCADA servers, engineering workstations, historians, firmware versions, support status, and network connectivity.
- Review IT-to-OT connectivity. Identify every firewall, VPN, jump host, remote access tool, and system that bridges production and business networks.
- Improve segmentation and monitoring. Limit unnecessary communication paths and increase visibility into traffic crossing IT and OT boundaries.
- Evaluate unsupported systems. Create a roadmap for systems running end-of-life operating systems, unsupported firmware, or aging industrial control platforms.
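As an added example (not code from the original post or from STACK), the following Python script works those four steps over a constructed asset inventory: it lists end-of-life platforms, enumerates every direct path from business-network hosts into the OT zone, flags the paths that bypass a jump host, and turns the result into a short segmentation and upgrade roadmap. The inventory format, field names and sample devices are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str            # PLC, HMI, SCADA server, historian, workstation, ...
    zone: str            # "IT", "DMZ" or "OT"
    platform: str        # operating system or firmware version
    supported: bool      # still receives vendor / OS security fixes
    peers: list = field(default_factory=list)  # directly reachable hosts
    is_bridge: bool = False  # jump host or firewall intended to cross zones

# Constructed sample inventory (assumption, not real plant data).
INVENTORY = [
    Asset("eng-ws-01", "workstation", "IT", "Windows 7", False, ["plc-press-1", "jump-01"]),
    Asset("jump-01", "jump host", "DMZ", "Windows Server 2022", True, ["scada-01"], is_bridge=True),
    Asset("scada-01", "SCADA server", "OT", "Windows Server 2016", True, ["plc-press-1", "hist-01"]),
    Asset("plc-press-1", "PLC", "OT", "firmware 2.1", False, []),
    Asset("hist-01", "historian", "OT", "Windows XP", False, []),
    Asset("mail-01", "mail server", "IT", "Linux", True, []),
]

def unsupported(assets):
    """Step 4: every asset whose OS or firmware is end-of-life."""
    return sorted(a.name for a in assets if not a.supported)

def it_to_ot_paths(assets):
    """Step 2: each direct hop from a non-OT host into the OT zone.
    Returns (source, target, via_bridge); via_bridge False means a
    business-network host reaches OT without a jump host or firewall."""
    by_name = {a.name: a for a in assets}
    paths = []
    for a in assets:
        if a.zone == "OT":
            continue
        for peer in a.peers:
            target = by_name.get(peer)
            if target is not None and target.zone == "OT":
                paths.append((a.name, peer, a.is_bridge))
    return paths

def roadmap(assets):
    """Steps 3 and 4: unsupported OT assets reachable directly from IT
    need segmentation first; the remaining EOL systems get an upgrade plan."""
    direct = {t for _, t, via in it_to_ot_paths(assets) if not via}
    eol = set(unsupported(assets))
    urgent = sorted(eol & direct)
    return {"segment_now": urgent, "plan_upgrade": sorted(eol - direct)}
```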
Frequently Asked Questions (FAQs)
What is operational technology (OT)?
Operational technology (OT) includes the systems, devices, and software that monitor or control physical processes. Examples include industrial control systems (ICS), SCADA systems, programmable logic controllers (PLCs), manufacturing equipment, building management systems, and connected production environments.
What is the difference between IT and OT security?
IT security focuses on protecting data, users, applications, and business systems. OT security focuses on protecting physical operations, industrial equipment, uptime, and safety. While the two environments are increasingly connected, OT systems often have unique security challenges because downtime can directly affect production and operations.
Why are legacy OT systems difficult to secure?
Many legacy OT systems were designed long before today's cybersecurity threats emerged. They may run unsupported operating systems, rely on industrial protocols that lack modern security controls, or support critical production processes that cannot easily be taken offline for upgrades or patching.
Can legacy OT equipment be protected without replacing it?
Often, yes. Businesses commonly improve security through network segmentation, multifactor authentication, access controls, monitoring, asset inventories, secure remote access, documented recovery procedures, and compensating controls that reduce risk without disrupting operations.
How does ransomware affect operational technology?
Ransomware often starts in the IT environment but can disrupt production by affecting identity systems, engineering workstations, file servers, remote access tools, scheduling systems, or connected OT assets. Even if production equipment is not directly encrypted, supporting systems may be impacted.
What should manufacturers do first to improve OT security?
Start by identifying what is connected. Build an inventory of OT assets, map connections between IT and OT environments, review remote access pathways, and verify backup and recovery procedures. Visibility is often the first and most important step toward reducing risk.
Does CMMC apply to operational technology systems?
It can. If operational technology systems store, process, transmit, or connect to environments containing Controlled Unclassified Information (CUI), they may become relevant during CMMC scoping and compliance reviews. Manufacturers supporting the defense industrial base should carefully evaluate how OT systems interact with their CUI environment.
Work with STACK
If you're not sure whether your current controls, workflows, and employee training are enough, contact STACK Cybersecurity to have their expert team manage your information technology and cybersecurity needs. STACK is a security-forward IT managed service provider (MSP), based in Livonia, Mich.