When Old Tech Bites Back: Legacy Problems No One Wants to Touch

I recently watched a crime movie in which the protagonists had to ditch their spyware-ridden smartphones and pull out old Nokias instead. In this scene, the tech guy said: 'We're exploiting the only weakness of new technology: old technology.'

This was, of course, fiction, but it is also one of the most accurate unintentional summaries of the reality of modern cybersecurity.

Legacy infrastructure is the quiet backbone of our modern industry. While many companies proudly advertise AI-enhanced platforms, cloud-native solutions and containerised workloads, a significant proportion of critical operations still rely on systems that are older than the people securing them.

But legacy infrastructure is not only about outdated and insecure hardware; it can also refer to protocols, software, operating systems, or even contracts that lack important provisions that have been added over time. Think of Windows XP in production use or OT devices that cannot be patched without shutting down an entire plant.

In the IT world, legacy systems are seen as costly and inconvenient. In the OT world, however, legacy systems are often critical. Unplugging them is simply not an option when they are powering cities, heating homes or running factories where there is near-zero tolerance for downtime.

There are three main reasons, among many others, why legacy infrastructure is still in use. First, industrial systems often follow the philosophy of not updating unless absolutely necessary: many OT devices are designed to run for decades, replacing OT parts is risky and costly, and an update can introduce failures or require new, expensive certifications for compliance. Second, sometimes the vendor no longer exists, so an update would require the system to be completely redesigned. Lastly, many components are deeply intertwined with other systems through custom integrations, old protocols or simply undocumented logic; even a small change can break the whole system, either immediately or after a period of time.

Unfortunately, this knowledge is not just in the hands of the defenders; the hackers are quite familiar with the situation, too. They can intentionally hunt for vulnerabilities in outdated, unpatchable, unmonitored or internet-exposed components. And they not only know that these components exist, but also how to exploit them and where they are often found: critical infrastructure.

Consider the impact on the UK's National Health Service during the WannaCry outbreak in 2017. The malware exploited a Windows vulnerability on an unprecedented scale, but it wasn't just the malware itself that forced hospitals to divert ambulances and cancel thousands of appointments. Rather, it was the prevalence of Windows XP and other unsupported versions still in use across clinical and administrative systems. Relying on end-of-life systems created an environment in which a known exploit could result in not only data loss, but also real-world harm. 19,000 appointments had to be cancelled and £92 million was lost due to business interruption and incident response costs.

This is just one famous example of hackers misusing legacy hardware. To be fair, OT is a whole other level. It's harder to understand and patch, and it's difficult to know who to blame when there's simply no money to replace outdated systems or test updates without rendering any important devices unusable.

Outdated IT components can also have disastrous consequences, and Equifax is a prime example. It ran its services on the well-known web stack Apache Struts and exposed them to the public. The Apache Struts project was slow to release updates because ownership was unclear at the time, but the vulnerability in its code could be patched. Equifax, however, kept relying on this open-source product, merely consuming what had been programmed without contributing anything back, such as code changes or a fix for the flaw. In turn, hackers exploited the vulnerability and stole the personal data of 147 million people, resulting in settlements and fines totalling almost $700 million. This is a perfect example of how a software component becomes legacy when an organisation stops maintaining it with the same priority as newer software. In other words, legacy is not just about age, but also about attention.

These incidents are not just about missed updates; they demonstrate the limitations that outdated technology places on what defenders can realistically prevent or respond to. It is impossible to detect what you don't know exists, and it is impossible to secure systems whose development lifecycles ended years before today's threat landscape emerged.

Attacks on legacy systems do require knowledge, but not necessarily highly sophisticated malware. WannaCry did not specifically target hospitals; it targeted long-standing vulnerabilities in Windows systems, and many organisations still relied on these systems for various reasons. Equifax, too, was not compromised by an exotic zero-day; it fell to a well-documented flaw in ageing software.

So, how can those of us in cybersecurity deal with a past that keeps asserting itself in the present? Make everything visible. Make sure you know exactly what is running within your legacy infrastructure. Identify what's vulnerable, where the risks are high, what can be updated and what could fail. Anything that cannot be replaced must be secured using modern measures, including firewalls, network segmentation and strong authentication. The latter can be particularly important; there are many examples of successful or near-successful hacks, such as the attack on the Polish energy infrastructure in December 2025, where the attackers gained access using default credentials, without the need for malware or exploits. Finally, simulate. Simulate attacks, patches and failures to develop a clear strategy for unexpected events.
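The visibility step above is easiest to act on when the inventory itself tells you what to segment or retire first. The following is an added example, not code from the post or its author: a small triage over a constructed asset inventory that flags each host as end-of-life, internet-exposed, unpatchable or still on default credentials, then ranks the flagged hosts by criticality. The host names, the "Vendor RTOS" entry, the scoring weights and the reference date are all assumptions made for the example.

```python
"""Legacy-asset triage over a constructed inventory (added example, not the post's code)."""
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    name: str
    os: str
    eol: date             # vendor end-of-support date
    internet_exposed: bool
    patchable: bool       # can it be updated without taking the plant down?
    default_creds: bool   # still on factory credentials?
    criticality: int      # 1 (low) .. 3 (runs something that must not stop)

# Constructed heuristic weights: exposure and default credentials rank highest
# because, as the post notes, they need no malware or exploit to abuse.
WEIGHTS = {"end-of-life": 3, "internet-exposed": 4, "unpatchable": 2, "default-credentials": 5}

def risk_flags(a: Asset, today: date) -> list:
    """Return the list of risk conditions that apply to one asset."""
    flags = []
    if a.eol <= today:
        flags.append("end-of-life")
    if a.internet_exposed:
        flags.append("internet-exposed")
    if not a.patchable:
        flags.append("unpatchable")
    if a.default_creds:
        flags.append("default-credentials")
    return flags

def risk_score(a: Asset, today: date) -> int:
    """Weighted flag sum, scaled by how critical the asset is to operations."""
    return a.criticality * sum(WEIGHTS[f] for f in risk_flags(a, today))

def triage(assets, today: date) -> list:
    """Return (name, score, flags) for every flagged asset, highest risk first."""
    ranked = [(a.name, risk_score(a, today), risk_flags(a, today)) for a in assets]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: -r[1])

TODAY = date(2025, 6, 1)  # assumed reference date for the example
SAMPLE = [  # constructed inventory; "Vendor RTOS" is a placeholder OS name
    Asset("hmi-01", "Windows XP", date(2014, 4, 8), False, False, False, 3),
    Asset("web-portal", "Linux", date(2030, 1, 1), True, True, False, 2),
    Asset("substation-rtu", "Vendor RTOS", date(2012, 1, 1), True, False, True, 3),
    Asset("file-srv", "Windows Server 2019", date(2029, 1, 9), False, True, False, 1),
]

if __name__ == "__main__":
    for name, score, flags in triage(SAMPLE, TODAY):
        print(f"{score:3d}  {name:15s} {', '.join(flags)}")
```

The ordering it produces is the point: the unpatchable, exposed RTU on default credentials lands at the top ahead of the isolated XP host, which is exactly where segmentation and credential changes should be spent first.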

Legacy is technical debt with interest, compounding in attacker time. The only weakness of new technology is old technology, but only if we allow it to remain so. When we bring it to the surface, defend it and retire it deliberately, we transform systemic risk into manageable, known risk. When we don't, we leave opportunity on the table, just not for us.


There are plenty of cybersecurity blogs out there - but this one’s a little different. Think of it as your personal cyber bedtime story: a calm(ish), reflective read to end your day, with just the right mix of insight, realism and a touch of provocation.

I’m thrilled to introduce The Luna(r) Brief, a new monthly blog series that the brilliant Luna-Marika Dahl will be writing for Cybersecurity Redefined - published on the second Monday of each month at 9PM CE(S)T.

Why late? Because cybersecurity doesn’t sleep - and neither do the thoughts that keep us up at night.

Each post is designed to be a thoughtful end-of-day read - short enough to digest after work, deep enough to spark new thinking.
