COMMENTARY: The term "legacy IT" might evoke an image of dusty servers and obsolete software quietly churning away in the corner of a data center. But in reality, these systems often sit at the heart of critical operations for hospitals, banks, manufacturing plants, and many government agencies.
The problem? They’ve become a hacker’s dream.
Legacy systems are the Achilles’ heel of modern cybersecurity strategies. They operate on borrowed time, often running outdated software and hardware long past their intended life span. Despite this, businesses across sectors continue to rely on them, sometimes by necessity, but often out of reluctance to invest in replacements. Unfortunately, this approach proves costly as attackers increasingly exploit the known vulnerabilities inherent in these outdated systems.
The wake-up calls we can’t ignore
In the last year alone, there have been stark reminders of the risks unpatched legacy systems pose. Consider the case of Royal Mail, the UK’s postal service, which suffered a major ransomware attack in early 2023. The attackers exploited an unpatched vulnerability in legacy IT systems, halting international deliveries for weeks. The financial and reputational impact of the breach was significant, but it wasn’t a standalone incident.
The healthcare sector has been particularly hard-hit. A breach in 2023 involving a major U.S. hospital chain exposed how outdated medical devices, running on unsupported operating systems, were exploited to gain access to sensitive patient data. These medical devices, such as imaging and diagnostic systems, often cannot be patched because of regulatory restrictions or compatibility concerns. The result? A treasure trove of vulnerabilities ripe for exploitation.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Meanwhile, the critical infrastructure sector has seen its share of alarm bells. In mid-2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory warning operators of industrial control systems (ICS) about vulnerabilities in legacy equipment used in energy and water utilities. The potential for cascading disruptions to essential services underscored how outdated systems remain central to many operations – and their risks.
Why we keep kicking the can down the road
Why do so many organizations let these vulnerabilities persist? The answers aren’t always about negligence or complacency. There are genuine challenges to addressing the problem. They include the following:
- Financial constraints: Upgrading or replacing legacy systems costs money, especially for organizations in sectors with tight budgets, like healthcare or small manufacturing firms. For many, the immediate cost of replacing systems outweighs the perceived risk of keeping them online.
- Downtime fears: Taking critical systems offline for upgrades or patching can disrupt operations. It’s especially true for sectors such as manufacturing or logistics, where even minor downtime can lead to massive losses.
- Dependency and complexity: Legacy systems are often tied to critical business applications that were custom-built years ago and may no longer be compatible with modern systems. In many cases, the expertise needed to migrate or replace these applications no longer exists within the organization.
- False sense of security: Organizations often believe that perimeter defenses, like firewalls and intrusion detection systems, are sufficient to protect legacy systems. This misplaced confidence often leads to a lack of urgency in addressing vulnerabilities.
The stakes get higher
This isn’t just a theoretical discussion. The threats to legacy systems are real, growing, and increasingly costly.
The ransomware group LockBit has made waves in the past year by targeting organizations running outdated software, knowing that these entities are less likely to have robust defenses or quick recovery mechanisms. Their strategy is simple: exploit known vulnerabilities in legacy systems, encrypt critical data, and demand exorbitant ransoms. For businesses caught off-guard, the choice often boils down to paying up or losing everything.
It’s not just ransomware. State-sponsored actors are also in the mix. A recent report from Microsoft’s Threat Intelligence Center highlighted how a Chinese APT group leveraged vulnerabilities in outdated servers to conduct espionage campaigns targeting Western defense contractors. The reliance on legacy systems by some of these contractors left gaping holes in their networks, allowing attackers to siphon sensitive data undetected for months.
The hard truth: legacy systems aren’t going anywhere overnight. But that doesn’t mean organizations can afford to stay passive. There are actionable steps that, while not perfect, can significantly reduce the risks:
- Understand the attack surface: Start by acknowledging the problem. Organizations must conduct thorough audits to identify every piece of legacy IT equipment in their environment. This isn’t just about ticking boxes on an inventory list—it’s about understanding the role each system plays and the risks it introduces.
- Patch, where possible: It’s often easier said than done to patch legacy systems. But where patches are available, organizations need to prioritize their application, even if it means scheduling downtime. The cost of an attack will almost always outweigh the cost of temporary disruptions.
- Segment and isolate: Companies can limit the damage of an attack via network segmentation. Never let users access legacy systems from the internet, and strictly control any access within the network. Isolation can mean the difference between a contained breach and a catastrophic one.
- Virtual patching and compensating controls: When patching isn’t feasible, virtual patching can serve as a stopgap. This involves using intrusion prevention systems (IPS) or web application firewalls (WAF) to block exploit attempts targeting known vulnerabilities. While not a permanent fix, these measures can buy organizations time to develop longer-term solutions.
- Plan for the future: Ultimately, patching and band-aid solutions are only delaying the inevitable. Organizations need a roadmap for upgrading or replacing legacy systems. This requires buy-in from leadership, budget allocation, and a clear timeline. The longer organizations wait, the higher the costs – both financial and operational.
Organizations aren’t the only ones at fault here. Vendors that design critical systems without long-term security considerations bear some responsibility. The medical devices compromised in recent attacks often cannot get patched because the vendors designed them to rely on fixed configurations. Regulators and industry groups need to push vendors to adopt better practices, including built-in update mechanisms and longer-term support commitments.
Governments can also play a role. Incentives, whether in the form of grants, tax breaks, or subsidies, could help organizations in resource-constrained sectors afford the costs of upgrading legacy systems. Public-private partnerships, such as those championed by CISA in the U.S., can also drive awareness and collaboration to address systemic vulnerabilities.
We live in an era where cybersecurity threats are relentless, sophisticated, and often devastating. The persistence of legacy IT systems in critical operations has become more than just a technical debt issue: it’s a strategic vulnerability. For organizations, it’s a clear message: the cost of maintaining outdated systems far exceeds the investment needed to secure or replace them.
Recent incidents underscore the urgency of addressing the vulnerabilities in legacy IT systems. Attackers have demonstrated their ability to exploit these weaknesses effectively, causing significant operational, financial, and reputational harm. Businesses, vendors, and governments must move beyond incremental fixes and prioritize comprehensive strategies to mitigate these risks. Delaying action only increases the eventual cost, measured in monetary terms and also in the resilience and security of critical infrastructure and operations.
Callie Guenther, senior manager, cyber threat research, Critical Start
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.