Legacy operational technology is no longer a quiet liability tucked away on the factory floor; it has become one of manufacturing’s most persistent cybersecurity blind spots. As ESET frames it, the problem is not that old machines are inherently broken, but that decades-old OT increasingly sits inside modern, connected environments where remote access, IT/OT convergence, and always-on data flows expose systems that were never designed for this kind of scrutiny. NIST and ISA’s current guidance makes the same basic point from different angles: OT must be protected in ways that respect availability, safety, and long life cycles, not by treating it like ordinary office IT. (www.nist.gov/publications/guide-operational-technology-ot-security)
Background
Manufacturing has always prized stability, repeatability, and long asset lifetimes. That made perfect sense when programmable logic controllers, human-machine interfaces, and supervisory control systems were isolated from corporate networks and updated only during carefully scheduled outages. But the modern plant is very different: executives want remote monitoring, plant managers want richer analytics, and subcontractors want secure access from anywhere, which means OT now lives inside the same digital ecosystem that attackers already knist.gov](Guide to Operational Technology (OT) Security))
That convergence is where the risk compounds. ESET’s manufacturing guidance explicitly says legacy OT was not built for connectivity, even as Industry 4.0 demands it, and its white paper argues that traditional air gaps are no longer enough because attackers exploit legacy systems, USB media, and remote access pathways. NIST’s OT security guide similarly notes that OT includes PLCs, SCADA, and DCS environments with unique performance and safety constraints, while ISA’s 62443 family exists precisely because automation systems need a dilse software. (nist.gov)
The timing matters too. A lot of the installed base was born in an era when cyber threats were a nuisance at best and a national-security issue at worst. Today, the threat landscape includes ransomware crews, disruptive wipers, and state-linked operators who understand that a few compromised systems can halt production, trigger contractual penalties, and damage customer trust faster than any line stoppage ever could. NIST explicitly warns that a breach in OT can interrupt production and impact product quality, while ESET points to the financial and compliance pnufacturers highly sensitive to downtime. (nist.gov)
What makes this especially hard is that replacement is rarely practical. Many plants depend on long-lived equipment with certified configurations, vendor-specific firmware, and operational dependencies that cannot simply be swapped out like office laptops. That is why the real debate in 2026 is no longer whether legacy O keep it safe long enough to modernize on their own terms.
Why Legacy OT Is So Hard to Replace
Manufacturing systems are built around continuity. A production line that has run for 20 years represents not just hardware investment, but process knowledge, compliance validation, and supply-chain predictability. Replacing that stack can mean months of engineering work, requalification, and downtime risk, which is why many companies choose il a major modernization window opens.
That hesitation is rational, but it also creates a security time bomb. Once an environment contains unsupported operating systems, obsolete controllers, or vendor-locked components, patching becomes less a routine task and more a negotiation with physics, certification rules, and production calendars. ISA’s 62443 series even includes a dedicated part on patch management in the IACS environment, which is a reminder that industrial patching is a discipl simple IT chore.
The paradox is that the systems least able to absorb change are also the systems most punished by compromise. A ransomware event on the OT side can stop shipping, stop billing, and stop quality control in one move. ESET’s manufacturing page highlights how industrial breaches can bring severe business disruption, while NIST stresses that OT security must be designed around reliability and safety as much asnist.gov](Guide to Operational Technology (OT) Security))
The lifecycle trap
The most dangerous words in industrial cybersecurity may still be “we’ll patch it next shutdown.” That phrase can stretch from a few weeks to a few quarters, and in legacy environments it may mean never. When the update path depends on a discontinued vendor, a certified image, or a brittle operating system, deferred remediation becomes accepted exposure.
- Unsupported OS versions create long-tail risk.
- Firmware updates may be rare or impossible.
- Certification cycles can block rapid changes.
- Production windows may be too short for testing.
- Legacy vendors may no longer exist to support fixes.
How IT Convenience Becomes OT Exposure
One of the biggest mistakes in manufacturing security is assuming that a connectivity upgrade is just a productivity improvement. In reality, every new remote-access tool, RDP deployment, VPN tunnel, or shared identity bridge introduces an additional attack path. ESET explicitly calls out the role of remote access pathways in modern OT compromise, and its article notes that air-gapped assurantee safety.
RDP is a good example because it solves a real operational problem and a real security problem at the same time. Administrators want to manage machines without traveling to the plant, but once remote administration becomes normal, attackers inherit the same path if credentials, segmentation, or MFA are weak. The lesson is not that remote access is bad; it is that remote access must be treated as a high-value control plane, not a convensame dynamic appears with SMB, shared file resources, and engineering workstations that bridge business and industrial networks. Attackers often do not need a direct exploit against the PLC itself; they just need a weak endpoint, a poorly protected jump box, or a careless user who opens a malicious document. CISA and FBI guidance in the uploaded material repeatedly emphasizes segmentation, MFA, application allowlisting, and offline backups because attackers will always look for the easier pivot.
s case for remote visibility is strong, but it comes with hidden costs. Once a factory depends on digital access for normal operations, the plant becomes vulnerable to identity theft, session hijacking, and lateral movement from the IT environment. That is why modern OT security must assume that the office network and the plant network are intertwined even when architecture diagrams pretend otherwise.
- Remote access expands the blast radius of a compromise.
- Shared credentials make lateral movement easier.
- RDP and similar tools often become high-value targets.
- Third-party maintenance access is especially risky.
- Visibility tools can become control-plane dependencies.
Why Air Gaps Fail in the Real World
Air gaps were once a comforting story: if the network is physically isolated, attackers cannot reach it. But as ESET’s white paper notes, those barriers are increasingly undermined by USB devices, hybrid workflows, and the operational need for remote support. In practice, many “isolated” plants are only one maintenance laptop, one media transfer, or one contractor connection away from exposure.
That isrsation has shifted from isolation to segmentation. NIST and CISA-aligned guidance favors demilitarized zones, logical zoning, traffic filtering, and strict control of industrial protocols that cross trust boundaries. The point is not to pretend connectivity can be eliminated; it is to make movement expensive, observable, and limited. (nist.gov)
The broader lesson is that security assumptions age poorly. A plant built around obscurity in the 1990s may still run perfectly in 2026, but the surrounding ecosystem has changed: threat actors have better tooling, defenders have more telemetry, and the number of possible ingress paths has grown dramatically. That mismatch is why older OT frequently becomes the weak point in a modernized entost successful OT intrusions are not cinematic hacks. They are chains of ordinary weaknesses stitched together with patience. A phishing email leads to stolen credentials, which lead to a remote session, which leads to a jump host, which leads to an engineering workstation, which finally reaches the control network.
- Initial access often starts in IT.
- Identity and remote access are common choke points.
- Engineering workstations can bridge otherwise separate zones.
- Legacy protocols often lack modern authentication.
- Detection improves when each stage is independently logged.
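An added example (not from the ESET article or any vendor tooling) of the zoning and traffic-filtering idea in this section: it checks flow records against an allowlist of conduits between zones and reports every flow that crosses a trust boundary without one. The address ranges, conduit list and sample flows are constructed assumptions; the port numbers are the registered defaults for the protocols named.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed zone map (assumption): substitute the plant's real addressing.
ZONES = {
    "it": ipaddress.ip_network("10.10.0.0/16"),   # enterprise network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),  # industrial DMZ: jump host, historian
    "ot": ipaddress.ip_network("10.30.0.0/16"),   # control network
}

# Allowlisted conduits (assumption): (source zone, destination zone, TCP port).
CONDUITS = {
    ("it", "dmz", 3389),   # administrators reach the jump host
    ("dmz", "ot", 3389),   # jump host reaches the engineering workstation
    ("ot", "dmz", 4840),   # OT pushes OPC UA data to the DMZ historian
}

INDUSTRIAL_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
                    20000: "DNP3", 44818: "EtherNet/IP"}
REMOTE_ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Finding:
    flow: Flow
    src_zone: str
    dst_zone: str
    reasons: list = field(default_factory=list)


def zone_of(addr):
    """Return the zone name for an address, or 'unknown' if it is not inventoried."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def audit(flows):
    """Report flows that cross a zone boundary without an allowlisted conduit."""
    findings = []
    for flow in flows:
        src, dst = zone_of(flow.src), zone_of(flow.dst)
        if src == dst and src != "unknown":
            continue  # traffic inside one zone is out of scope for this check
        if (src, dst, flow.dport) in CONDUITS:
            continue  # explicitly permitted conduit
        reasons = []
        if "unknown" in (src, dst):
            reasons.append("endpoint missing from the zone inventory")
        if {src, dst} == {"it", "ot"}:
            reasons.append("direct IT/OT path bypasses the DMZ")
        if flow.dport in INDUSTRIAL_PORTS:
            reasons.append(f"industrial protocol ({INDUSTRIAL_PORTS[flow.dport]}) crosses a zone boundary")
        if flow.dport in REMOTE_ADMIN_PORTS:
            reasons.append(f"remote administration ({REMOTE_ADMIN_PORTS[flow.dport]}) crosses a zone boundary")
        if not reasons:
            reasons.append("no conduit defined for this zone pair and port")
        findings.append(Finding(flow, src, dst, reasons))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.20.0.5", 3389),   # IT -> jump host, allowed
    Flow("10.20.0.5", "10.30.1.10", 3389),   # jump host -> workstation, allowed
    Flow("10.10.4.21", "10.30.1.10", 3389),  # IT straight to OT over RDP
    Flow("10.10.7.3", "10.30.2.50", 502),    # IT straight to a controller over Modbus
    Flow("10.30.1.10", "10.30.2.50", 502),   # inside the OT zone
    Flow("192.0.2.44", "10.20.0.5", 3389),   # uninventoried source to the jump host
    Flow("10.30.2.50", "10.20.0.9", 4840),   # OT -> historian, allowed
    Flow("10.20.0.5", "10.30.1.10", 445),    # SMB from DMZ into OT, not allowlisted
    Flow("10.10.4.21", "10.20.0.9", 8080),   # IT -> DMZ on an undeclared port
]

if __name__ == "__main__":
    for item in audit(SAMPLE_FLOWS):
        print(f"{item.flow.src} -> {item.flow.dst}:{item.flow.dport} "
              f"[{item.src_zone}->{item.dst_zone}] " + "; ".join(item.reasons))
```

Run on a schedule against firewall or NetFlow exports, a check like this also gives each stage of the chain described above its own log record to alert on.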
The Business Case for
is that legacy systems are not the problem; unmanaged risk is. That framing matters because it shifts the discussion from blame to governance. Manufacturers do not need a perfect future-state architecture before they can reduce exposure today, but they do need a support model that recognizes long-lived assets and limited patchability.
This is where long-term support becomes strategically important. ESET desution and Support for ordinary IT lifecycles, Long-Term Support for stable versions across 7 to 10 years, and Legacy Support for devices and operating systems that cannot be upgraded due to technical, operational, or regulatory constraints. That model is designed to reduce exposure without forcing disruptive change at the worst possible time.
The economics are straightforward. Downtime, contract penalties, and reputation loss often cosoftware itself. ESET’s own manufacturing page notes the industrial sector’s high breach costs and the prevalence of extortion campaigns against manufacturers, while NIST’s guidance underscores that OT security must align with real-world operational constraints. (nist.gov)
Why support lifecyclesuyers are not just purchasing detection software; they are purchasing continuity. If a protection stack requires frequent platform churn, a plant may avoid it or disable it. A longer support horizon reduces that friction and makes security easier to standardize across years rather than months.
- Stable versions reduce validation burden.
- Predictable support simplifies budgeting.
- Longer lifecycles fit certified environments.
- Legacy support can preserve uptime while modernization proceeds.
- Lifecycle planning reduces emergency response pressure.
What ESET PRIVATE Is Trying to Solve
ESET positions ESET PRIVATE as a lifecycle-driven security approach for OT environments that need both protection and predictability. In its own materials, ESET says the platform supports hybrid and air-gapped environments, protects sensitive manufacturing data, and enables safer IT/OT convergence. That is a direct answer to the reality that many factories cannot move to modern infrastructure all at once.
The important detail is not just endpoint malware detection. ESET says the offering includes on-ts, and services that help organizations handle environments with special reliability requirements. In OT, that matters because cloud-first assumptions, frequent version changes, and brittle update paths can all create more disruption than they solve.
There is also a managed-service angle. ESET’s manufacturing page highlights MDR, 24/7 human-led analysis, and AI-assisted monitoring. Ttractive in industrial settings where the internal security team may not have specialized OT staff on every shift, yet still must detect anomalies that could be the first sign of a breach.
Where private OT security differs
Private, on-premises OT security is not simply “enterprise security in a plant.” It needs to understand downtime windows, certification rules, and the fact that some assets cannot be patched the way office laptops can. It also has to coexist with safety engineering, maintenance teams, and process owners who care more about uptime than dashboard elegance.
- On-prem deployment avoids unnecessary cloud dependency.
- Stable support reduces change fatigue.
- Tailored policies can preserve compatibility.
- Human-led monitoring helps in low-automation environments.
- Long-cycle products fit regulated industrial operations.
Comparing ESET’s Approach With Broader OT Best Practices
On the surface, ESET’s message aligns closely with the industry’s current best practices. NIST says OT security must address snd unique system topologies, while ISA/IEC 62443 formalizes security program requirements, risk assessment, system requirements, and secure product development lifecycles. In other words, the standards world and the vendor story are pointing in the same direction. (nist.gov)
That alignment is useful because many manufacturers already have to explain security choices to auditors, insurers, and custly that can map cleanly onto a standards-based lifecycle model has an advantage in procurement conversations, especially where compliance and operational continuity are both on the line. ESET’s manufacturing materials explicitly talk about audits, regulatory standards, and IT/OT convergence in the same breath.
At the same time, standards do not deploy themselves. The plant still needs asset inventory, segmentation, change control, logging, and tested recovery procedures. A security those goals, but it cannot replace the operational discipline that OT environments have always required.
Standards, strategy, and execution
This is where many industrial programs stumble. They buy tooling before defining zones, access patterns, or recovery objectives, then discover that the tennce. The most mature programs treat security as a process that spans design, operations, and recovery.
- NIST provides the OT security framework.
- ISA/IEC 62443 gives industrial lifecycle structure.
- Vendors provide controls and services.
- Operators provide process context.
- Auditors and regulators force accountability.
Enterprise vs Consumer Thinking in Industrial Security
OT security is often discussed like a purely technical issue, but it is really a busperational consequences. For enterprises, especially manufacturers, the question is whether a plant can remain compliant, profitable, and reliable while modernizing. For consumers, by contrast, the issue is usually personal device hygiene and data privacy; in OT, the stakes are physical process continuity and contractual delivery.
That distinction matters because decision-making authority is split. Plant operations may want stability, IT wants standardization, and the board wants risk reduction without capital shock. The winnly the one that reduces exposure without creating a production crisis, which is why lifecycle-based security support resonates so strongly in manufacturing.
There is also a cultural difference. Consumer security tolerates faster patch cycles and occasional inconvenience. Industrial security often cannot. A reboot on a home PC is an annoyance; a reboot on a controller that ge can become a multimillion-dollar event.
Different buyers, different priorities
The same product message lands differently depending on who is listening. Procurement teams hear support length and deployment model. Engineers hear compatibility and uptime. Security leaders heaoterprises care about lifecycle predictability.
- Operators care about uptime and safety.
- CISOs care about loss containment.
- Regulators care about resilience and due care.
- Boards care about business continuity and brand damage.
Strengths and Opportunities
The most compelling strength in this model is that it does not ask manufacturers to choose between security and uptime. Instead, it tries to fit security into the lifecycle reality of industrial environments, which is exactly where many IT-firstes the approach practical, especially for plants that are still carrying older Windows-based systems, legacy engineering stations, and hard-to-replace control assets.
It also benefits from strong conceptual alignment with recognized frameworks. NIST and ISA/IEC 62443 both support the idea that OT requires specialized controls, structured risk management, and lifecycle discipline, so a vendor built around those realities has a credible story to tell. That alignment can make procurement, auditing, and internal justification easier. (nist.gov)
- Long-term support fits the realities of industrial lifecycles.
- On-premises deployment matches sensitive and regulated environments.
- Hybrid and air-gapped coverage helps bridge old and new architectures.
- MDR and human-led monate for staff shortages.
- Standards alignment supports audit and compliance conversations.
- Legacy support reduces pressure to rip and replace too quickly.
- Predictable support windows help budgeting and planning.
Risks and Concerns
The biggest risk is that long-term support can become a comfort blanket if organizations mistake it for a complete security strategy. Legacy protection reduces exposure, but it does not eliminate architectural weaknesses, weak identity controls, poor segmentation, or Without governance, compensating controls, and testing, even good security software can become part of a false sense of safety.
There is also an operational concern around complexity. The more a manufacturer relies on specialized support models, the more disciplined it must be about version management, asset inventory, and change control. A long-lived environment can still become fragile if teams lose track of what is deployed, where it is ore actually in place.
Finally, not every legacy problem is solvable with endpoint or managed detection controls. Some environments will continue to depend on outdated protocols, obsolete drivers, or hard-to-certify devices for years. In those cases, security leaders must accept that mitigation may be risk reduction, not full remediation, and that honest limitation is better t-s not a substitute for segmentation.
- Legacy support can mask the need for modernization.
- Version sprawl can create operational confusion.
- Poor asset visibility weakens every control downstream.
- Remote access remains a major attack path.
- Unsupported protocols still carry inherent risk.
- Compensating controls must be tested, not assumed.
Looking Ahead
The next phase of OT security will likely be defined by coexistence rather than replacement. Factories will keep running old and new systems side by side, and vendors will increasingly compete on their ability to secure mixed environments without disrupting production. That means lifecycle support, managed visibility, and on-premises resilience will remain commercially important even as OT becomes more conlre from standards and regulators. ISA/IEC 62443 continues to anchor industrial security expectations, while NIST’s OT guidance gives operators a stable reference model for safe convergence. As the threat landscape keeps intensifying, manufacturers will likely be judged less on whether they have modernized everything and more on whether they can prove they have reduced exposure responsibly. (nist.gov)
What to watch next
- More manufacturers adopting lifecycle-based OT security instead of one-size-fits-all endpoint programs.
- Greater emphasis on segmentation and zoning as air gaps prove unreliable.
- Increased demand for legacy support on unsupported Windows and industrial platforms.
- More use of MDR and human-led monitoring for plants with lean security teams.
- Tighter integration betweenence, and procurement decisions.
Manufacturing does not need a perfect, clean-slate future to become safer today. It needs security architectures that respect the age of its equipment, the fragility of its operations, and the reality that attackers only need one weak point to turn productivity into downtime. In that sense, the strongest OT strategy is not radical reinvention but disciplined continuity: secure what must keep running, modernize what can be changed, and make sure neither old systemathe threat landscape alone.
Source: ESET How to take legacy operational technology (OT) risks in manufacturing head-on