America’s critical infrastructure still runs on controllers old enough to buy on eBay

March 21, 2026 · 2 min read · 2 sources

Much of the day-to-day cybersecurity work protecting U.S. critical infrastructure still centers on aging industrial controllers, not just cloud apps and corporate endpoints. Dark Reading reports that operators are scrambling to secure 20- to 30-year-old programmable logic controllers and other OT hardware, with some replacement parts now sourced through eBay and surplus channels because vendors no longer make them and original developers are long gone.

The problem is widespread across water, energy, manufacturing, transportation, and municipal systems. These devices were built for reliability and uptime, not modern authentication, encryption, or routine patching. Many remain tied to proprietary software, undocumented logic, and unsupported firmware. In practice, that leaves defenders trying to wrap security controls around equipment that cannot be easily upgraded or replaced without risking downtime or safety issues.

CISA and NIST have warned for years that legacy industrial control systems need compensating controls rather than IT-style patch cycles. Their guidance stresses asset inventory, network segmentation, least-privilege access, and tighter monitoring of engineering workstations and remote connections. Those basics matter because many OT incidents do not require a novel exploit; attackers often get in through exposed remote services, stolen credentials, misconfigured VPN access, or poorly separated IT and OT networks.

The use of secondhand hardware adds another layer of risk. Buying obsolete controllers from online marketplaces may keep a plant running, but it can also introduce counterfeit parts, tampered firmware, or devices with no trustworthy chain of custody. Even when the hardware is legitimate, one unsupported controller can hold back the security posture of an entire facility.
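The compensating controls named above (asset inventory, segmentation, monitoring of engineering-workstation and remote connections) and the secondhand-hardware concern (firmware with no trustworthy chain of custody) can both be turned into routine checks. The script below is an added example, not code from the article or from CISA or NIST: it audits a constructed asset inventory and a handful of constructed firewall flow-log lines. Every device name, zone, port, hash, date and log line in it is a constructed placeholder, and the "engineering ports" set is an assumption for the example rather than a vendor reference.

```python
"""Compensating-control audit for a legacy OT asset inventory (added example).

Three checks a defender would run on a schedule:
  1. OT controllers past vendor support with no recorded compensating control.
  2. Firewall flows in which a non-OT or unknown host reached a controller's
     engineering/programming port (a segmentation or inventory gap).
  3. Secondhand controllers whose on-device firmware hash does not match the
     hash recorded at acceptance, or for which no known-good hash exists.
All inventory entries, hashes, ports and log lines are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                                 # "ot" or "it"
    support_end: Optional[date]               # vendor end-of-support; None = not applicable
    firmware_sha256: Optional[str] = None     # hash read off the device (constructed)
    known_good_sha256: Optional[str] = None   # hash recorded at acceptance test (constructed)
    provenance: str = "vendor"                # "vendor" or "secondhand"
    compensating_controls: Tuple[str, ...] = ()


# Constructed inventory: names, dates and hashes are placeholders.
INVENTORY: List[Asset] = [
    Asset("plc-water-01", "ot", date(2008, 12, 31), "c0ffee01", "c0ffee01",
          provenance="secondhand",
          compensating_controls=("isolated OT VLAN", "jump host with MFA")),
    Asset("plc-boiler-02", "ot", date(2012, 6, 30), "deadbeef", "c0ffee02",
          provenance="secondhand"),
    Asset("plc-line-03", "ot", date(2031, 1, 1), "c0ffee03", "c0ffee03"),
    Asset("plc-pump-04", "ot", date(2010, 1, 1), "c0ffee04", None,
          provenance="secondhand", compensating_controls=("read-only HMI",)),
    Asset("eng-ws-01", "ot", None),
    Asset("corp-laptop-17", "it", None),
]

# Assumed set of ports used to push logic to controllers (example only).
ENGINEERING_PORTS = {102, 502, 20000, 44818}

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <action>".
FLOW_LOG = """\
2026-03-20T08:01:12Z eng-ws-01 plc-water-01 502 allow
2026-03-20T08:02:40Z corp-laptop-17 plc-boiler-02 44818 allow
2026-03-20T08:03:05Z corp-laptop-17 plc-boiler-02 44818 deny
2026-03-20T08:05:51Z corp-laptop-17 fileserver-01 445 allow
2026-03-20T08:07:00Z 10.9.4.23 plc-water-01 502 allow
"""


def by_name(inventory: List[Asset]) -> Dict[str, Asset]:
    return {a.name: a for a in inventory}


def unsupported_without_controls(inventory: List[Asset], today: date) -> List[Asset]:
    """Check 1: out-of-support OT assets that have no compensating control on record."""
    return [a for a in inventory
            if a.zone == "ot" and a.support_end is not None
            and a.support_end < today and not a.compensating_controls]


def firmware_findings(inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Check 3: firmware hash mismatches and secondhand units with no known-good hash."""
    findings = []
    for a in inventory:
        if a.firmware_sha256 and a.known_good_sha256 and a.firmware_sha256 != a.known_good_sha256:
            findings.append((a.name, "firmware hash differs from recorded known-good hash"))
        elif a.provenance == "secondhand" and a.known_good_sha256 is None:
            findings.append((a.name, "secondhand unit with no known-good firmware hash on record"))
    return findings


def segmentation_violations(flow_log: str, inventory: List[Asset]) -> List[Tuple[str, str, int, str]]:
    """Check 2: allowed flows from non-OT or unknown hosts to OT engineering ports."""
    assets = by_name(inventory)
    findings = []
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port_s, action = line.split()
        port = int(port_s)
        if action != "allow" or port not in ENGINEERING_PORTS:
            continue                      # denied or non-engineering traffic is not a finding here
        dst_asset = assets.get(dst)
        if dst_asset is None or dst_asset.zone != "ot":
            continue                      # only controller-bound traffic is in scope
        src_asset = assets.get(src)
        if src_asset is None:
            findings.append((src, dst, port, "source host not in asset inventory"))
        elif src_asset.zone != "ot":
            findings.append((src, dst, port, f"{src_asset.zone} zone reached OT engineering port"))
    return findings


def audit(inventory: List[Asset], flow_log: str, today: date) -> Dict[str, list]:
    return {
        "unsupported_without_controls": [a.name for a in unsupported_without_controls(inventory, today)],
        "segmentation_violations": segmentation_violations(flow_log, inventory),
        "firmware_findings": firmware_findings(inventory),
    }


if __name__ == "__main__":
    for check, items in audit(INVENTORY, FLOW_LOG, date(2026, 3, 21)).items():
        print(check)
        for item in items:
            print("  ", item)
```

The deny line is deliberately ignored: the point of check 2 is to surface IT-to-OT paths the firewall actually permitted, which is what segmentation is supposed to prevent. An unlisted source address reaching a controller is reported as its own finding because it is an inventory gap, not just a network one.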

The larger issue is economic as much as technical. Replacing old OT gear can take years, require recertification, and demand shutdown windows many operators cannot afford. That means the cybersecurity front line for many essential services is still a maintenance struggle: preserving brittle systems, documenting code no one fully understands, and trying to prevent a modern intrusion from reaching equipment built in another era.

For defenders, the takeaway is blunt: legacy OT is not a niche problem. It is a persistent exposure embedded in the systems that keep water flowing, power moving, and factories running.
