By NHI Mgmt Group Editorial Team
Published 2025-11-18
Domain: Governance & Risk
Source: Imprivata

TL;DR: Ransomware attacks on U.S. critical infrastructure rose 9% in 2024, while the average breach cost in critical infrastructure reached $4.88 million, according to the FBI and IBM. The operational problem is not just old equipment but legacy OT that is too mission-critical to replace and too fragile to patch.


At a glance

What this is: This is an independent analysis of how legacy operational technology, limited visibility, and constrained patching make critical infrastructure harder to defend.

Why it matters: It matters because IAM, PAM, and lifecycle controls increasingly have to protect systems that cannot be refreshed on normal enterprise timelines, while still limiting blast radius across human and machine access.

By the numbers:



Context

Critical infrastructure security is increasingly an identity and access problem as much as a resilience problem. Legacy operational technology often cannot be patched quickly, cannot be replaced easily, and is frequently managed with access models that were never designed for modern threat pressure.

The result is a control gap rather than a technology gap. When defenders cannot see what is happening inside critical systems, they lose the ability to prove whether access is appropriate, whether privileged activity is expected, or whether a failure is the result of normal variance or active compromise.


Key questions

Q: How should organisations secure legacy OT that cannot be patched quickly?

A: Start by separating unpatchable systems from standard enterprise assets and treating them as a distinct risk class. Then restrict who can reach them, record privileged activity, and add compensating controls where patching is not possible. The goal is not perfect hardening. It is reducing the number of identities and sessions that can create operational impact.

Q: Why does limited visibility make critical infrastructure harder to defend?

A: Because defenders cannot verify whether behavior is normal until after the damage is done. In OT, missing telemetry prevents early detection, obscures accountability, and makes it hard to distinguish failure from compromise. That is why visibility is not just a monitoring issue. It is a governance issue for privileged access and operational trust.

Q: What breaks when privileged access is treated as a routine IT control in critical industries?

A: The control fails because critical systems do not tolerate broad, persistent, or loosely monitored administrative access. Routine IT assumptions, such as easy patching, frequent reconfiguration, and rapid rebuilds, do not apply. In these environments, privileged access has to be narrower, more observable, and tied to operational necessity rather than convenience.

Q: Which frameworks best fit legacy infrastructure access governance?

A: NIST Cybersecurity Framework 2.0 and Zero Trust Architecture are the best starting points because they anchor access, monitoring, and recovery around resilience rather than perimeter trust. For identity-heavy controls, PAM governance and least privilege principles should be mapped to the systems that cannot be modernized quickly.


Technical breakdown

Why legacy OT resists normal patch-and-replace security models

Legacy OT is different from standard IT infrastructure because availability is part of the security requirement. Many systems run for years without a practical patch path, and some have no safe mechanism for remediation once deployed. That means the usual enterprise model of patch, validate, and move on does not hold. In critical environments, the real constraint is operational continuity, not policy intent. Security controls therefore have to work around immovable assets, limited maintenance windows, and vendor dependencies that extend the exposure period far longer than traditional vulnerability management assumes.

Practical implication: Treat unsupported or unpatchable OT as a permanently exposed asset class and govern access accordingly.

How limited telemetry turns small OT issues into major incidents

Telemetry is the difference between a manageable anomaly and a silent failure. In legacy environments, defenders may not have full monitoring, event logging, or real-time state visibility across the systems that matter most. That leaves teams unable to separate normal process variation from malicious activity or equipment degradation. Without adequate signal, operators also struggle to establish accountability for privileged actions, especially when remote access, vendor support, and operational exceptions all overlap. In practice, missing telemetry creates both detection failure and governance failure at the same time.

Practical implication: Prioritise monitoring paths that give security and operations teams evidence before a fault becomes an outage or intrusion.

Why least privilege and privileged access management matter more in critical industries

Where OT is fragile, access becomes the main control surface. Least privilege reduces the number of identities that can touch sensitive systems, while PAM and vendor privileged access management help constrain elevated sessions, administrative exceptions, and third-party support pathways. These controls do not solve every legacy constraint, but they narrow the blast radius when segmentation, patching, or hardening cannot be completed quickly. The important point is that critical infrastructure security must assume long-lived assets will remain in service, so access design has to absorb risk that the platform itself cannot easily eliminate.

Practical implication: Build PAM and VPAM around the systems that cannot be modernised first, not last.



NHI Mgmt Group analysis

Legacy OT security is fundamentally a governance problem, not just a modernization problem. The article describes systems that cannot be patched, cannot be easily replaced, and often cannot be fully observed. That combination means conventional vulnerability management reaches its limit before risk is actually reduced. Practitioners need to treat the asset lifecycle, access lifecycle, and operational lifecycle as one control plane, because critical infrastructure fails when those three are managed separately.

Identity is the practical control surface when infrastructure cannot be rebuilt. If a facility cannot rapidly modernize the platform, then the most decisive security question becomes who can reach it, under what conditions, and with what level of privilege. PAM, vendor privileged access management, and tightly governed remote access matter because they reduce the impact of systems that will remain technically exposed for years. The implication is that resilience depends less on perfect hardening and more on disciplined access containment.

Visibility debt creates resilience debt, and critical sectors pay for both at once. A system that cannot be monitored well cannot be defended well, and a system that cannot be patched well cannot absorb mistakes well. That is why the post should be read as a warning about control layering, not a call for one more tool. Critical infrastructure teams must make security decisions based on what the platform can actually sustain, not what policy assumes it should be able to sustain.

Human-centered security still matters in OT, but only when paired with access discipline. The article’s emphasis on usability is correct, because operators will bypass controls that slow essential work. But usability without least privilege simply preserves weak access paths. The field lesson is that critical infrastructure programmes need controls that operators can live with and attackers cannot easily exploit, otherwise resilience claims remain theoretical.

Operational resilience in critical industries depends on assuming legacy exposure will persist. That assumption should change how boards, CISOs, and IAM leads frame investment. The question is not whether every old system can be fixed. The question is whether the organisation has built enough access containment, monitoring, and accountability around the systems that cannot be retired on demand.

From our research:

What this signals

Identity discipline will increasingly determine resilience outcomes in critical infrastructure. As more environments combine brittle OT, remote support, and privileged exceptions, the control question shifts from network trust to who can act, when, and under what supervision. Teams that cannot prove those boundaries will struggle to demonstrate operational confidence to boards, insurers, and regulators.

Access containment is becoming the practical substitute for perfect modernization. The infrastructure cannot always be rebuilt, but identities, sessions, and privileged pathways can still be narrowed. That makes PAM, vendor access governance, and session accountability the main levers for reducing risk in systems that will remain in service for years.

Least privilege is no longer a policy aspiration in these environments; it is a measurable resilience control. Our research shows that systems with least-privileged AI access had a 17% incident rate compared with 76% for over-privileged systems, a reminder that excessive access has direct operational consequences. Critical industries should read that as a warning that access design is now part of uptime strategy.


For practitioners

  • Classify unpatchable OT as a long-lived risk tier: Create an inventory segment for systems that cannot be patched safely and assign them explicit access restrictions, monitoring requirements, and ownership. Use that tier to drive funding and exception handling instead of treating the assets as ordinary infrastructure.
  • Constrain vendor and administrator pathways: Review every remote support path, maintenance account, and administrative exception that reaches critical systems. Put privileged sessions behind approvals, recording, and time-bound access so third-party and internal support cannot become standing exposure.
  • Close visibility gaps before they become incident gaps: Prioritise telemetry for authentication events, remote access use, and privileged actions on critical assets. Where full monitoring is impossible, define compensating controls and escalation thresholds so operators know when to intervene.
  • Map least privilege to operational tolerance: Redesign access so operators have only the rights needed for the exact maintenance task, and no broader. In fragile environments, even small reductions in entitlement reduce the blast radius of a misstep or compromise.
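As an added illustration of the four items above (example code written for this page, not code from the Imprivata article or from NHI Mgmt Group), the following Python gate evaluates a privileged session request against a long-lived risk tier (approval on record, not self-approved, vendor sessions approved by the asset owner, time-bound, recorded) and lists tiered assets whose authentication and privileged-action telemetry has gone silent past an escalation threshold. The asset names and owners, the four-hour session limit, the 24-hour silence threshold and the log line format are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
UNPATCHABLE_TIER = {  # constructed inventory tier: assets that cannot be patched safely
    "plc-boiler-03": {"owner": "ops-steam"},
    "hmi-substation-12": {"owner": "ops-grid"},
}
MAX_SESSION_HOURS = 4                # assumed time-bound limit for one privileged session
SILENCE_LIMIT = timedelta(hours=24)  # assumed escalation threshold for missing telemetry

@dataclass
class SessionRequest:
    identity: str
    asset: str
    kind: str                       # "vendor" or "internal"
    approved_by: "str | None"       # None = no approval on record
    duration_hours: "float | None"  # None = standing access with no expiry
    recorded: bool

def evaluate(req: SessionRequest) -> list:
    """Policy violations for a privileged session on a tiered asset; an empty list means allowed."""
    tier = UNPATCHABLE_TIER.get(req.asset)
    if tier is None:
        return []  # ordinary asset: normal enterprise policy applies, this gate does not
    findings = []
    if req.approved_by is None:
        findings.append("no approval on record")
    elif req.approved_by == req.identity:
        findings.append("self-approved")
    elif req.kind == "vendor" and req.approved_by != tier["owner"]:
        findings.append("vendor session not approved by asset owner")
    if req.duration_hours is None:
        findings.append("standing access (no expiry)")
    elif req.duration_hours > MAX_SESSION_HOURS:
        findings.append("window exceeds time-bound limit")
    if not req.recorded:
        findings.append("session not recorded")
    return findings

def silent_assets(events: list, now_iso: str) -> list:
    """Tiered assets with no auth/privileged-action telemetry inside SILENCE_LIMIT: escalate these."""
    last_seen = {}
    for line in events:  # constructed line format: "<ISO-8601 UTC> <asset> <event> <identity>"
        ts, asset, _ = line.split(" ", 2)
        if asset in UNPATCHABLE_TIER:
            seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            last_seen[asset] = max(seen, last_seen.get(asset, seen))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return sorted(a for a in UNPATCHABLE_TIER if a not in last_seen or now - last_seen[a] > SILENCE_LIMIT)
SAMPLE_EVENTS = ["2025-11-18T08:00:00Z plc-boiler-03 auth_ok vendor-acme",  # constructed sample telemetry
                 "2025-11-16T09:30:00Z hmi-substation-12 priv_action operator-7"]
```

A non-empty list from evaluate() is the reason an approver or PAM broker should refuse the session; silent_assets() is the escalation list an operator reviews when the monitoring path itself may have failed.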

Key takeaways

  • Legacy OT creates a security problem that cannot be solved by patching alone because many critical systems are too fragile or too essential to replace.
  • Limited telemetry turns small faults into large incidents by obscuring privileged actions, operational anomalies, and early compromise signals.
  • Critical infrastructure teams should focus on least privilege, PAM, and visibility first when they cannot modernize the platform itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-4             | Least privilege and access governance are central to brittle OT environments.
NIST Zero Trust (SP 800-207) |                     | Remote access to legacy infrastructure should be explicitly authenticated and continuously verified.
NIST SP 800-63               |                     | Strong authentication supports controlled access to high-value operational environments.

Map critical asset access to PR.AC-4 and eliminate standing privileged paths where possible.


Key terms

  • Legacy Operational Technology: Legacy operational technology is industrial or infrastructure control equipment that was designed before modern cyber threats became routine. It is often difficult to patch, replace, or monitor, which makes identity and access controls more important than platform remediation alone.
  • Vendor Privileged Access Management: Vendor privileged access management governs third-party support sessions that can reach sensitive systems. It limits what vendors can do, when they can do it, and how the activity is recorded, which is essential when critical infrastructure cannot tolerate broad remote access.
  • Visibility Debt: Visibility debt is the accumulated risk created when an organisation cannot see enough of its critical systems to detect abnormal behavior quickly. In operational environments, that debt shows up as delayed detection, weak accountability, and poor confidence in whether access is safe.
  • Compensating Controls: Compensating controls are alternative safeguards used when a preferred security control, such as patching, cannot be applied safely. They may include tighter access restrictions, session recording, segmentation, or enhanced monitoring, but they only work if they are specific enough to reduce the actual exposure.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity governance in your organisation, it is worth exploring.

This post draws on content published by Imprivata: Experts Discuss the Challenges of Protecting Legacy Infrastructure from Increasing Cyber Threats in Critical Industries. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org