TL;DR: Ransomware attacks on U.S. critical infrastructure rose 9% in 2024, while the average breach cost in critical infrastructure reached $4.88 million, according to the FBI and IBM. The operational problem is not just old equipment but legacy OT that is too mission-critical to replace and too fragile to patch.
NHIMG editorial — based on content published by Imprivata: Experts Discuss the Challenges of Protecting Legacy Infrastructure from Increasing Cyber Threats in Critical Industries
By the numbers:
- Ransomware attacks on U.S. critical infrastructure rose 9% in 2024.
Questions worth separating out
Q: How should organisations secure legacy OT that cannot be patched quickly?
A: Start by separating unpatchable systems from standard enterprise assets and treating them as a distinct risk class.
Q: Why does limited visibility make critical infrastructure harder to defend?
A: Because defenders cannot verify whether behavior is normal until after the damage is done.
Q: What breaks when privileged access is treated as a routine IT control in critical industries?
A: The control fails because critical systems do not tolerate broad, persistent, or loosely monitored administrative access.
Practitioner guidance
- Classify unpatchable OT as a long-lived risk tier Create an inventory segment for systems that cannot be patched safely and assign them explicit access restrictions, monitoring requirements, and ownership.
- Constrain vendor and administrator pathways Review every remote support path, maintenance account, and administrative exception that reaches critical systems.
- Close visibility gaps before they become incident gaps Prioritise telemetry for authentication events, remote access use, and privileged actions on critical assets.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- The article expands on how legacy OT constraints affect security design in healthcare, manufacturing, utilities, and energy.
- It includes the specific expert comments from Shaun Marion and Joel Burleson-Davis that frame the monitoring and resilience problem.
- It discusses how AI-driven modernization, zero trust network access, passwordless authentication, PAM, and VPAM are positioned for critical environments.
- It gives the source context for the ransomware and breach-cost figures that shape the risk discussion.
👉 Read Imprivata's analysis of legacy infrastructure security in critical industries →
Legacy OT and critical infrastructure risk: what IAM teams need to know?
Explore further
Legacy OT security is fundamentally a governance problem, not just a modernization problem. The article describes systems that cannot be patched, cannot be easily replaced, and often cannot be fully observed. That combination means conventional vulnerability management reaches its limit before risk is actually reduced. Practitioners need to treat the asset lifecycle, access lifecycle, and operational lifecycle as one control plane, because critical infrastructure fails when those three are managed separately.
A few things that frame the scale:
- Systems with least-privileged AI access had a 17% incident rate vs 76% for over-privileged systems, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Which frameworks best fit legacy infrastructure access governance?
A: NIST Cybersecurity Framework 2.0 and Zero Trust Architecture are the best starting points because they anchor access, monitoring, and recovery around resilience rather than perimeter trust. For identity-heavy controls, PAM governance and least privilege principles should be mapped to the systems that cannot be modernized quickly.
👉 Read our full editorial: Legacy infrastructure security gaps are widening in critical industries