
Legacy OT and critical infrastructure risk: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Ransomware attacks on U.S. critical infrastructure rose 9% in 2024, while the average breach cost in critical infrastructure reached $4.88 million, according to the FBI and IBM. The operational problem is not just old equipment but legacy OT that is too mission-critical to replace and too fragile to patch.

NHIMG editorial — based on content published by Imprivata: Experts Discuss the Challenges of Protecting Legacy Infrastructure from Increasing Cyber Threats in Critical Industries

By the numbers:

  • Ransomware attacks on U.S. critical infrastructure rose 9% in 2024.

Questions worth separating out

Q: How should organisations secure legacy OT that cannot be patched quickly?

A: Start by separating unpatchable systems from standard enterprise assets and treating them as a distinct risk class.

Q: Why does limited visibility make critical infrastructure harder to defend?

A: Because defenders cannot verify whether behavior is normal until after the damage is done.

Q: What breaks when privileged access is treated as a routine IT control in critical industries?

A: The control fails because critical systems do not tolerate broad, persistent, or loosely monitored administrative access.

Practitioner guidance

  • Classify unpatchable OT as a long-lived risk tier. Create an inventory segment for systems that cannot be patched safely and assign them explicit access restrictions, monitoring requirements, and ownership.
  • Constrain vendor and administrator pathways. Review every remote support path, maintenance account, and administrative exception that reaches critical systems.
  • Close visibility gaps before they become incident gaps. Prioritise telemetry for authentication events, remote access use, and privileged actions on critical assets.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • The article expands on how legacy OT constraints affect security design in healthcare, manufacturing, utilities, and energy.
  • It includes the specific expert comments from Shaun Marion and Joel Burleson-Davis that frame the monitoring and resilience problem.
  • It discusses how AI-driven modernization, zero trust network access, passwordless authentication, PAM, and VPAM are positioned for critical environments.
  • It gives the source context for the ransomware and breach-cost figures that shape the risk discussion.

👉 Read Imprivata's analysis of legacy infrastructure security in critical industries →
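
An added example, not part of the original post or Imprivata's article: a small Python audit that applies the three practitioner-guidance points (risk tier and ownership, vendor and administrator pathways, telemetry gaps) to an asset inventory. The field names, the `unpatchable-ot` tier label, the 90-day review window and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Event types the post says to prioritise; the review window is an assumption.
REQUIRED_TELEMETRY = {"authentication", "remote_access", "privileged_action"}
REVIEW_MAX_AGE_DAYS = 90

@dataclass
class Asset:
    name: str
    patchable: bool
    tier: str                 # "unpatchable-ot" is an assumed tier label
    owner: Optional[str]
    telemetry: set            # event types actually collected for this asset

@dataclass
class AccessPath:
    account: str
    asset: str
    kind: str                 # "vendor" or "admin"
    standing: bool            # True = always-on rather than per-session access
    days_since_review: int

def audit(assets, paths):
    """Return (asset, issue) pairs for unpatchable assets and the paths reaching them."""
    findings, unpatchable = [], set()
    for a in (x for x in assets if not x.patchable):
        unpatchable.add(a.name)
        if a.tier != "unpatchable-ot":
            findings.append((a.name, "not in unpatchable tier"))
        if not a.owner:
            findings.append((a.name, "no owner assigned"))
        for missing in sorted(REQUIRED_TELEMETRY - a.telemetry):
            findings.append((a.name, f"no {missing} telemetry"))
    for p in (x for x in paths if x.asset in unpatchable):
        if p.standing:
            findings.append((p.asset, f"standing {p.kind} access: {p.account}"))
        if p.days_since_review > REVIEW_MAX_AGE_DAYS:
            findings.append((p.asset, f"{p.kind} path unreviewed: {p.account}"))
    return findings

# Constructed sample inventory and access paths (not real systems).
ASSETS = [Asset("hmi-01", False, "standard", None, {"authentication"}),
          Asset("plc-07", False, "unpatchable-ot", "ot-ops", set(REQUIRED_TELEMETRY)),
          Asset("file-srv", True, "standard", "it-ops", {"authentication"})]
PATHS = [AccessPath("vendor-support", "plc-07", "vendor", True, 30),
         AccessPath("maint-admin", "hmi-01", "admin", False, 200),
         AccessPath("helpdesk", "file-srv", "admin", True, 400)]

if __name__ == "__main__":
    print("\n".join(f"{a}: {i}" for a, i in audit(ASSETS, PATHS)))
```

Patchable assets such as `file-srv` are deliberately left out of the findings, which keeps the unpatchable tier a distinct review queue rather than part of the general enterprise backlog.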
