Your Critical Infrastructure Is at Risk – Act Now

Summary
– Cyber attackers often succeed by targeting outdated systems, with a Cisco report showing unsupported technology creates repeated vulnerabilities in national infrastructure.
– Nearly half of global business network assets were aging or obsolete by 2020; unsupported systems receive no security fixes, which raises the risk of failure, as seen in UK government systems.
– The UK has the highest exposure to unsupported systems among major economies, while Japan’s lower score reflects stronger standards and digital resilience efforts.
– Healthcare is the most exposed sector due to critical services and outdated tech, such as French hospitals still running Windows 7 two years after support ended.
– Technical debt from legacy systems costs billions in maintenance, with downtime from cybersecurity incidents causing significant financial losses and operational delays.

The security of our most vital national infrastructure faces a constant and escalating threat, not from sophisticated new hacking techniques, but from a far more mundane source: outdated and unsupported technology. A recent analysis from Cisco reveals that aging systems within critical sectors create predictable vulnerabilities that malicious actors can and do exploit with alarming regularity. This widespread reliance on obsolete hardware and software directly undermines national resilience and public safety.
The scope of this issue is vast and difficult to overstate. As far back as 2020, nearly half of all corporate network assets globally were already considered aging or obsolete, a situation that has only deteriorated. In the United Kingdom, a 2024 review identified 228 legacy systems still in operation across government departments, with over a quarter of these carrying a high probability of either operational or security failure. When software and hardware reach their end-of-life, manufacturers cease providing essential security patches, transforming these systems into permanent weak points in an organization’s defenses.
This vulnerability is not confined to forgotten equipment running in a back room. Unsupported systems are frequently deployed at network perimeters where they are most exposed to the outside world. Cybercriminals actively seek out these unpatched entry points. Data from the European Union indicates that a staggering 60% of all breaches in 2022 and 2023 exploited vulnerabilities for which a security patch was already available but had not been applied.
To quantify the risk, the report assessed the prevalence of End-of-Life technology across five major economies. The United Kingdom emerged with the highest exposure score at 92, followed by the United States at 88, Germany at 87.8, and France at 83. Japan’s notably lower score of 65 reflects its more diverse infrastructure foundation, robust national standards, and a concerted focus on digital resilience. Conversely, the UK’s high score points to a greater concentration of unsupported systems within highly centralized critical sectors, magnifying the potential fallout from any single failure.
While frequent cyberattacks are a clear indicator of risk, structural factors are equally telling. The sheer volume of unsupported technology in use, the number of operators in essential services, and the projected impact of service outages all contribute to a nation’s vulnerability. The healthcare sector is a prime example, consistently showing the highest relative risk across all five countries studied. One finding highlighted that 60% of French hospitals were still running Windows 7 in 2022, a full two years after Microsoft ended support and security updates for that operating system.
Healthcare remains the most exposed sector in nearly every nation evaluated, a status driven by its life-or-death services, deeply interconnected systems, lengthy equipment refresh cycles, and the highly sensitive data it handles. In both the US and the UK, healthcare received the highest possible risk score.
Water and energy utilities also confront persistent threats. Multiple governments have issued warnings about state-sponsored groups probing these networks to establish long-term access. The report references a February 2024 advisory that detailed widespread infiltration attempts by the group known as Volt Typhoon, which targeted American water, energy, transportation, and communications infrastructure.
While the manufacturing and finance sectors appear somewhat more stable, they are by no means immune to significant risk. Many operators depend on similar technology stacks, and shared components can allow a single unpatched vulnerability to cascade into a sector-wide incident, especially when updates are delayed or unsupported systems remain active.
The financial burden of this “technical debt” has become a national concern. The US federal government allocated $100 billion to IT and cybersecurity in 2023, with estimates suggesting a staggering $80 billion of that was consumed by the operation and maintenance of existing systems, including legacy environments. In the UK, nearly half of the government’s planned 2019 IT budget was earmarked for the same purpose, leaving scant resources for meaningful modernization efforts.
Jeff Campbell, SVP and Chief Government Strategy Officer at Cisco, explained, “The initial point of entry for attackers launching debilitating cyberattacks often involves IT that is unpatched or too old to patch. This is known as ‘technical debt’, the shadow liability from outdated technology that cannot be patched or operated securely.”
The cost of downtime adds another layer of financial strain. For large corporations, every minute of a system outage costs approximately $9,000, with 56% of that downtime originating from cybersecurity incidents. Astonishingly, 54% of executives confessed to deliberately leaving the root causes of downtime unresolved to avoid the expense of addressing their legacy system problems.
On average, organizations now require about seven months to fully recover their operations after a major incident. Those that underinvest in resilience measures take considerably longer. A stark illustration is the 2024 ransomware attack on Synnovis, which disrupted more than 11,000 patient appointments and is projected to result in costs exceeding $39 million.
(Source: Help Net Security)





