In the rush to embrace digital transformation, legacy Operational Technology (OT) and the Industrial Internet of Things (IIOT) have become many companies’ Achilles’ heel. With these legacy OT systems now connected to IT systems they were never designed to interact with, they are exposed to a broader range of attack surfaces and an increased risk of cyberattacks.
For critical sectors like energy, utilities, manufacturing, healthcare, and transportation, breaches could result in service outages, reputational damage, regulatory penalties, or, worse, impact to or loss of life.
With new regulations like NIS2 (which came into effect for firms operating in the EU in October 2024), this is a critical time to re-evaluate your approach to cybersecurity.[i] In fact, a survey by Cisco found that 89% of all organisations label OT security as either very or extremely important to their overall security posture.[ii]
So, how can organisations secure these outdated OT/IIOT systems while embracing the upsides of digitalisation?
Vulnerability of legacy OT systems
The expanding attack surface brought about by digitalisation has become a critical challenge for organisations that depend on OT systems. This applies to systems ranging from SCADA (Supervisory Control and Data Acquisition) and Distributed Control Systems (DCS) to Programmable Logic Controllers (PLCs).
The challenge? Many OT environments were designed in an era when air-gapped systems (isolated from the internet) were the primary form of defence. Now, as companies connect OT to IT networks to enable remote monitoring, predictive maintenance, and automation, these previously isolated systems are exposed to modern cyber threats, unearthing vulnerabilities historically unseen.
Legacy SCADA systems from the 1990s, for instance, were not designed to withstand remote code execution attacks through vulnerable interfaces, or to manage the risks associated with third-party software supply chains. When connected to a corporate IT network without proper segmentation and effective security controls, these vulnerabilities can provide attackers with direct access to critical infrastructure.
Attacks on critical infrastructure
Consider healthcare as an example. Many systems, including medical device networks, building management systems (BMS), and industrial control systems (ICS), have weak or non-existent security controls. If a malicious actor were able to access a connected infusion pump and adjust dosage settings, or a BMS to disable power or ventilation, they might be able to harm patients or disrupt critical care services. This poses a threat to health and safety — even a threat to life. In some industries, this downstream effect takes OT security from being a purely operational IT problem to a high-level strategic board issue.
This is already happening at scale in countries like Ukraine. In 2024, analysts uncovered malware used to target ICSs in a heating utility in Lviv, Ukraine. The attackers exploited the Modbus protocol to disable service to 600 buildings for around 48 hours.[iii] These aren’t hypothetical risks; attackers are already testing and refining their methods. The question is whether your organisation presents a more attractive target than your competitors when attackers come looking.
The gap between perceived and actual security effectiveness
Many organisations overestimate their cybersecurity readiness. They assume that compliance with standards like ISO certifications or box-ticking regulatory audits means they’re safe. But such certifications do not guarantee that systems can withstand real-world attacks.
In the cybersecurity industry, threats evolve and new vulnerabilities are exposed daily. If you only have an audit once a year, your SOPs are likely outdated. Regularly reviewing and testing ‘what-if’ scenarios keeps your playbooks and SOPs up to date, and ensures your teams’ crisis responses become muscle memory.
But even the most well-rehearsed response plans won’t be effective if you’re blind to the risks your organisation is facing. At the lowest level, security boils down to two fundamental considerations: visibility, and understanding of the environmental context and the risks being managed. The reality is that many organisations lack effective enterprise understanding of both.
Many legacy devices have weak access controls and communicate using unencrypted—or weakly encrypted—protocols, often without any active monitoring of who is accessing them and when. In response, a range of next-generation regulations like NIS2 are emerging to directly tackle these blind spots, aiming to enforce stricter controls by default and eliminate the guesswork in securing critical systems.
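As an added illustration of the monitoring gap described above, and of the unauthenticated Modbus traffic involved in the Lviv incident, the following Python example (written for this page, not NTT DATA's tooling) parses Modbus/TCP request frames and flags write operations from any host that is not on an allow-list; the client addresses, the allow-list and the sample frames are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Modbus function codes that change controller state. Modbus/TCP carries no
# authentication, so a passive sensor can only judge a write by who sent it.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    seen_at: str        # capture timestamp (constructed)
    src: str            # IP address of the Modbus client (constructed)
    unit_id: int
    function_code: int
    payload: bytes

def parse_modbus_tcp(seen_at: str, src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    _tid, proto_id, length, unit_id, fcode = struct.unpack(">HHHBB", frame[:8])
    if proto_id != 0:
        raise ValueError("protocol id %d is not Modbus" % proto_id)
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(seen_at, src, unit_id, fcode, frame[8:])

def audit_writes(requests: List[ModbusRequest], allowed_writers: Dict[str, str]) -> List[str]:
    """Return one alert per write request from a host not approved to write."""
    alerts = []
    for r in requests:
        if r.function_code in WRITE_FUNCTIONS and r.src not in allowed_writers:
            alerts.append("%s %s unit %d: %s (fc %d) from unapproved host" % (
                r.seen_at, r.src, r.unit_id, WRITE_FUNCTIONS[r.function_code], r.function_code))
    return alerts

# Constructed sample traffic: (timestamp, client IP, raw Modbus/TCP frame).
SAMPLE_FRAMES = [
    # engineering HMI reads 10 holding registers (fc 3): normal traffic
    ("2024-01-15T08:00:01Z", "10.0.10.5", bytes.fromhex("00010000000601030000000a")),
    # the same HMI writes one register (fc 6): permitted by the allow-list
    ("2024-01-15T08:00:02Z", "10.0.10.5", bytes.fromhex("000200000006010600100001")),
    # unknown host on the IT side writes two registers (fc 16): should alert
    ("2024-01-15T08:00:03Z", "192.168.50.7", bytes.fromhex("00030000000b0110000000020400000000")),
]

def run_audit(allowed_writers: Optional[Dict[str, str]] = None) -> List[str]:
    allowed = allowed_writers if allowed_writers is not None else {"10.0.10.5": "engineering HMI"}
    return audit_writes([parse_modbus_tcp(*f) for f in SAMPLE_FRAMES], allowed)
```

Calling `run_audit()` returns a single alert for the write from 192.168.50.7; the same logic applied to a live capture gives the "who and when" visibility that the devices themselves cannot provide.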
The role of NIS2
The NIS2 Directive, part of the EU's cybersecurity strategy, represents a significant shift in the regulatory landscape. NIS2 builds on the framework established by its predecessor with the aim of establishing a common baseline for cybersecurity across all Critical National Infrastructure (CNI). To do so, it adds additional controls to address gaps in the current regulatory position.
While NIS2 doesn’t automatically apply to UK-based businesses, it will likely impact UK subsidiaries of EU companies and third-country suppliers that serve EU customers. The UK now has the Cyber Assessment Framework (CAF), and CNI businesses are being driven towards the application of eCAF. For UK businesses, NIS/NIS2 and CAF/eCAF are complementary, and the relationship between them will continue to mature over the coming years.
Furthermore, global regulators—including those in the UK—are likely to follow suit if the NIS2 directive proves successful in reducing incidents. It required EU Member States to transpose its measures into national law by 17 October 2024, and mandates several key elements:
- Corporate accountability: Boards must approve and oversee cybersecurity risk management measures, with management bodies now personally liable for breaches.
- Reporting obligations: Essential and important entities must have processes in place for prompt reporting of security incidents that have a significant impact on their service provision or recipients.
- Supply chain security: Companies must ensure third-party vendors meet strict cybersecurity standards.
NIS2 follows an increasing global trend of similar, higher-bar security regulations. The EU’s Digital Operational Resilience Act (DORA) applies similar principles to financial services. Meanwhile, in the UK, the Telecommunications (Security) Act 2021 enforces a range of increasingly stringent security standards across the UK telco industry, and we are already seeing non-UK telco businesses considering aligning with it.
Governments and regulators have found that, without increasingly heavy regulation, organisations and businesses have not been acting effectively on ever-growing cyber threats and their impact. Many executives have explained to us that, “we haven’t had a major breach yet.” This type of mindset needs to change; otherwise there is likely to be an increasing push for more rigorous regulations to protect businesses and to limit downstream harm to national GDP.
Relevant cybersecurity frameworks for OT security
Beyond the laws and regulations, various cybersecurity frameworks are also gaining prominence, for example:
- The National Cyber Security Centre (NCSC)’s Cyber Assessment Framework (CAF), adopted by Ofgem, outlines cybersecurity requirements for the UK's electricity and gas sector.
- International standards such as ISO 27001 and IEC 62443 provide best practices for securing industrial control systems (ICS) and ensuring cybersecurity throughout the device lifecycle: from development to deployment.
- The NIST Cybersecurity Framework (CSF) is a widely recognised, risk-based approach to managing cybersecurity threats that can be applied across all industries, with particular relevance for critical infrastructure sectors.
According to these regulations and frameworks, reactive cybersecurity is no longer good enough. Proactive measures, supported by board-level oversight, are now a mandatory practice.
Shifting to an active OT security mindset
We can broadly categorise organisations into two groups. The first includes CNI firms, such as energy, utilities, and transportation, which are subject to strict security mandates from regulators like Ofgem due to the high risk to life.
The second group is far larger, covering industries like manufacturing, logistics, pharmaceuticals, and food production. These firms often lack OT security expertise and rely on IT teams and processes to manage their OT environments. But IT-centric incident response plans rarely account for OT’s unique challenges, from legacy systems to real-time controls, meaning they often fall short when a crisis hits.
Regardless of which group an organisation falls into, bridging the gap between perceived and actual security requires a shift in mindset. This means moving beyond passive defences to actively hunt for vulnerabilities and assume that breaches are inevitable. Key strategies include:
- Segmentation: Isolating OT systems from IT networks to limit lateral movement during an attack.
- Asset Discovery and Visibility: Identifying and mapping all devices in the OT network, including legacy systems often overlooked in inventories. Determine the number and type of assets, and evaluate which are the most important.
- Realistic Risk Assessment: Prioritising vulnerabilities based on potential impact, not just theoretical likelihood.
- Incident Response Planning: Preparing for worst-case scenarios with robust business continuity and disaster recovery plans in place. IT processes don’t easily map onto OT, so prepare for a different, more specialised approach.
Effective preparation is not about eliminating risk; it’s about minimising the damage when the inevitable happens.
A holistic approach to securing legacy systems
NTT DATA helps organisations navigate these challenges by combining our deep domain expertise across IT, OT, and cybersecurity. Our holistic approach focuses on:
- Executive Security Leadership and Education: From delivering virtual CSO and CISO services and providing training and coaching for boards and executives, to helping executives shape and form their security strategies, NTT DATA can offer a wealth of experience for our clients to leverage.
- Visibility and Risk Assessment: We provide end-to-end visibility into OT environments through comprehensive security assessments and vulnerability management. This includes identifying gaps in access controls, communication protocols, and legacy systems, which are often overlooked in traditional IT processes.
- Regulatory Compliance and Standards Alignment: We ensure your OT environments are aligned with global standards like ISO 27001, IEC 62443, and the NIST Cybersecurity Framework (CSF). Our gap analysis services highlight where your controls need improvement to meet regulatory requirements like NIS2.
- Proactive Defence and Incident Response: Our Breach and Attack Simulation (BAS) and ICS/OT penetration testing services validate your defences, uncover vulnerabilities, and improve your ability to detect and respond to evolving threats before they can disrupt operations.
- Architecture and Risk Management: We help organisations secure their OT architecture by evaluating system integration between IT and OT, identifying weak points in design, and providing actionable recommendations to strengthen resilience.
A major challenge for many organisations is accessing specialists in niche areas such as industrial cybersecurity or cloud security. With our experience and broad range of skills, we help clients ensure their security strategies are both thorough and adaptable to evolving risks.
To learn more about securing your OT systems and improving resilience to evolving threats, schedule a 45-minute consultation with NTT DATA’s cybersecurity experts.