The Machines That Run the World Are Running Decades-Old Software

Industrial control systems keep factories, water plants, and power grids alive. They also run code written before Wi-Fi existed. Fixing that is harder than it sounds.

ThreatVectr Newsdesk· 3 min read
Aerial view of a large industrial fuel storage facility at dusk, rows of cylindrical metal tanks reflecting low amber light, pressure gauges and pipe networks v
Share

Key points

  • Operational technology (OT) systems, meaning the computers that physically control industrial machinery, commonly run software that is ten to thirty years old.
  • Patching or updating these systems often requires shutting down the very infrastructure they control, making fixes genuinely dangerous to apply.
  • A flaw disclosed in an OT product can sit unpatched for months or years because no safe maintenance window exists.
  • Security researchers, vendors, and plant operators frequently disagree on when and how to publish details of a vulnerability, leaving everyone exposed in different ways.

Picture the computer that controls the valves at your local water treatment plant. It probably runs the same software it shipped with in the early 2000s. Nobody has updated it because updating it means turning off the water.

That is the core problem with OT security, where OT stands for "operational technology," meaning the computing systems that physically move things: turbines, pumps, conveyor belts, railway signals. Unlike the laptop you can reboot in thirty seconds, an OT system is stitched directly into a physical process. Stopping it to install a security patch can mean stopping production, cutting power, or worse.

SecurityWeek has been covering the growing tension around how these vulnerabilities should be handled, and the short answer is: nobody has fully figured it out yet.

Why is patching an industrial computer so difficult?

It is difficult because the patch and the danger arrive together. A software update that would close a security hole in a factory control system might require the machine to restart. Restarting a blast furnace controller or a hospital's building management system is not like rebooting your phone. It can take hours, require specialist engineers on site, and carry real physical risk if anything goes wrong during the process.

So plants delay. Sometimes by months. Sometimes by years. During that window, a known, publicly documented flaw sits open and reachable.

That creates an awkward standoff over vulnerability disclosure, which is the practice of telling the public that a security flaw exists. Tell too much, too soon, and criminals get a roadmap to attack a water plant before operators can do anything about it. Tell too little, too late, and operators do not even know they are at risk.

Neither option is comfortable.

Legacy hardware makes it worse. Many OT devices run software their original makers no longer support, meaning no patch will ever come. Operators are left choosing between running an exposed system indefinitely or ripping out equipment that might be holding up a production line worth millions.

For ordinary people, the stakes are concrete: a compromised power grid means no electricity; a hijacked water system means contaminated tap water. These are not abstract worst cases. Both have happened, in real incidents, in recent years.

If you work in facilities management, manufacturing, or utilities, the practical step right now is knowing which of your control systems last received a security update, and flagging the oldest ones to whoever manages your IT and engineering teams. That conversation is overdue at most organisations.

© 2026 Threat Vectr