A Cisco-funded study finds aging and unpatched systems permeate critical sectors—healthcare, energy, water, manufacturing and finance—in the US, UK, France, Germany, and Japan, with high stakes shown by US federal IT spend largely covering legacy upkeep and EU breaches frequently exploiting known vulnerabilities.

The piece argues that end-of-life technology in critical infrastructure is a growing, underappreciated cyber risk that demands urgent action and policies to shift from reactive to proactive risk management.

Downtime costs are heavy, with minutes of outages causing substantial losses, and more than half of such incidents tied to cybersecurity events as some leaders resist addressing root causes to curb legacy-system costs.

A real-world example—the 2024 Synnovis attack—disrupted over 11,000 patient interactions and cost more than $39 million, illustrating how aging IT directly harms essential services.

Water and energy sectors remain targets of state-backed groups seeking long-term access, with past warnings like Volt Typhoon signaling ongoing risk to these networks.

Readers are directed to the Update Critical report, which contains data, methodologies, and detailed recommendations for governments and private sector leaders.

Cisco emphasizes its commitment to secure, resilient infrastructure and urges decommissioning insecure, outdated tech while enhancing security features as part of broader resilience efforts.

Policymakers and operators are urged to implement live asset registers, perform lifecycle assessments with clear replacement or mitigation timelines, improve incident reporting for end-of-life breaches, and reform IT funding toward flexible models to enable timely upgrades.

Contextualized within Critical Infrastructure Security and Resilience Awareness Month, the report ties obsolete technology to risks in AI/quantum-enabled infrastructure and citizen safety.

Technical debt is a major national burden, with the US spending about $100 billion on IT and cybersecurity in 2023, roughly $80 billion of which went to maintaining legacy systems, a pattern echoed in the UK.

Healthcare is the most exposed sector globally due to life-critical services, device interconnections, long refresh cycles, and sensitive data, including examples like Windows 7 usage in a significant share of French hospitals in 2022.

The report highlights the global rise of aging, unsupported technology in critical infrastructure and its implications for resilience and security.

A path to resilience emphasizes lifecycle visibility, risk-based budgeting, and clear management requirements to shift from reactive incident response to proactive risk reduction, especially for AI and quantum-era infrastructure.

Unpatched or edge-located systems remain a major vector for breaches, underscoring that patches alone are insufficient when legacy systems are not actively maintained.

The Cisco-backed study ranks risk exposure by country, with the UK leading in risk due to concentrations of unsupported systems and critical sectors, followed by the US, Germany, France, and Japan.