‘Stranger Things’ emerge when OT security is stuck in the past

While 1980s nostalgia is all the rage with the return of 'Stranger Things,' clinging to legacy technology in operational environments brings real risks—not just retro charm.
Stranger Things 5 will premiere on Netflix with the first four episodes on November 26th, followed by three episodes on Christmas, and the finale episode on New Year's Eve. (Photo by Beata Zawrzel/NurPhoto via Getty Images)

The final season of “Stranger Things” is upon us, and 1980s nostalgia is at an all-time high. The clunky control panels at Hawkins Lab help set the stage for the show. The unfortunate reality is that similar legacy systems still exist in operational technology (OT) environments today. Just as Hawkins Lab spawned a monstrous compendium from the “Upside Down,” a variety of threats have burst forth from vulnerable devices.

Nation-state threats, such as Volt Typhoon, have established persistent access across critical infrastructure, including telecommunications providers. Most of these threats exploit common vulnerabilities and exposures (CVEs) in networking devices; no zero-day exploits are required.

Nostalgia for “the good old days” ignores how much progress has been made since then. From the Purdue Enterprise Reference Architecture (PERA) model of the 1990s to more timely guidance from the Cybersecurity and Infrastructure Security Agency (CISA), organizations have a script they can follow for critical infrastructure protection. Hopefully, this story has a happy ending.

All it takes is one open port

The Department of Defense (DoD) has increasingly been focused on bringing OT security up to par with IT security, noting the challenges legacy systems create with vulnerabilities, data integration and standards.

The challenge in securing critical infrastructure is multifaceted. Critical infrastructure environments tend to be complex and dispersed, including IT and OT networks across multiple physical locations. Digital transformation initiatives, such as industrial IoT and cloud computing, are often at odds with legacy systems, which were never intended to be connected to the internet or able to support modern cybersecurity controls.

One of the biggest reasons that organizations struggle with the cybersecurity of legacy systems is that OT environments tend to prioritize productivity. Even when patches are available for industrial systems, the patch management process is meticulous and methodical to ensure production is not interrupted.

However, many industrial control systems (ICS), SCADA systems and programmable logic controllers (PLCs) have been around for decades. These are systems that were expensive investments and cannot be easily replaced. Patches for many of these systems are no longer available. For example, even as IT environments are focused on Windows 10 migration today, there are still OT environments running Windows XP, which has not been patched in more than a decade.

Many legacy systems were never intended to be connected to the internet. However, digital transformation initiatives and IT/OT convergence have forced connectivity into these devices, leaving them exposed to attack. Consequently, legacy protocols like Modbus and DNP3, which lack encryption or authentication, become open avenues for lateral movement.

The empire strikes back

There are more advanced persistent threats (APTs) than there are sequels to Hollywood blockbusters. Just like most sequels, many of these threats return bigger and badder than their predecessors. For example, two of the most notorious APTs of the past few years are Volt Typhoon and Salt Typhoon.

Both Volt Typhoon and Salt Typhoon exploit CVEs in networking appliances to gain initial access. Once these threats establish initial access, they leverage living off the land (LOTL) techniques, such as using RDP and VPN access, to evade detection and modify access control lists to establish persistence.

In the case of Volt Typhoon, CISA advises organizations to prioritize patching critical vulnerabilities known to be exploited by the threat actor group and to plan for “end of life” technology, which is the epitome of legacy systems. In the case of Salt Typhoon, CISA advises organizations to continuously monitor for indicators of compromise (IOCs), such as suspicious changes to configurations.

These threats underscore the importance of having visibility into both the state of devices, such as their vulnerabilities, as well as network traffic, such as behavioral anomalies. Furthermore, organizations should be monitoring not just for IOCs, but for early warning signs, which are indicators of attack (IOAs).
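The unauthenticated Modbus/DNP3 traffic and the IOA-style monitoring discussed above can be combined into a simple segmentation check over flow records. This is an added example, not code from the article or from CISA; the Purdue zone map, the engineering-workstation allowlist and the sample flows are all constructed.

```python
# Added illustration: flag ICS traffic that crosses Purdue zones or writes to a PLC
# from a host that is not an engineering workstation. All values are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {  # constructed Purdue-style zones
    ip_network("10.10.1.0/24"): "L1-control",      # PLCs / RTUs
    ip_network("10.10.3.0/24"): "L3-operations",   # HMIs, engineering workstations
    ip_network("10.20.0.0/16"): "L4-enterprise",   # corporate IT
}
ICS_PORTS = {502: "modbus", 20000: "dnp3"}
MODBUS_WRITE_CODES = {5, 6, 15, 16, 23}   # function codes that change coils/registers
WRITE_ALLOWLIST = {"10.10.3.10", "10.10.3.11"}  # constructed engineering workstations

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    func: int = 0  # Modbus function code; 0 = not Modbus / not parsed

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((z for net, z in ZONES.items() if addr in net), "unknown")

def evaluate(flow: Flow) -> list[str]:
    # Return indicator-of-attack labels for one flow; an empty list means benign.
    proto = ICS_PORTS.get(flow.dport)
    if proto is None:
        return []
    alerts = []
    # Segmentation rule: Modbus/DNP3 must originate inside the control levels.
    if zone_of(flow.src) not in ("L1-control", "L3-operations"):
        alerts.append(f"{proto} from {zone_of(flow.src)} zone crosses boundary")
    # Modbus has no authentication, so a write from a non-allowlisted host is an IOA.
    if proto == "modbus" and flow.func in MODBUS_WRITE_CODES and flow.src not in WRITE_ALLOWLIST:
        alerts.append(f"modbus write fc={flow.func} from non-engineering host")
    return alerts

SAMPLE_FLOWS = [  # constructed: routine read, enterprise write, rogue L3 write, DNP3 from IT
    Flow("10.10.3.10", "10.10.1.5", 502, 3),
    Flow("10.20.7.42", "10.10.1.5", 502, 16),
    Flow("10.10.3.77", "10.10.1.6", 502, 6),
    Flow("10.20.7.42", "10.10.1.9", 20000),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        for a in evaluate(f):
            print(f"{f.src} -> {f.dst}: {a}")
```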

Back to the future

Pop culture references to time travel tend to create a bit of a paradox, but organizations can review models and frameworks from the past and present to better understand how to secure legacy technology in OT environments.

In the 1990s, PERA, or the “Purdue Model,” was developed to explain how data flows across industrial systems. Just as threats evolve, so do these models. IEC 62443 is a common security framework (CSF) that builds upon the Purdue Model, providing a variety of best practices for protecting IT and OT networks in critical infrastructure environments.

Two of the biggest takeaways from the Purdue Model and IEC 62443 are an in-depth patch management process that validates the reliability of updates to critical systems, and network segmentation and isolation for critical systems that cannot otherwise be patched or protected.

More recently, in 2025, CISA published “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” According to CISA, threat actors exploit vulnerabilities, misconfigured protocols, insecure remote access points, weak authentication mechanisms and insufficient network segmentation to compromise critical infrastructure.

CISA advises organizations to develop asset inventories and taxonomies for classifying those assets; in other words, to gain visibility into, and context about, the state of these devices.

Hindsight is 20/20

The problem with rose-tinted glasses is that you don’t notice red flags. Organizations should not let nostalgia for the past blind them to the reality they face today.

It is unrealistic to expect organizations to replace monolithic legacy systems that are central to their operations, but they do need to understand them.