Dealing With Legacy Systems That Cannot Be Easily Patched or Upgraded.

Most Irish SMEs have at least one system they cannot easily upgrade. Here is how to manage the security risk of legacy hardware and software without replacing e


A Donegal food processing company ran their production line management system on a Windows Server 2008 machine that had been end-of-life since 2020. The system controlled specialist manufacturing equipment whose vendor had ceased trading. The software would not run on a newer operating system. Upgrading the production equipment to use a supported system would cost an estimated €180,000 and require a two-week production shutdown.

The system stayed. Unpatched. Connected to the production network. For four years.

This is not negligence — it is a genuine business constraint that many Irish SMEs face. The question is not whether the legacy system should be replaced. The question is how to manage the security risk of a system that cannot currently be replaced.


What Makes Legacy Systems a Security Risk

An unpatched system accumulates known vulnerabilities over time. Each security update that is not applied leaves a known weakness that attackers can exploit using publicly available tools. A Windows Server 2008 system has thousands of known, published, exploitable vulnerabilities — many of which have working exploit code available on the internet.

The risk is compounded by the typical placement of legacy systems on internal networks. A legacy production system connected to the same network as office computers and file servers provides attackers who reach that network segment with a straightforward stepping stone to higher-value systems.


The Compensating Controls That Reduce Legacy Risk

When a system cannot be upgraded, security can still be improved through controls applied around the system rather than to it.

Network isolation. Move the legacy system onto a dedicated, isolated network segment with no direct connectivity to the production office network or internet. All required communications between the legacy system and other systems should pass through a firewall with explicit, minimal rules. The food processing company above needed their production system to communicate with one specific server for data export. That single connection can be explicitly permitted at the firewall, with everything else blocked.

Restrict access to the system. Limit which devices and users can connect to the legacy system. If only three people need to log into a production control system, only those three people's devices should be able to reach it over the network — controlled at the firewall level.

Monitor closely. Legacy systems that cannot be hardened should be monitored more intensively, not less. Any unusual connection attempts to or from the legacy system, any access outside normal hours, any new processes executing — these should generate alerts. Network-level monitoring tools that do not require an agent on the legacy system can provide this visibility without requiring software changes.
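The two controls above, an explicit allowlist at the segment boundary and alerting on anything that does not fit it, can be expressed as a small piece of detection logic. The following is an added example, not code from the article or from Pragmatic Security: it assumes a constructed layout (an isolated legacy segment 10.50.0.0/24, the legacy host 10.50.0.10, one export server 10.10.0.20, three operator workstations, assumed shift hours of 06:00 to 22:00, and assumed ports 445 and 3389) and runs over constructed flow records of the kind a firewall or network sensor would export. It flags any flow touching the legacy segment that is not on the allowlist, rates it higher when the firewall actually passed it (a policy gap), and separately flags permitted operator access outside production hours.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Addresses, ports and hours below are constructed for this example and are
# not taken from the article; substitute your own segment layout.
LEGACY_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # isolated legacy VLAN
LEGACY_HOST = ipaddress.ip_address("10.50.0.10")        # the unpatchable server
EXPORT_SERVER = ipaddress.ip_address("10.10.0.20")      # the one data-export target
OPERATOR_DEVICES = frozenset(ipaddress.ip_address(a) for a in
                             ("10.10.0.101", "10.10.0.102", "10.10.0.103"))
PRODUCTION_START, PRODUCTION_END = time(6, 0), time(22, 0)  # assumed shift hours

# Explicit allowlist: (sources, destinations, dport, proto). Anything else that
# touches the legacy segment is a finding, whether the firewall passed it or not.
ALLOWED_FLOWS = (
    ({LEGACY_HOST}, {EXPORT_SERVER}, 445, "tcp"),    # data export; port is an assumption
    (OPERATOR_DEVICES, {LEGACY_HOST}, 3389, "tcp"),  # operator remote desktop; assumption
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    severity: str
    message: str


def _allowed(src, dst, dport, proto):
    return any(src in s and dst in d and dport == p and proto == pr
               for s, d, p, pr in ALLOWED_FLOWS)


def _in_production_hours(t):
    return PRODUCTION_START <= t < PRODUCTION_END


def evaluate_flows(log_lines):
    """Return alerts for flow records that involve the legacy segment.

    Each record is 'timestamp src dst dport proto action', as a firewall or
    network sensor might export it (format constructed for the example).
    """
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, action = line.split()
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src not in LEGACY_SEGMENT and dst not in LEGACY_SEGMENT:
            continue  # traffic elsewhere is out of scope for this monitor
        if not _allowed(src, dst, dport, proto):
            # A passed flow that is not on the allowlist means the firewall
            # policy is wider than the documented one: treat it as high.
            severity = "high" if action == "allow" else "medium"
            alerts.append(Alert(ts, severity,
                                f"non-allowlisted {proto}/{dport} {src} -> {dst} ({action})"))
        elif (dst == LEGACY_HOST and src in OPERATOR_DEVICES
              and not _in_production_hours(datetime.fromisoformat(ts).time())):
            alerts.append(Alert(ts, "medium",
                                f"operator access outside production hours from {src}"))
    return alerts


# Constructed sample flow records for a single day.
SAMPLE_LOG = """
# timestamp            src          dst          dport proto action
2024-03-12T14:02:11 10.10.0.101 10.50.0.10   3389 tcp allow
2024-03-12T14:05:40 10.50.0.10  10.10.0.20    445 tcp allow
2024-03-12T14:07:03 10.50.0.10  203.0.113.7   443 tcp deny
2024-03-12T23:41:09 10.10.0.102 10.50.0.10   3389 tcp allow
2024-03-12T23:42:30 10.10.0.55  10.50.0.10    445 tcp allow
2024-03-13T03:15:00 10.10.0.55  10.50.0.10   3389 tcp deny
""".splitlines()

if __name__ == "__main__":
    for a in evaluate_flows(SAMPLE_LOG):
        print(f"{a.timestamp} [{a.severity}] {a.message}")
```

On the sample records the first two flows are the documented ones and produce nothing; the legacy host's blocked attempt to reach an internet address, the out-of-hours operator login, an unlisted workstation that the firewall nevertheless let through, and a blocked attempt from that same workstation each produce an alert. The allowlist here doubles as the written form of the firewall rules, so a mismatch between the two shows up as a high-severity finding rather than going unnoticed.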

Compensating endpoint controls where available. Some legacy systems can still run older versions of endpoint security software. While these do not provide the same protection as current tools, they provide some detection capability. Where the operating system supports it, enable the host-based firewall. Disable all unnecessary services and open ports.

Document the risk formally. The decision to continue operating a legacy system should be documented as an accepted risk — with the business justification, the compensating controls in place, and a review date. This documentation protects the business in the event of a regulatory enquiry or insurance claim, and creates accountability for reassessing the risk as circumstances change.

Do you have a documented record of every system in your environment that is running end-of-life software? If not, the risk exists but is unmanaged — which is a materially worse position than a risk that is identified, documented, and mitigated. Book a free 20-minute strategy call — legacy system risk management is a recurring theme in our SME advisory work across Donegal and the North-West.


Planning the Upgrade Path

Compensating controls reduce legacy risk — they do not eliminate it. The longer a system operates beyond its supported lifecycle, the greater the accumulated vulnerability burden and the greater the probability of a successful exploit.

Every legacy system in your environment should have a documented upgrade path and a target date — even if that date is three years away. The documentation forces the conversation about cost, timeline, and business disruption to happen on a planned basis rather than in response to an incident.

For systems whose vendor has ceased trading, the upgrade path may require replacement of the associated hardware or production equipment — a significant capital investment. This investment should be included in the business's technology roadmap and presented to management with the risk cost of delay: what would a successful ransomware attack that enters through this legacy system cost the business?


Windows Server 2016: The Upcoming Irish SME Problem

As covered in a separate piece on this site, Windows Server 2016 reaches end of support in January 2027. Many Irish SMEs are currently running Server 2016, making this a near-term legacy risk requiring planning now [^1].


What Next

  1. Identify every end-of-life system in your environment. Include operating systems, applications, and firmware. Check support dates at endoflife.date.

  2. Isolate the highest-risk legacy systems on separate network segments. Work with your IT provider to remove direct connectivity between legacy systems and your main production network.

  3. Document each legacy system as a formal accepted risk with compensating controls and a review date. The documentation itself is a security control — it creates accountability and drives the upgrade conversation.
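The three steps above, together with the "document the risk formally" control earlier in the piece, amount to a checkable record: every system with an end-of-support date, and for each one past that date an accepted-risk entry with its compensating controls and a review date. The following is an added example, not code from the article or from Pragmatic Security, showing how such an inventory can be assessed automatically. The inventory, the hostnames and the assessment date are constructed; the end-of-support dates for Windows Server 2008 R2, Windows 7 and Windows Server 2016 are the published Microsoft dates, but as the first step says, confirm them against endoflife.date before relying on them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# The controls the article describes as the minimum around an unpatchable system.
REQUIRED_CONTROLS = frozenset({"network_isolation", "access_restriction", "monitoring"})
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class System:
    name: str
    product: str
    end_of_support: Optional[date]            # None = not yet recorded (a gap in itself)
    risk_accepted_on: Optional[date] = None   # date the accepted-risk record was signed
    review_due: Optional[date] = None         # next scheduled reassessment
    controls: Tuple[str, ...] = ()            # compensating controls in place
    upgrade_target: Optional[date] = None     # target date for replacement


@dataclass(frozen=True)
class Finding:
    system: str
    severity: str
    message: str


def assess(inventory, today):
    """Return findings for the inventory, most severe first."""
    findings = []
    for s in inventory:
        if s.end_of_support is None:
            findings.append(Finding(s.name, "medium",
                "no end-of-support date recorded; check endoflife.date"))
            continue
        days_left = (s.end_of_support - today).days
        if days_left > 0:
            if days_left <= 365:  # within a year: planning should already be under way
                findings.append(Finding(s.name, "low",
                    f"{s.product} leaves support in {days_left} days; plan the upgrade now"))
            continue
        years_past = -days_left / 365.25
        if s.risk_accepted_on is None:
            # Past end of support with nothing written down: the unmanaged case.
            findings.append(Finding(s.name, "critical",
                f"{s.product} is {years_past:.1f} years past end of support "
                "with no accepted-risk record"))
            continue
        missing = REQUIRED_CONTROLS - set(s.controls)
        if missing:
            findings.append(Finding(s.name, "high",
                f"accepted risk lacks compensating controls: {', '.join(sorted(missing))}"))
        if s.review_due is None or s.review_due < today:
            findings.append(Finding(s.name, "high",
                "accepted-risk review is overdue or has no review date"))
        if s.upgrade_target is None:
            findings.append(Finding(s.name, "medium", "no documented upgrade target date"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed sample inventory; hostnames and risk records are invented.
SAMPLE_INVENTORY = (
    System("PLC-MGMT-01", "Windows Server 2008 R2", date(2020, 1, 14),
           risk_accepted_on=date(2023, 6, 1), review_due=date(2024, 6, 1),
           controls=("network_isolation", "access_restriction", "monitoring"),
           upgrade_target=date(2026, 12, 31)),
    System("LABEL-PRINT-03", "Windows 7", date(2020, 1, 14)),
    System("FILE-02", "Windows Server 2016", date(2027, 1, 12)),
    System("ERP-01", "Windows Server 2022", None),
)
TODAY = date(2026, 3, 1)  # constructed assessment date


def run_sample():
    return assess(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.system}: {f.message}")
```

Run against the sample on the constructed date, the label printer comes out as critical (years past end of support, nothing documented), the production line server as high (properly documented, but its review date has lapsed), the ERP server as medium (no support date recorded at all), and the 2016 file server as low (under a year of support left). That ordering is the point of the record: it turns "we have some old systems" into a list that can be put in front of management with a priority and a date attached.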


Ready to find out exactly where your business stands? Book a free 20-minute strategy call at www.pragmaticsecurity.ie/book-a-call.

Related Reading

[^1]: Microsoft — Windows Server 2016 End of Support
[^2]: NCSC Ireland — Patch Management Guidance
[^3]: An Garda Síochána — National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
