# Full Report
More than three-quarters of utilities organizations were hit by cyber attacks involving outdated software or unavailable patches on legacy equipment over the last year. At 77%, it was the most common type of cyber incident facing the sector, according to Bridewell’s Cyber Security in Critical National Infrastructure Report 2026. And the most common effect was IT disruption or outages,…
# Analysis Summary
# Vulnerability: Systematic Exploitation of Legacy Utility Infrastructure
## CVE Details
- **CVE ID:** N/A (General systemic risk involving multiple undisclosed vulnerabilities)
- **CVSS Score:** High/Critical (Aggregated impact)
- **CWE:** CWE-1104 (Use of Unmaintained Third-Party Components), CWE-1392 (Use of Legacy Software/Hardware)
## Affected Systems
- **Products:** Legacy Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) equipment, and outdated IT infrastructure within the utilities sector.
- **Versions:** End-of-Life (EOL) and End-of-Support (EOS) versions lacking security patches.
- **Configurations:** Systems integrated into Critical National Infrastructure (CNI) where hardware cannot be easily updated or replaced without significant service interruption.
## Vulnerability Description
The vulnerability is not a single software flaw but a systemic reliance on "legacy kit" and outdated software. According to Bridewell’s 2026 report, 77% of utilities organizations are vulnerable due to unpatched or unpatchable legacy equipment. These systems often lack modern security protocols (such as encryption and robust authentication) and remain operational long after vendor support has ceased, creating a permanent attack surface for threat actors.
## Exploitation
- **Status:** Exploited in the wild (Reported as the most common incident type in the sector over the last year).
- **Complexity:** Medium (Often involves exploiting known, older vulnerabilities for which public scripts or tools exist).
- **Attack Vector:** Network (Primarily through lateral movement from IT to OT environments).
## Impact
- **Confidentiality:** Moderate (Access to utility grid telemetry and sensitive infrastructure data).
- **Integrity:** High (Risk of unauthorized control over physical equipment).
- **Availability:** High (Reported in 47% of incidents; results in significant IT disruptions and outages).
## Remediation
### Patches
- While specific patches vary by vendor, the report highlights that patches are frequently **unavailable** for this specific category of equipment.
- Immediate action: Upgrade EOL software to currently supported versions where applicable.
### Workarounds
- **Network Segmentation:** Implement strict "air-gapping" or hardware-enforced unidirectional gateways between legacy equipment and the public internet.
- **Virtual Patching:** Use Intrusion Prevention Systems (IPS) with signatures for the known, older vulnerabilities affecting the legacy equipment, so that exploit attempts are blocked at the network level even though the endpoint itself cannot be patched.
- **Zero Trust Architecture:** Limit access to legacy workstations using strict identity and access management (IAM) controls.
## Detection
- **Indicators of Compromise:** Unusual communication patterns from legacy PLCs (Programmable Logic Controllers), unauthorized remote access attempts on legacy ports, and unexpected system reboots.
- **Detection methods and tools:**
  - Deployment of OT-specific Network Detection and Response (NDR) tools.
  - Continuous monitoring of legacy traffic for signatures related to old CVEs.
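The two network indicators listed above (unauthorized remote access attempts on legacy ports, and unusual communication patterns from legacy PLCs) can be checked against flow records with very little code. The script below is an added example, not part of the Bridewell report or the cited articles: the OT subnet, the engineering-host allowlist, the port table and the flow lines are all constructed assumptions, and a real deployment would take its baseline from an asset inventory and its flows from the NDR or firewall export.

```python
"""Added example: flagging the two network indicators named in the Detection section.

Not from the Bridewell report or the cited articles. The OT subnet, the allowlist,
the port table and the flow records are constructed assumptions.
"""
import ipaddress

# Assumed layout (constructed): legacy PLCs sit in 10.10.0.0/24, and the only host
# that should open sessions to them is the engineering workstation 10.20.0.5.
OT_SUBNET = ipaddress.ip_network("10.10.0.0/24")
ALLOWED_ENGINEERING_HOSTS = {"10.20.0.5"}

# Well-known ports for legacy OT and remote-access protocols that are usually
# reachable on unpatched equipment (standard IANA/vendor assignments).
LEGACY_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    23: "Telnet",
    3389: "RDP",
    5900: "VNC",
}

# Constructed flow records, one per line: "src_ip dst_ip dst_port proto bytes".
SAMPLE_FLOWS = """\
10.20.0.5  10.10.0.11   502 tcp 1200
10.20.0.5  10.10.0.12   502 tcp 980
10.30.0.77 10.10.0.11   502 tcp 640
10.30.0.77 10.10.0.11    23 tcp 310
10.10.0.12 203.0.113.9  443 tcp 54000
10.20.0.5  10.10.0.13 44818 tcp 2200
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def find_unauthorized_access(flows):
    """Indicator 1: a host outside the allowlist reaching a legacy port on a PLC.

    Returns (src, dst, protocol_name) tuples in log order.
    """
    alerts = []
    for f in flows:
        if (ipaddress.ip_address(f["dst"]) in OT_SUBNET
                and f["port"] in LEGACY_PORTS
                and f["src"] not in ALLOWED_ENGINEERING_HOSTS):
            alerts.append((f["src"], f["dst"], LEGACY_PORTS[f["port"]]))
    return alerts


def find_unusual_plc_egress(flows):
    """Indicator 2: a PLC initiating a connection to anything outside the OT subnet.

    Legacy PLCs normally only answer the engineering host, so any outbound
    session they start is an unusual communication pattern worth triage.
    Returns (src, dst, dst_port) tuples in log order.
    """
    alerts = []
    for f in flows:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if src in OT_SUBNET and dst not in OT_SUBNET:
            alerts.append((f["src"], f["dst"], f["port"]))
    return alerts


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_FLOWS)
    for src, dst, proto in find_unauthorized_access(parsed):
        print(f"ALERT unauthorized access: {src} -> {dst} ({proto})")
    for src, dst, port in find_unusual_plc_egress(parsed):
        print(f"ALERT PLC egress: {src} -> {dst}:{port}")
```

Run against the embedded sample, the first check reports the two sessions from 10.30.0.77 to the PLC at 10.10.0.11 (Modbus/TCP and Telnet), and the second reports the PLC 10.10.0.12 opening a session to 203.0.113.9; the sessions from the allowed engineering host are silent. The allowlist-plus-subnet model is deliberately simple: it is the same rule the segmentation workaround above enforces at the gateway, restated as a detection so that a gap in enforcement shows up in the logs.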
## References
- Bridewell’s Cyber Security in Critical National Infrastructure Report 2026
- hXXps://threatbeat[.]com/critical-infrastructure/legacy-kit-behind-vast-majority-of-cyber-attacks-on-utilities/
- hXXps://www[.]itpro[.]com/security/legacy-kit-behind-vast-majority-of-cyber-attacks-on-utilities/