Legacy Device
A device running unsupported hardware, firmware, or software that cannot be patched or updated. Extremely common in healthcare and manufacturing, where segmentation compensates when remediation is impossible.
What is Legacy Device?
A legacy device is a device running hardware, firmware, or software that is no longer supported by its manufacturer — meaning no more security patches, no more bug fixes, and no vendor response to newly discovered vulnerabilities. Legacy devices are pervasive in healthcare, manufacturing, critical infrastructure, and building systems: environments where equipment investment cycles are measured in decades rather than the 3–5 year IT hardware refresh cycles.
The security implications of legacy devices are distinctive. A legacy Windows XP workstation in a hospital may have dozens of unpatched vulnerabilities, none of which will ever receive a patch. A 20-year-old PLC in a refinery runs firmware that was never designed with security in mind and receives no updates. These devices don't just represent deferred risk — they represent permanent, compounding risk that grows as new vulnerabilities are discovered and no remediation is available.
The operational reality is that many legacy devices cannot be replaced on any reasonable timeline. Replacing a medical imaging system requires capital budget approval, regulatory considerations, clinical workflow changes, and extensive validation testing. Replacing a legacy DCS in a running refinery may require a planned multi-week shutdown. Legacy device risk management is therefore a permanent operational challenge, not a temporary technical debt to be eliminated.
Key Facts
- Over 70% of active medical devices in hospitals run software past its vendor end-of-support date
- Windows XP, end-of-support since April 2014, remains in active use on medical devices and OT systems
- Legacy OT devices may be 20–40 years old and will never receive security patches
- Compensating controls for legacy devices reduce breach probability by 60–75% even without patching
How ORDR Addresses Legacy Devices
ORDR identifies legacy devices in the environment by tracking firmware versions, OS versions, and vendor end-of-support dates. Legacy devices are flagged in the risk dashboard with their specific vulnerability exposure. For devices that cannot be replaced, ORDR generates compensating control policies — segmentation, access restriction, enhanced monitoring — that reduce risk without requiring device replacement.
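The approach described above, as an added example that is not ORDR's code: an inventory is checked against a vendor end-of-support table, and every device that is past support (or whose support status is unknown) gets a default-deny allow-list confining it to the peers it needs for its function. The inventory, the end-of-support table and the peer lists are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support table for this example (OS family, version) -> vendor EoS date.
END_OF_SUPPORT = {
    ("windows", "xp"): date(2014, 4, 8),
    ("windows", "7"): date(2020, 1, 14),
    ("windows", "10"): date(2025, 10, 14),
}

@dataclass
class Device:
    name: str
    zone: str                # network segment the device currently sits in
    os_family: str
    os_version: str
    required_peers: list     # hosts it must reach to do its clinical/OT job

def classify(dev, eos_table, today):
    """Return 'legacy', 'supported' or 'unknown' for one device."""
    eos = eos_table.get((dev.os_family.lower(), dev.os_version.lower()))
    if eos is None:
        return "unknown"     # no vendor record: do not assume it is supported
    return "legacy" if eos < today else "supported"

def compensating_policy(dev):
    """Allow only the device's required peers, deny everything else, and flag it for monitoring."""
    rules = [{"action": "allow", "src": dev.name, "dst": peer} for peer in dev.required_peers]
    rules.append({"action": "deny", "src": dev.name, "dst": "any"})
    return {"device": dev.name, "isolate_from_zone": dev.zone, "rules": rules, "monitor": True}

def assess(inventory, eos_table, today):
    """Map each device name to its support status and, if not supported, a compensating policy."""
    report = {}
    for dev in inventory:
        status = classify(dev, eos_table, today)
        policy = None if status == "supported" else compensating_policy(dev)
        report[dev.name] = {"status": status, "policy": policy}
    return report

# Constructed sample inventory: a hospital imaging workstation, a PLC and a patched client.
INVENTORY = [
    Device("ct-console-01", "clinical-lan", "Windows", "XP", ["pacs-01", "ris-01"]),
    Device("plc-line3", "plant-floor", "VendorRTOS", "2.1", ["hmi-03", "historian-01"]),
    Device("nurse-ws-12", "clinical-lan", "Windows", "10", ["ehr-01"]),
]

if __name__ == "__main__":
    for name, entry in assess(INVENTORY, END_OF_SUPPORT, date(2025, 1, 1)).items():
        print(name, entry["status"], entry["policy"])
```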
ORDR gives security teams complete visibility into every connected asset—and the intelligence to act on what matters most.