A Guy Who Wrote the Code Died in 2005. I Still Have to Secure It
Dark Reading
The real front line of American cybersecurity is a bidding war on eBay for 30-year-old industrial controllers.
Chuck Everette, Field CISO Advisor, ESET
March 11, 2026
If you walk the expo floors at any of the Black Hat or RSAC conferences, the industry tells you the future is here. It's all quantum-resilient encryption, AI-driven security operations centers, and cloud-native architectures.
Then I go back to my day job.
With over 20 years of experience spanning federal government, private manufacturing, and enterprise security, I've seen the industry from every angle. In my current dual roles — advising Fortune 100s as a field CISO and protecting a major US city as a sitting practitioner — I spend half my time discussing the "cutting edge" and the other half defending the "rusting edge."
The dirty secret of critical infrastructure and American manufacturing isn't that we are "behind" on patching. It's that we are running the backbone of our economy on systems where "patching" is physically impossible.
I’m talking about operational technology (OT) and programmable logic controllers (PLCs) running on Windows 95 or custom DOS kernels. I'm talking about controllers where the vendor dissolved 20 years ago, the source code was lost in a merger, and the engineer who hard-coded the logic died in 2005.
There is no toll-free support number. There is no GitHub repository. There is just a blinking green light that we pray never turns red.
The Physics of Patching
This isn't a case of laziness. It's a case of physics and capital expenses.
In the IT world, when a server reaches its end of life, you spin up a new virtual machine. In the OT world, that "server" is a PLC physically cemented into the power plant's foundation or hardwired into the chassis of a hydraulic press.
Replacing that $5,000 controller doesn't cost $5,000.
In manufacturing: It means halting a production line that generates $50,000 an hour to rip out and rewire the "nervous system" of the factory floor.
In utilities: It means using heavy cranes to hoist out a turbine generator installed before the Internet existed.
In municipalities: It means digging up a major city intersection to reach a sewage lift station buried 20 feet underground.
I've seen upgrade quotes for a single manufacturing line hit $10 million — not for the hardware, but for the construction, recertification, and downtime required to install it.
So the CFO says "no." And the CISO is told to "make it work."
The 'eBay Supply Chain'
This leads to a reality that would terrify the average consumer: the eBay supply chain.
I have personally helped manufacturing and municipal clients scour eBay for specific control modules that haven't been manufactured since the Clinton administration. We aren't looking for antiques; we are looking for the specific I/O cards needed to keep the water running or the assembly line moving.
I know of clients who actively monitor bankruptcy filings to scavenge parts. When a factory shuts down, they buy up the legacy controllers, refurbish them, and put them into cold storage. We are cannibalizing the past to survive the present.
Securing the Unsecurable
We are tasked with securing this "zombie" infrastructure against nation-state actors armed with modern weaponry. We cannot install modern endpoint detection and response agents on these PLCs. They would crash the kernel. We cannot scan them for vulnerabilities. A simple nmap scan can knock a legacy SCADA system offline.
We are forced to build a digital fortress around a corpse. Here is how we do it in the real world:
"Digital concrete" (true segmentation): VLANs are not enough. If your legacy OT network can "talk" to the corporate IT network via a simple rule, you have already lost. I advise clients to use "digital concrete": strict, hardware-based firewalls or data diodes that allow traffic to flow in only one direction. The OT network should appear as a black hole to the outside world: Telemetry comes out, but nothing goes in.
Monitoring the wire, not the endpoint: Since we can't put an agent on a 30-year-old controller, we have to watch the wire. We use passive network monitoring to establish a baseline for "normal." If a PLC that has spoken to the same internal IP address for 15 years suddenly tries to talk to a server in a different subnet, that is your alarm.
Physical security is cybersecurity: When digital locks fail, physical locks must hold. I've seen assessments where we bypassed a $1 million firewall by walking into an unlocked utility shed and plugging a Raspberry Pi into a switch. If you are running legacy gear, your physical perimeter with fences, locks, and cameras becomes your primary firewall.
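An added example, not from the original article: a minimal version of the passive baseline check described under "Monitoring the wire," extended to also flag traffic entering the OT segment. The OT subnet, addresses, ports and flow-record format are constructed assumptions.

```python
"""Passive baseline check over flow records from a network tap (constructed data)."""
import ipaddress
from collections import defaultdict

# Assumption: the OT segment is 10.20.0.0/24. Every address and port is constructed.
OT_NET = ipaddress.ip_network("10.20.0.0/24")

LEARNING = [  # flows observed while "normal" was being learned
    "2026-03-01T00:00:00Z 10.20.0.11 10.20.0.5 tcp/5000",
    "2026-03-01T00:00:05Z 10.20.0.12 10.20.0.5 tcp/5000",
    "2026-03-01T00:00:10Z 10.20.0.11 10.20.0.5 tcp/5000",
]
LIVE = [
    "2026-03-16T09:00:00Z 10.20.0.11 10.20.0.5 tcp/5000",   # matches baseline
    "2026-03-16T09:00:07Z 10.20.0.11 10.50.3.40 tcp/445",   # PLC leaves its subnet
    "2026-03-16T09:00:09Z 10.1.1.77 10.20.0.12 tcp/5000",   # outside host reaches in
    "2026-03-16T09:00:12Z 10.20.0.12 10.20.0.11 tcp/5000",  # new peer inside OT
]

def parse_flow(line):
    """Parse 'timestamp src dst proto/port' into typed fields."""
    ts, src, dst, service = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), service

def build_baseline(lines):
    """Map each source to the (destination, service) pairs it normally uses."""
    baseline = defaultdict(set)
    for line in lines:
        _, src, dst, service = parse_flow(line)
        baseline[src].add((dst, service))
    return baseline

def check_flows(baseline, lines):
    """Return (ts, reason, src, dst, service) for every flow outside the baseline."""
    alerts = []
    for line in lines:
        ts, src, dst, service = parse_flow(line)
        if src not in OT_NET and dst in OT_NET:
            # "Nothing goes in": any flow entering the OT segment is an alert.
            alerts.append((ts, "INBOUND_TO_OT", str(src), str(dst), service))
        elif src in OT_NET and (dst, service) not in baseline.get(src, set()):
            reason = "NEW_PEER" if dst in OT_NET else "NEW_PEER_OFF_SUBNET"
            alerts.append((ts, reason, str(src), str(dst), service))
    return alerts

if __name__ == "__main__":
    for alert in check_flows(build_baseline(LEARNING), LIVE):
        print(*alert)
```

Because it reads only flow records from a tap or span port, the check never sends a packet to the controllers.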
Reality Check
We need to stop shaming organizations for having legacy tech and start helping them secure it.
The water pump down the street from your house, the factory making your car parts, and the grid powering your office are likely relying on the eBay supply chain. We cannot patch our way out of this.
The guy who wrote the code is gone. The vendor is bankrupt. The hardware is obsolete. But the mission — keeping the lights on and the water clean — remains.
As security leaders, our job isn't to complain about the rust. It's to make sure the rust doesn't become a breach.
About the Author
Chuck Everette
Field CISO Advisor, ESET
Chuck Everette serves as the field CISO advisor for ESET, the contracted CISO for the City of Fort Lauderdale, and is the owner of Mimic Cyber Solutions. This article was written in a personal capacity. The opinions expressed here are his own and do not represent the views, strategies, or opinions of these organizations. No statement should be construed as an official endorsement or professional guidance on behalf of the aforementioned entities.