- Critical infrastructure cybersecurity
Securing Legacy OT in a Hyper-Connected World
The programmable logic controller running your water treatment plant may be older than some of your employees. The SCADA system monitoring your pipeline was likely designed when “network security” meant locking the server room door. And the human-machine interface controlling your power substation could be running on an operating system that Microsoft stopped supporting years ago.
These systems were engineered for decades of reliable operation, built to withstand physical stress, not cyber threats. They were designed for isolation—air-gapped from corporate networks, disconnected from the internet, and protected by obscurity. However, that isolation is now just a memory.
Digital transformation has reached control rooms and substations across every critical infrastructure sector. Remote monitoring, predictive maintenance, cloud-based analytics, and resource planning integrations have delivered real operational efficiencies. But every connection that enables a technician to check system status from home also creates a potential pathway for adversaries to reach systems that weren’t designed to defend against modern threats.
How Nation-State Actors Target Critical Infrastructure Networks
Chinese state-sponsored actors known as Volt Typhoon have been pre-positioning themselves within U.S. critical infrastructure networks, from communications to energy, transportation, and water systems—ready for potential disruption or destruction in the event of a major conflict. They conduct extensive reconnaissance, learn organizational workflows and schedules, and use “living off the land” techniques—legitimate administrative tools already present on systems—to avoid detection. They’re not smashing through defenses. They’re slipping through the gaps where IT and OT environments connect.
The Colonial Pipeline attack in May 2021 demonstrated what happens when adversaries reach these systems. Colonial shut down its 5,500-mile system as a precaution, because the company did not yet know the scope or point of origin of the intrusion and wanted to prevent any spread into OT. Fuel shortages followed across parts of the East Coast, with many stations reporting outages. Federal regulators invoked emergency measures to ease fuel transport in affected states. Subsequent reporting and testimony indicate the initial access involved a legacy VPN account protected by only a password (no multi-factor authentication).
Why Legacy OT Security Is So Difficult
Legacy OT environments present security challenges that standard IT approaches simply don’t address. A 20-year-old PLC doesn’t accept patches. Industrial protocols like Modbus and DNP3 were designed for efficiency and reliability, not authentication or encryption. Some control systems run on operating systems that haven’t been supported in a decade—but replacing them means replacing the physical equipment they control, at costs that can far exceed budgets.
Then there’s the fundamental priority clash. In IT environments, the traditional security triad (confidentiality, integrity, availability) prioritizes confidentiality—protecting data from unauthorized access. In OT environments, availability and safety are paramount. A security scanner that crashes a workstation is an inconvenience. A security scanner that crashes a PLC managing chemical injection rates is a safety incident. Security teams accustomed to aggressive vulnerability scanning, regular patching, and rapid incident response find themselves unable to apply their standard playbook without risking the very systems they’re trying to protect.
The convergence of IT and OT has compounded these challenges. Organizations that once maintained strict separation between corporate networks and control systems have introduced connections for operational efficiency. Engineers can now access HMIs remotely. Historians send process data to enterprise analytics platforms. Each integration increases visibility and capability—and each one expands the attack surface that adversaries like Volt Typhoon are actively mapping.
Using Cyber Ranges to Test OT Defenses
Regulatory frameworks establish baseline expectations for critical infrastructure cybersecurity. But compliance alone establishes what organizations must do, not whether their defenses actually work. The only way to know if your detection capabilities catch adversarial techniques, if your team can respond effectively under pressure, and if your controls hold up against realistic attack patterns is to test them.
This is why realistic cyber ranges are now essential for securing critical infrastructure. A cyber range that accurately replicates your OT environment—including the legacy systems, the proprietary protocols, and the actual security tools you’ve deployed—allows you to test defenses without risking production. You can validate that your detection capabilities catch adversaries’ techniques. You can train operators on incident response in an environment where mistakes create learning opportunities, not safety incidents. You can test patches and configuration changes before they reach live systems.
But fidelity matters. A range built on generic simulations won’t reveal whether your specific SCADA implementation is vulnerable to a specific attack technique. A tabletop exercise won’t tell you whether your SOC can actually detect lateral movement through your industrial protocols. The only way to know if your defenses work is to test them against realistic attacks in a realistic environment.
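Because Modbus carries no authentication, the only "identity" a defender can check is where a request comes from. As an added example (not code from the original post or from SimSpace), the Python below parses Modbus/TCP request frames and flags state-changing writes from hosts outside an engineering allow-list, the kind of lateral movement through industrial protocols a SOC needs to detect; the sample frames, IP addresses, and allow-list are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change controller state; the protocol
# itself does nothing to prove who sent them.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]

def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the leading PDU fields of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    # Coil/register read and write PDUs all start with a 16-bit address.
    address = struct.unpack("!H", frame[8:10])[0] if len(frame) >= 10 else None
    return ModbusRequest(src, tid, unit, function, address)

def flag_unexpected_writes(frames, allowed_writers):
    """Return alert strings for write requests from hosts not on the allow-list."""
    alerts = []
    for src, frame in frames:
        req = parse_modbus_tcp(src, frame)
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src} -> unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]} at address {req.address}")
    return alerts

# Constructed sample traffic: (source IP, raw Modbus/TCP frame bytes).
SAMPLE_FRAMES = [
    ("10.10.1.5", bytes.fromhex("000100000006010300000002")),   # HMI reads 2 holding registers
    ("10.10.1.5", bytes.fromhex("000200000006010600100001")),   # HMI writes register 16
    ("10.10.9.77", bytes.fromhex("000300000006010600100000")),  # unknown host writes register 16
    ("10.10.9.77", bytes.fromhex("00040000000601050001FF00")),  # unknown host forces coil 1 on
]
ENGINEERING_HOSTS = {"10.10.1.5"}  # constructed allow-list of engineering workstations

if __name__ == "__main__":
    for alert in flag_unexpected_writes(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print("ALERT:", alert)
```

On a real network the frames would come from a passive tap or span port, and the allow-list from the engineering asset inventory; the parser rejects malformed MBAP headers rather than guessing.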
Three Keys to Effective OT Security Testing
Building an environment realistic enough to generate meaningful results requires far more than spinning up virtual machines. Effective OT security testing demands:
- Accurate replication of your OT environment. The range must replicate the actual protocols, tools, and complexity of production OT environments. That means supporting legacy operating systems and specialized firmware that most virtualization platforms simply can’t accommodate.
- Realistic attack emulation. Testing demands adversary techniques that mirror what Volt Typhoon and similar actors actually do, not simplified red team exercises. It requires realistic background traffic so defenders learn to distinguish malicious activity from normal operations. And it calls for integration with the actual security stack deployed in production, so detection gaps discovered in testing reflect those that exist in the real environment.
- Deployment flexibility. Many OT environments can’t depend on public cloud infrastructure for security-critical testing. The cyber range environment needs to match production constraints—which often means on-premises or hybrid deployment options that keep sensitive environment replicas under organizational control.
SimSpace’s cyber range platform addresses these requirements through a multi-layered approach to OT fidelity, combined with flexible deployment models that support on-premises, hybrid, and SaaS configurations. Organizations can run realistic attack scenarios while their actual security tools process events, generating quantifiable metrics on detection times, response effectiveness, and coverage gaps.
To see how SimSpace can help your critical infrastructure organization validate OT defenses without risking production systems, schedule a demo.
For elite cybersecurity teams under siege in an AI-fueled threat landscape, SimSpace is the realistic, intelligent cyber range that strengthens teams, technologies, and processes to outsmart adversaries before the fight begins. To learn how SimSpace helps organizations graduate from individual to team and AI model training; test tools, tech stacks, and AI agents; and validate controls, processes, and agentic workflows, visit: http://www.SimSpace.com.