How Legacy CVEs Continue to Shape OT Security


In 2024, Palo Alto Networks analyzed exploit signatures and threat telemetry to understand a persistent challenge: why do adversaries continue to favor older vulnerabilities in operational technology (OT) environments? By examining CVE age, threat trends, internal traffic, and geolocation data, we’ve identified where risks concentrate and why they endure. These findings are critical—not just for security teams, but for the business continuity, safety, and regulatory health of the entire organization. The data reveals a clear path for how organizations must recalibrate their defenses to meet both persistent and evolving threats.


The Staying Power of Older Vulnerabilities

[Figure: OT Network CVE Age]

This year’s analysis reveals a striking reliance on "vintage" exploits. CVEs aged 6–10 years account for 48% of signature triggers—the single largest category of observed activity. While newer vulnerabilities (0–5 years) represent 26%, we still see significant activity (15%) targeting vulnerabilities that are 16–20 years old.


This distribution reflects the unique structural realities of OT. Extended lifecycles, narrow maintenance windows, and the absolute requirement for uptime often make immediate patching impossible. Consequently, vulnerabilities remain exploitable long after disclosure. Threat actors aren't necessarily looking for the "newest" door; they are looking for the ones they know are still unlocked.


The takeaway for CISOs: Vulnerability age does not equal risk reduction. In OT, legacy exposures remain active on the front lines. Managing this risk requires a shift in focus—prioritizing exploitability and asset criticality over simple patch recency.
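As an added illustration of that shift (example code, not from the report or Palo Alto Networks), the following Python ranks one constructed set of OT findings two ways: by CVE recency alone, and by exploitability plus asset criticality with age only as a tiebreaker. The CVE ids, asset names, weights and reference date are all assumed.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 12, 31)  # constructed reference date (end of the 2024 dataset)

# CVE age buckets as used in the report, in years since publication.
AGE_BUCKETS = ((0, 5), (6, 10), (11, 15), (16, 20))

@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder ids only, not real CVE numbers
    published: date
    asset: str
    criticality: int         # 1 = convenience system .. 5 = safety/production critical
    exposed: bool            # reachable across the IT/OT boundary
    exploited_in_wild: bool  # exploit signature triggers observed for this CVE

def cve_age_years(f: Finding, today: date = TODAY) -> int:
    return (today - f.published).days // 365

def age_bucket(age: int) -> str:
    """Map an age in years to the report's bucket label."""
    for lo, hi in AGE_BUCKETS:
        if lo <= age <= hi:
            return f"{lo}-{hi}"
    return "20+"

def rank_by_recency(findings: list[Finding]) -> list[Finding]:
    """The patch-recency view: newest CVEs first, regardless of exposure."""
    return sorted(findings, key=cve_age_years)

def risk_score(f: Finding) -> int:
    """Exploitability and asset criticality dominate (assumed weights)."""
    return (40 if f.exploited_in_wild else 0) + (20 if f.exposed else 0) + 10 * f.criticality

def rank_by_risk(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; CVE age only breaks ties between equal scores."""
    return sorted(findings, key=lambda f: (-risk_score(f), cve_age_years(f)))

# Constructed sample: a 17-year-old, actively exploited flaw on an exposed PLC,
# a months-old flaw on an isolated engineering workstation, and an HMI in between.
SAMPLE = [
    Finding("CVE-EXAMPLE-PLC", date(2007, 6, 1), "plc-line3", 5, True, True),
    Finding("CVE-EXAMPLE-EWS", date(2024, 3, 1), "eng-ws-01", 2, False, False),
    Finding("CVE-EXAMPLE-HMI", date(2016, 9, 1), "hmi-packaging", 4, True, False),
]

if __name__ == "__main__":
    for f in rank_by_risk(SAMPLE):
        print(f"{f.cve:16} age={age_bucket(cve_age_years(f)):5} score={risk_score(f)}")
```

Under recency ordering the workstation CVE comes first; under the risk ordering the exploited, exposed PLC CVE from the 16–20 year bucket tops the list.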


Surging Detection Trends Signal Growing Pressure

[Figure: Average Detection in OT Networks vs All Networks]


Our 2024 data shows a marked acceleration in malicious activity, particularly in the latter half of the year. While detection volumes were relatively stable through Q1 and Q2, we observed a sharp surge beginning in the third quarter that continued through year-end.


Importantly, OT-directed threats are not just "noise" within general cyber activity; they represent a consistent and significant share of total detections. As overall global threats followed an exponential trajectory, the proportion targeting OT remained stable. This indicates that OT systems are a deliberate, primary target class for adversaries, rather than an opportunistic byproduct of wider campaigns. This trend reinforces the need for detection strategies that can scale with volume while remaining laser-focused on the IT–OT boundary.


Internal Traffic: A Shift in Attacker Objectives


When we look at traffic between private IP addresses, a clear divergence emerges between general IT threats and OT-specific attacks.


In the broader landscape, attackers prioritize data-rich targets like Financial Services (16.0%) and Wholesale & Retail (14.8%). However, when we isolate OT-targeted attacks, the focus shifts toward sectors where digital compromise causes physical or operational disruption. Insurance (13.2%) and Healthcare (12.4%) emerge as leading targets.


The intensity of these attacks is notable: Insurance environments, for instance, see an average of over one million attacks per affected firewall. Manufacturing remains a constant high-priority target (roughly 10% of attacks across both datasets), highlighting its dual exposure: the value of intellectual property and the high cost of operational downtime. For security leaders, this clarifies the motive: OT risk is increasingly about disrupting resilience and safety, not just stealing data.


The Geography of Defense

[Figure: Geography of Defense]


Geographic analysis shows a heavy concentration of activity in the United States, which remains the primary hotspot for both general and OT-specific threats. This likely reflects the high density of critical infrastructure and high-value industrial assets within North America.


While these detections don't necessarily pinpoint the origin of the attacker, they do highlight where the "operational effort" of adversaries is focused. Organizations operating in these high-density regions must align their security investments with this measurable reality, acknowledging that in OT, an attack’s consequence often outweighs its complexity.


Strategizing for the Long Haul


These findings move OT security out of the "niche technical" category and into the center of enterprise risk management. To protect business continuity, several strategic shifts are required:


  • Embrace Compensating Controls: Since legacy CVEs remain active, segmentation and exposure management are as vital as patching.
  • Scale for Volume: Increasing threat trajectories demand automated, scalable detection and response.
  • Prioritize Resilience: Move beyond data-protection mindsets toward models that value operational continuity and safety.


By aligning vulnerability management and network architecture with these observed behaviors, security leaders can move from a reactive posture to one of grounded, proactive resilience.


Download the full report: Intelligence-Driven Active Defense 2026.
