A new report by WPI Strategy, commissioned by Cisco, quantifies the cybersecurity risk posed by End-of-Life technology across Critical National Infrastructure. The findings are stark: the United Kingdom carries the highest relative risk score of any country assessed. For organisations responsible for essential services, the implications demand immediate attention.
The Scale of Technical Debt
End-of-Life technology is hardware or software that can no longer receive security patches from its vendor. It is not merely old. It is indefensible. Once a vendor withdraws support, every newly discovered vulnerability becomes a permanent, unfixable exposure. There is no remediation pathway. There is no workaround. The system is, by definition, compromised from the moment a threat actor identifies its weakness.
Industry estimates suggest that globally, almost half of all business network assets are ageing or obsolete. In the United Kingdom, 228 legacy IT systems were identified across government departments in 2024, with more than one in four rated as high risk for operational and security failures.
£4.7 billion — the planned UK government IT budget in 2019, of which nearly half was consumed simply keeping legacy systems running. — National Audit Office
The financial burden is equally severe. The US federal government spent $100 billion on IT and cyber investments in 2023, with an estimated $80 billion directed towards operating and maintaining existing systems, including legacy infrastructure. The National Audit Office found that government departments lacked fully funded remediation plans for over half of their legacy IT assets.
This is not a maintenance problem. It is a compounding security liability. Like any form of debt, the longer it is ignored, the more aggressively it grows — consuming budgets that should be directed towards innovation, resilience, and growth.
Why End-of-Life Technology Is a National Security Issue
The distinction between legacy technology and End-of-Life technology is critical. Legacy systems may still function as intended and receive vendor support. End-of-Life systems cannot be patched when new vulnerabilities are discovered. They represent permanent, known gaps in the security perimeter — gaps that adversaries actively catalogue and exploit.
The consequences are not theoretical:
- In 2023, hackers exploited a widely used productivity tool that had reached End-of-Life status to compromise at least two US federal agencies.
- A 2022 industry survey found that 60 per cent of French hospitals still relied on Windows 7 systems, despite security support having ended in 2020.
- In February 2024, the Chinese state-sponsored group Volt Typhoon was confirmed to have compromised multiple US critical infrastructure sectors, including communications, energy, transportation, and water systems.
The joint cybersecurity advisory issued in response began with 'Apply patches for internet-facing systems' and concluded with 'Plan end of life for technology beyond manufacturer's supported lifecycle.' The message could not be clearer: unpatchable technology in connected systems is an open invitation to adversaries.
"The threat to critical national infrastructure is real, enduring, and growing. The gap between the threat and our collective defences is widening." — NCSC Annual Review 2024
The United Kingdom: Highest Relative Risk
The WPI Strategy research modelled End-of-Life risk across five CNI sectors in five countries. The United Kingdom emerged with the most concerning profile of any nation assessed.
| Country | Overall Risk Score |
|---|---|
| United Kingdom | 92.0 |
| United States | 88.0 |
| Germany | 87.8 |
| France | 83.0 |
| Japan | 65.0 |
The United Kingdom's healthcare, energy, and water sectors carry particularly elevated scores. This reflects both the high concentration of UK infrastructure — where disruption to a single operator can cascade across entire regions — and the country's significant exposure to End-of-Life technology across these critical sectors.
Between September 2023 and August 2024, the NCSC responded to 1,957 reported cyber incidents, with a threefold increase in the most severe category compared to the previous year. The trajectory is clear: attacks are becoming more frequent, more sophisticated, and more damaging.
The Patching Problem: Speed, Scale, and Impossibility
5 days — the average time-to-exploit a newly discovered vulnerability in 2023, down from 63 days in 2018. — Google Threat Analysis Group
Even where patches exist, the window for exploitation has collapsed. For End-of-Life technology, the window is not narrow. It is permanently open. There is no patch to apply. There is no vendor to call. The vulnerability exists for as long as the system remains connected.
Sixty per cent of EU cyber breaches in 2022 and 2023 exploited known vulnerabilities for which patches were available but had not been applied. This underscores a dual failure: organisations struggle both to patch what can be patched and to replace what cannot.
The operational reality compounds the challenge. In water systems, where older operational technology has been overlaid with digital connectivity, operators have been found to avoid installing updates that could disrupt legacy systems and interrupt essential services. The result is infrastructure that is simultaneously connected to modern threat landscapes and defended by obsolete technology.
As one CISO at a UK water utility noted in an industry forum: *'We know the systems are vulnerable. But replacing them means shutting down services that people depend on every day. So we manage the risk as best we can.'* This is the impossible calculus that End-of-Life technology forces upon operators of essential services.
The Cost of Downtime
When End-of-Life systems are exploited, the consequences extend far beyond the immediate breach.
$400 billion — the annual cost of system downtime to the world's largest companies, with 56 per cent attributable to cybersecurity incidents. — Splunk, 2024
Perhaps most troubling, 54 per cent of executives admitted to intentionally leaving root causes of downtime unaddressed — likely to avoid the cost of remediating legacy systems. This is not ignorance. It is a calculated gamble that the cost of remediation exceeds the perceived risk of exploitation. Until, inevitably, it does not.
Recovery timelines are lengthening. Research by Fastly found that organisations took an average of 7.34 months to recover from attacks in 2024 — 25 per cent longer than anticipated. Organisations that invested less in cybersecurity faced recovery periods approaching 11 months. Nearly a full year of compromised operations.
The human cost is equally significant:
- The 2024 Synnovis attack on NHS healthcare services affected over 11,000 patients and cost £32.7 million. Blood tests were delayed. Surgeries were cancelled. Lives were directly impacted.
- The 2020 Hackney Council ransomware attack disabled housing, health, and benefits services for almost a year, with costs exceeding £12 million. The council was still struggling to fully recover more than two years later.
- Transport for London's 2024 breach compromised 5,000 customer bank details and cost over £30 million in response and remediation.
These are not abstract statistics. They are schools that could not access pupil records. Patients who could not receive treatment. Families who could not access housing support. The cost of End-of-Life technology is measured in human outcomes, not just financial ones.
Where Patching Ends, Physical Disconnection Begins
The WPI Strategy report's recommendations focus on asset registers, lifecycle management, procurement reform, and regulatory reporting. These are necessary measures. But they share a fundamental assumption: that all critical data and systems must remain connected, and that security depends on the speed and completeness of patching.
For organisations that accept this assumption, the risk calculus is straightforward but unforgiving:
- Every system that cannot be patched is a permanent vulnerability.
- Every delay in remediation extends the window of exposure.
- Every connection to the network is a potential pathway for compromise.
Physical disconnection offers an alternative architecture for the data that matters most. When critical assets are physically disconnected from the network, they are removed from the threat surface entirely. End-of-Life technology in connected systems cannot compromise data that is not connected. Unpatched vulnerabilities cannot be exploited across a physical gap.
You cannot breach what is not connected. You cannot ransom what you cannot reach. You cannot exploit a vulnerability in a system that has no network interface.
The entire category of risk that the WPI Strategy report quantifies — the exposure created by unpatchable technology — simply does not apply to assets held offline. This is not a software control. It is not a configuration change. It is a fundamental architectural decision that eliminates the attack vector at its root.
Matching the Solution to the Scale of Risk
The scale of End-of-Life exposure varies enormously across organisations. A board director safeguarding personal liability documents faces a different challenge to a water utility protecting decades of operational data. The solution architecture must reflect this.
For individuals and senior leaders, Vault provides a digital safe deposit box for crown jewel documents — contracts, intellectual property, succession plans, and personal records that would cause irreparable harm if compromised. Each Vault is physically disconnected, hardware-encrypted, and identity-locked through KYC and multi-factor authentication. It is the simplest expression of a powerful principle: critical data that is not connected cannot be breached.
For organisations managing larger volumes of sensitive data — operational records, research archives, regulatory documentation — Storage delivers scalable offline secure storage measured in terabytes. Storage enables CNI operators to move entire categories of critical data beyond the reach of network-borne threats, including those that exploit the End-of-Life vulnerabilities this report quantifies.
For enterprises requiring systematic control across multiple sites, departments, or compliance frameworks, the Platform provides the architecture to implement physical disconnection at scale. Nine integrated modules — from fv-Fracture for data segmentation to fv-Isolate for physical port control — enable organisations to manage the path of data to protect their most critical assets. The Platform supports on-premise, co-located, and hybrid deployments across Firevault Bunker locations.
This is not a replacement for the lifecycle management and remediation the report advocates. It is recognition that for crown jewel data — the records, intellectual property, and operational information that an organisation cannot afford to lose — the gap between what should be patched and what can be patched will always exist. That gap requires a fundamentally different approach.
Regulatory Direction and the Case for Action
The regulatory environment is moving towards greater accountability. The United Kingdom's forthcoming Cyber Security and Resilience Bill will expand mandatory security requirements for CNI operators and bring managed service providers into scope. The EU's NIS2 Directive has already strengthened obligations across member states. Japan's Active Cyber Defence Act, passed in May 2025, requires operators to submit IT asset inventories and report incidents to a newly strengthened National Cybersecurity Office.
These frameworks increasingly expect CNI operators to demonstrate that appropriate protective measures are in place. For organisations carrying significant End-of-Life exposure, demonstrating compliance will require showing either a credible remediation plan or alternative controls that address the risk.
Physical disconnection through offline secure storage provides that alternative — ensuring that the most critical data remains protected regardless of the patching status of connected infrastructure. Whether through Vault for personal protection, Storage for departmental resilience, or Platform for enterprise-wide architecture, the capability exists today.
Conclusion
The WPI Strategy report provides the clearest quantification yet of the cybersecurity risk that End-of-Life technology poses to Critical National Infrastructure. The United Kingdom's position as the highest-risk country assessed should concentrate attention at board level and across government.
The report's recommendations for better asset management, reformed procurement, and regulatory transparency are essential. But they address the symptoms of a deeper architectural challenge: critical data stored on systems that are, by definition, permanently vulnerable.
The question is not whether End-of-Life technology presents a risk. The WPI Strategy research has answered that definitively. The question is what to do about the data that is too important to leave exposed while the slow work of remediation continues.
By physically disconnecting critical assets from the network, organisations eliminate the exposure that End-of-Life technology creates. You cannot breach what is not connected. And you cannot exploit a vulnerability in a system that has no network interface.
For CNI operators, the path forward is clear: patch what you can, replace what you must, and disconnect what you cannot afford to lose.
