Critical Infrastructure is being targeted more frequently as cybercriminals (and states) deem these attacks more profitable (or politically/militarily effective) than hacking private individuals and businesses.
But why can’t critical infrastructure operators simply update their systems to avoid being hacked? It isn’t so simple.
First of all, as the name suggests, these are critical infrastructures. That means they can’t go offline at all. Consider this: what would happen if all the traffic lights in New York City went out for an hour because of an update? That would be utter chaos.
Another issue critical systems must contend with is that they are generally specialized or run on embedded operating systems. That means no one-size-fits-all update will work for an entire swathe of industry.
Also, the air-gapped protection of these systems is both a blessing and a curse. While it protects the system from external attacks, since you have to be physically connected to the system to access it, it also means that updates can’t be easily delivered by their suppliers.
One other thing companies must deal with is specialized equipment. For example, say you’re a food manufacturing company and bought a supply chain system running on Windows XP in 2009. Unfortunately, the company that provided your system closed. You don’t have the budget to buy new supply chain management software, nor do you have the time to retrain your personnel. This is how companies end up with computers running Windows XP well into the 2020s.