Update Critical: Counting the cost of cybersecurity risks from End-Of-Life Technology on Critical National Infrastructure
A new WPI Strategy report, commissioned by Cisco, reveals the hidden cybersecurity cost of outdated technology across critical national infrastructure
A new report from WPI Strategy uncovers the mounting cybersecurity risks posed by outdated and unsupported technology across critical national infrastructure (CNI) sectors, and warns that legacy systems could be the Achilles' heel of modern economies.
The report, commissioned by Cisco, highlights the extent to which ageing IT hardware and software are exposing essential services like healthcare, water treatment, energy, finance and manufacturing to ever-increasing cyber threats. In 2024, nearly half of business network infrastructure globally was estimated to be obsolete or ageing, making it harder to patch, harder to secure, and easier to exploit.
In the UK, the report finds the highest relative exposure to EoL systems among major economies, driven by concentrated risk in healthcare, energy and water sectors. In contrast, Japan ranks significantly lower due to more consistent investment in digital resilience and lifecycle management practices.
The report introduces a new EoL risk model, comparing five countries and five sectors, and provides insight into how traditional approaches to IT investment and risk management are leaving public services and private operators exposed. Case studies such as the Synnovis NHS cyberattack and the Hackney Council ransomware incident reveal the true cost of this ‘technical debt’, from millions of pounds in direct losses to harm to patients, citizens and national security.
The findings point to a pressing need for coordinated action to build a proactive approach to cybersecurity that prioritises resilience.
To stay ahead of the threat, the report makes four critical recommendations:
Address legacy systems before they become cyber liabilities:
Mandate effective lifecycle management across CNI operators – including live asset tracking and regular audit of at-risk systems.
Reform funding models to support long-term remediation, not just maintenance, through flexible and scalable investment frameworks.
Offer clearer, actionable guidance on how to reduce exposure from unsupported systems – focusing on patching, planning, and prioritising modernisation.
Increase transparency and cross-sector information sharing to expose and mitigate EoL risk, driving better awareness of vulnerabilities.
Now is the time for governments, regulators and operators to recognise that end-of-life technology isn’t just an internal cost—it’s a national cybersecurity priority. By embracing smarter investment and stronger standards, countries can reduce hidden risks and build digital resilience that lasts.