Update Critical:
Counting the cost of cybersecurity risks from End-Of-Life Technology on Critical National Infrastructure
A new WPI Strategy report, commissioned by Cisco, reveals the hidden cybersecurity cost of outdated technology across critical national infrastructure
A new report from WPI Strategy uncovers the mounting cybersecurity risks posed by outdated and unsupported technology across critical national infrastructure (CNI) sectors, and warns that legacy systems could be the Achilles' heel of modern economies.
The report, commissioned by Cisco, highlights the extent to which ageing IT hardware and software are exposing essential services like healthcare, water treatment, energy, finance and manufacturing to ever-increasing cyber threats. In 2020, nearly half of business network infrastructure globally was estimated to be obsolete or ageing, making it harder to patch, harder to secure, and easier to exploit.
This research provides a novel approach to comparative analysis of End-of-Life (EoL) technology risk across key markets: the US, the UK, France, Germany, and Japan.
In the UK, the report finds the highest relative exposure to EoL systems among the major economies considered, driven by concentrated risk in the healthcare, energy and water sectors. In contrast, Japan ranks significantly lower, reflecting ongoing investment in digital resilience and lifecycle management practices.
In the US, 80% of federal IT spending goes to operating and maintaining existing, often legacy, systems, increasing risk to critical infrastructure.
The report introduces a new EoL risk model, comparing five countries and five common critical infrastructure sectors, and provides insight into how traditional approaches to IT investment and risk management are leaving public services and private operators exposed. Case studies such as the Synnovis NHS cyberattack and the Hackney Council ransomware incident reveal the true cost of this ‘technical debt’, from millions of pounds in direct losses to harm to patients, citizens and national security.
The findings point to a pressing need for coordinated action to build a proactive approach to cybersecurity that prioritises resilience.
To stay ahead of the threat, the report makes four critical recommendations:
Address legacy systems before they become cyber liabilities:
Implement effective lifecycle management across CNI operators—including live asset tracking and regular audit of at-risk systems.
Reform funding models to support long-term remediation, not just maintenance, through flexible and scalable investment frameworks.
Offer clearer, actionable guidance on how to reduce exposure from unsupported systems – focusing on patching, planning, and prioritising modernisation.
Increase transparency and cross-sector information sharing to expose and mitigate EoL risk, driving better awareness of vulnerabilities.
Now is the time for governments, regulators, and operators to recognise that end-of-life technology isn’t just an internal cost—it’s a national cybersecurity priority. By embracing smarter investment and stronger standards, countries can reduce hidden risks and build digital resilience that lasts.