Critical Infrastructure Security

The industry needs a new approach to protecting legacy critical infrastructure


COMMENTARY: Most enterprises run on Linux, and many of these systems are aging, unsupported, and increasingly vulnerable to security threats.

While new applications get deployed to the cloud with modern security practices, critical legacy Linux installations supporting everything from financial services to transportation networks remain frozen in time. The uncomfortable truth: these systems are accumulating vulnerabilities faster than organizations can address them.


The Linux ecosystem, favored for its flexibility and robustness, has inadvertently created islands of technological isolation. Organizations find themselves stranded on these islands when their critical systems run on distributions that have reached end-of-life. 

For example, a major North American railway company running locomotive control systems on end-of-life Red Hat Enterprise Linux 6 isn't an anomaly—it's representative of thousands of organizations worldwide operating essential services on outdated Linux distributions. We know this for a fact because they are one of our customers. 

Large entities such as these must either undertake massively expensive and risky systemwide upgrades, or continue operating with known vulnerabilities. The railway operator is a prime example of this impossible dilemma. When human safety is at stake, the calculus becomes even more complex: we can neither risk operational disruption through upgrades nor accept ongoing security exposure, yet for years these have been the only two choices available.

When following rules means breaking security

There’s a growing gap between compliance requirements and practical security implementations. Regulatory frameworks such as FedRAMP, PCI DSS 4.0, and TSA's cybersecurity directives demand continuous security updates regardless of whether a system has reached end-of-life status. There’s a fundamental disconnect between what regulators demand and what the technology has traditionally been able to deliver.

Organizations often respond with compensating controls—additional layers of security meant to offset the risk of running outdated systems. These stopgap measures frequently increase complexity without reducing risk, while diverting valuable security resources from addressing emerging threats to maintaining an increasingly brittle security posture.

Meanwhile, security teams become mired in compliance documentation rather than actual security improvement. Organizations end up with a perverse incentive structure where checking compliance boxes takes precedence over meaningful security enhancements.

Break the security-upgrade cycle

New tools are finally letting companies patch vulnerabilities without upgrading their entire systems. Rather than forcing the traditional "upgrade or accept risk" binary choice, these approaches deliver post-EOL security patches while avoiding vendor lock-in. Complex operational environments demand that security adapt to operational realities, not the other way around.

Looking ahead, organizations must rethink how they balance operational stability with security requirements. The traditional model of regular upgrade cycles works well for consumer devices and non-critical applications, but falls short for systems where downtime has significant consequences. Security tools that can decouple vulnerability remediation from upgrade cycles represent a technological advancement and a necessary evolution in our approach to digital infrastructure security.

For too long, we've accepted that using legacy systems means accepting security vulnerabilities as inevitable. Perhaps it's time to challenge that assumption and demand more flexible approaches to securing our digital foundations—especially those that power our most critical services and infrastructure.

Itamar Sher, chief executive officer, Seal Security

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
