The OT Retirement Cliff: We're Not Ready

There's a crisis coming in OT security that nobody's panicking about enough. The people who built and maintained the industrial control systems running our critical infrastructure are retiring. And we haven't trained anyone to replace them.

This isn't a future problem. It's happening now. The engineers who understand legacy systems…. the ones who've kept 20-year-old PLCs running, who know the quirks of every DCS in the plant, who carry decades of undocumented institutional knowledge in their heads ….. are walking out the door.

And they're taking everything they know with them. Including asset inventories and passwords.

The industry has a massive upskilling gap. We're producing cybersecurity graduates, sure. But they're coming out of programs that focus on IT. They can talk about zero trust and cloud security all day long. Ask them about ladder logic or process safety and you get blank stares.

Meanwhile, the OT veterans retiring didn't grow up with cybersecurity. They grew up with mechanical engineering and process control. They know the systems inside out, but they're not the ones who'll implement network segmentation or deploy intrusion detection on an OT network.

So who does that work when they're gone?

This is where the industry needs to get serious about two things. First, capture the knowledge. Get those retiring engineers to document what they know, mentor younger staff, and participate in structured knowledge transfer before their last day. Second, invest in upskilling programs that take promising younger professionals and give them real OT exposure, not just textbook theory.

The companies that figure this out will have a massive competitive advantage. The ones that don't will be calling us in a panic when their last OT veteran puts in their two weeks.

The clock is ticking.