In the world of operational technology, how do you keep your software up to date and secure, especially when it's reliant on an old, unsupported Windows operating system that uses legacy plug-ins, such as Internet Explorer and old Java, and there is no upgrade path available?

CIO in Government, 7 months ago

Develop and implement a regular software and hardware (firmware) maintenance process. Leverage development and test environments if you have them, to test and validate your patching processes before pushing out to production.

Running N-1 can be beneficial to avoid introducing new bugs into your environment; however, sometimes you need to deploy patches to address zero-day exploits, and the risk of not doing so outweighs the risk of introducing bugs.

Addressing products that are out of support and no longer receiving security updates requires the implementation of cyber controls to mitigate the risk to your environment. Segregate these environments within their own network segment with appropriate access controls from other networks if this is required. Ideally these become "air-gapped" for improved protection, but this is not always aligned with business needs; take a risk-based approach.

Finally, consider migrating workloads to cloud services where it makes sense. E.g., Microsoft offer longer-term support arrangements for Win Servers in Azure that are out of support when on-prem.

Of course there are many obsolete operating systems that run critical OT systems which will not be suitable for cloud.

For those needing to get off obsolete hardware and retain their legacy software, there are specialist organisations who can migrate legacy operating systems into cloud services (i.e. OS/2, DOS, WinNT etc).

CIO, 7 months ago

Often, when OT is approaching EOL, we schedule its isolation from the rest of the network and, if possible, intranet connectivity due to security concerns. This severely limits the security risk but allows the technology minimal functionality. Ideally, scheduling and discussing this well ahead of EOL gives the owner time to upgrade or replace the technology. When it's brought to light that outdated software is a security risk and could result in a compromised environment, or the security measures put in place to mitigate the risk cripple the functionality, owners often try to upgrade or replace it prior to EOL.
