What to do when equipment is old, in the way, and yet still functional
CIOs and IT departments spend significant resources making sure all the hardware in their businesses is updated with the latest operating system patches, to keep it secure and running at top efficiency, with all the capabilities the newest software provides.
But some companies have the opposite problem: They need to figure out how to handle hardware that never or only rarely gets OS updates. Such hardware is surprisingly common in enterprises: medical hardware, remote sensors, IoT devices, and even entire networks. Running hardware whose operating system is rarely if ever patched creates countless challenges for IT departments, including making sure the devices work with newer technologies, keeping them secure, ensuring they can connect to devices with more up-to-date networking protocols, and even finding people with the skills for working with old operating systems.
How best to solve those challenges? To find out, we spoke to five experts.
What hardware doesn’t get updated?
We start by looking at the devices whose software rarely or never gets updated. Not uncommonly, older medical devices are in this category. Many of the current generation, when they were first released, used Windows 7, and the devices still work well enough that they remain in service today. But Microsoft ended mainstream support for Windows 7 back in January 2015, so the operating system gets updated only with an occasional security patch as part of Microsoft’s extended support. In January 2020, that extended support will end as well.
Beyond medical hardware, a fair number of IoT devices don’t get their software updated either. They’re often powered by embedded Linux. Michael Barr, founder of the Barr Group, which provides engineering and consulting services for the embedded systems industry, says many IoT devices powered by embedded Linux “are not designed to be updated after they enter service.” He adds that devices powered by so-called real-time operating systems, such as VxWorks or FreeRTOS, typically don’t get updated either. In addition, he says, “many simple devices have nothing inside resembling an operating system in the usual sense of the word. In these bare-metal systems and many of the others, a firmware update is an all-or-nothing proposition that involves replacing the entire contents of non-volatile memory and rebooting.”
Bryan Eagle, president of Memphis Ventures, which provides consulting services for IoT and machine-to-machine communications, adds that many sensors, such as light detectors, motion detectors, and vibration detectors, don’t get updated because of their simple, one-use purposes.
Security woes and hardware dead ends
Experts cite two primary problems with this kind of hardware: It has security holes, and it becomes less useful over time.
“Security is a nightmare with these systems,” Barr says. “Hackers and their access to knowledge and computing power only go up as the years pass, which means that long-lived, fixed-firmware devices become ever more insecure over time.” Because the devices rarely or never get updated, the equipment doesn’t have protections against newer, advanced attacks.
Exhibit A for that is the global WannaCry ransomware hack in 2017, which targeted Windows 7 systems. That included not just PCs but also medical devices. Companies and healthcare organizations in more than 150 countries were hit, with one estimate putting the total cost to businesses at $4 billion.
“Security is usually added as a Band-Aid at the end rather than a properly designed requirement in the world of IoT,” warns Eric Klein, COO and CISO of Cloudonix.io, which specializes in communications services, including for IoT devices.
Also problematic is that because the devices don’t get their software upgraded, they’re essentially dead-end systems. That makes them useful for little beyond their original purpose. Samuel Hale, an analyst at MachNation, which tests and researches IoT platforms, middleware, and services, notes a big drawback with the devices is “the inability to deploy new features or easily re-task the hardware for new roles.”
“If the system is never updated, then it will lose out on fixes for bugs that can be life-threatening while missing out on new, free capabilities from the device,” Klein adds. “Think of an MRI or CAT scan that does not get updated imaging software and thus misses seeing a small tumor.”
Because the devices rarely if ever get software upgrades, over time they can run into problems working with newer operating systems, hardware, and communications protocols. Klein likens the issue to ports on old computers, which are no longer in use today. “Will the necessary ports or connectors still be available in two to 10 years in order to get data off the non-upgradable devices?” Klein asks. “Look at things like the serial/COM or parallel ports on PCs that were used to connect to devices. Today, it is hard to find a computer that has such a port—and almost no laptops do anymore—so you need specialty or really old computers to get the data off of them.”
Sajith Kumar, vice president and CIO at Happiest Minds Technology, adds that enterprises frequently add new connectivity capabilities. However, because those connectivity capabilities can’t be added to the devices, “their average longevity cannot be predicted.”
Barr adds, “Fixed-function devices don’t typically support new wireless protocols in software. And they aren’t very often hardware-upgradable to support the new physical interfaces underlying new technologies.”
Woes with networks that aren’t designed for upgrades
It’s not just individual devices that aren’t upgradable. Some IoT networks have been designed for only one-way communications, making it impossible to upgrade any sensor or device on the network, says Eagle. He points to the LoRa wireless networking platform built for IoT, which was originally designed only for one-way communications: sensors sending out data. It didn’t allow for incoming communications, which would allow the sensor’s software to be upgraded over the network. LoRa is inexpensive and covers a wide area, which is why many companies adopted it. Businesses thought there would be no need for two-way communications, because they typically used the network only to gather data from sensors.
But “as one-way networks started to get deployed,” Eagle says, “people started to think about different things that they could do. Edge computing started to get big, and companies wanted to push more intelligence out to the edge. But intelligence requires a two-way path, and old one-way networks don’t have one.”
In addition, because sensors couldn’t be upgraded remotely, if there were problems with them, “companies had to do truck rolls and send out maintenance workers—and that’s expensive. You do one truck roll to change out a device or to upgrade something and a lot of the benefits of the lower-cost deployment go away. So some people buy into one-way networks because they’re cheap, but then ultimately leave because it doesn’t give them flexibility.”
How IT can solve the problems
All these problems, while serious, are not insurmountable, experts say. MachNation’s Hale says, “A best-in-class IoT device management platform can often ameliorate many of the challenges” with the devices. He adds that enterprises “that implement effective device lifecycle management policies, especially those with a well-architected solution in place before initial device deployment, can effectively update and manage IoT devices, regardless of the chosen operating system or hardware platform.”
If done properly, Hale says, “well-managed IoT devices are typically no more costly to maintain than other deployed IT assets, especially when deployed in concert with an effective IoT device management platform.”
Kumar says enterprises need not worry that it will be difficult to find people with the skills or interest to work with older systems. “Finding people with the expertise is not tricky and neither is training people on the older technologies,” he says. “The challenge is mostly to convince people who only want to work with the latest version or the latest technologies so that they are relevant in the market. Cross-training people on multiple technologies is also an exciting option.”
In some instances, though, because of potential legal and technical problems, enterprises may need to abandon older hardware whose software can’t be upgraded. “In nearly all such cases, the only people who have the knowledge and possibly the legal right to make custom changes to such a device are the employees of the device maker,” Barr says. “Tinkering with them probably has many more risks for an IT department than rewards. In most cases, it would be more cost-effective to trash the older device and buy a new product to replace its functionality.”
And the ultimate solution to the problem may be simply to avoid buying devices whose software can’t be upgraded or is upgraded only rarely. Eagle says enterprises should think long and hard before buying devices or networks that can’t be upgraded. “In my experience, it’s pretty much universal that at some point, you’re going to want to change something in that network. You’re going to want to upgrade the firmware, update some element in it,” he says. “So you’d better have a pretty good reason to deploy something that can’t be touched.”
Before buying, Eagle recommends, companies should think of their needs for the next five to eight years: “They should do trials with the hardware and start collecting data. Once you collect data, it usually brings up many kinds of uses for it that you’ve never thought of before. And that almost always requires devices or networks that can be upgraded.”
Updating embedded systems: Lessons for leaders
- Ask vendors of expensive devices how they plan to address OS and security upgrades.
- Think before you deploy devices. Plan not just for today but tomorrow.
- Retain the technical knowledge to maintain and support older devices in daily use.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.