Are Outdated Operating Systems Jeopardizing Your Plant’s Reliability and Security?

By Heath Stephens, P.E. | Automation Solutions Director

Control systems are typically expected to have a service life of five to fifteen years or more, but longevity doesn’t always come without risk. Just as you have to periodically update Windows or install security patches on your laptop, the operating system (OS) that runs your automation platform also needs regular patches and updates.

Keeping your automation system’s OS up to date isn’t just a matter of keeping the plant running smoothly, it’s also critical to the plant’s cybersecurity efforts. An outdated operating system, or one that lacks the most current security patches, can be a gateway for malicious attacks such as ransomware. Notably, this risk has become more acute in the past several years as equipment and controls on the plant floor (operational technology, or OT) are now more likely to be connected to the company’s network – a phenomenon often dubbed the “IT-OT convergence.” While this connectivity enables a host of advanced tools to improve efficiency and decision making, it means that connected systems on the plant floor can expose back-office systems to cyber threats, and vice versa.

The Hidden Risks in Legacy Systems

Unfortunately, many production facilities ignore their old air-gapped equipment that isn’t connected to a network thinking they aren’t at risk. In reality, they are still exposed to cybersecurity risks through the use of portable media like USB flash drive file transfers and temporary connections to engineering laptops. There is also the risk of hardware failures without adequate backups or the ability to repair and restore the system.

Despite these risks, when conducting equipment assessments and planning system updates, it’s easy to overlook an automation system that’s quietly performing without issues, but doing so can be a costly mistake. Take the example of a small manufacturer whose legacy automation system ran problem-free for more than 25 years. With the legacy system humming along, maintenance efforts were focused on other systems where the need was more pressing, leaving the legacy system untouched and increasingly vulnerable.

Eventually, the legacy system encountered a hardware failure, and because it was woefully out-of-date, recovery was impossible. There was very little documentation on the software, and replacement parts for the hardware were nonexistent. The only way to get the manufacturing process back online was to make a substantial investment in new equipment with a modern operating system. Meanwhile, existing orders were going unfulfilled and new orders were coming in, representing lost revenue and frustrated customers.

Strategies for Updating Legacy Operating Systems

While extreme, this example demonstrates the importance of maintaining your automation systems – from both a hardware and a software standpoint. Fortunately, even if you’re behind in OS upgrades or patches, major control system vendors usually provide a path for operating system updates, including updated versions of their software and apps, to facilitate a smooth migration.

If your control system uses a custom platform or legacy software, there are still options for upgrading the OS without significant headaches. For example, if your PLC application is outdated, the control logic running in the PLC can remain there, often with little to no modification, while the HMI OS and application is upgraded.

For custom applications that are no longer supported or are incompatible with modern versions of Windows, there are other solutions that can protect the operating system from external security threats. One example is to run the system as a virtual machine on a newer Windows platform. Another is to install DIN rail-mounted endpoint firewalls directly in the control cabinet. While these and other alternative solutions may not offer as robust protection as full migrations, they can mitigate some of the most critical cybersecurity and obsolescence issues.

The Role of OT Assessments

Given the diversity and complexity of systems operating in a modern manufacturing or processing plant, keeping track of each system can be a daunting task. This is where an OT assessment can help.

The OT assessment is typically done by a control system integrator, who catalogs each system in the facility – from PLCs and HMIs to VFDs and IOT devices – its current state, any updates, patches, or upgrades that are needed, and the timeframe for each. Some integrators use NFPA 70B, the NFPA standard for Electrical Equipment Maintenance, as a template for the OT assessment due to its thoroughness in addressing equipment that interfaces with the control system. (If you aren’t familiar with NFPA 70B yet, take a look. It became a mandatory standard in 2023.)

Once the OT assessment is complete, the operations manager can prioritize actions and develop detailed plans to address each item, with a timeline that matches the budget, resources, and severity of the need. This plan can then be presented to upper management as a critical investment in both operational security and cybersecurity.

The team at Hargrove has broad experience in IT/OT and cybersecurity best practices and standards. If you’d like to get started with an OT assessment and develop a plan for OS upgrades, contact us today.