Technological progress cannot be undone, and Microsoft’s extended support is ending soon for two widely deployed products: Windows 7 and Server 2008. Microsoft wants everyone to upgrade so that hosts remain protected against newly discovered vulnerabilities. For asset owners, however, this raises a series of new questions and pain points whenever a host is physically deployed in the field.

The upgrade approach described here uses VMware vSphere Converter as an example to create “digital twins” or “virtual twins” of stand-alone Windows hosts, but other tools are available, including Microsoft’s own migration tooling.

In a vendor-agnostic fashion, the process is broken up into five steps:

  • Step 1 – Get Started with Inventory Information. Enumerate affected hosts and collect asset information for each, including configurations and associated risks.
  • Step 2 – Virtualize the First Host. Assuming a small, prioritized sample of affected low-risk assets and an adequate backup/recovery process and technology, virtualize the host by delivering the conversion software through a management solution.
  • Step 3 – Conclude Basic Testing. Engineer against consequence: the virtual twin moves to an environment where the upgrade/migration and incremental testing are performed with minimal impact and quick rollbacks should an error occur. Continue developing all documentation and automation where possible.
  • Step 4 – Roll Out Tested Procedures. Once testing has concluded for one asset, move on to the next asset with similar risk or priority, progressing from low to high, and document the process. Once a sufficient level of trust and risk appetite is met, consider a strategy for identifying another batch of devices for roll-out using the process laid out in Step 3. Iterate, improve and continue onwards unless barriers to an upgrade exist.
  • Step 5 – Legacy Exclusions & Conclusion. Not all systems can be upgraded (although most should be, given the nature of environments today). In these cases, examine compensating controls to reduce the risk exposure and vulnerability of these assets, with a focus on prevention and recovery.
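The inventory of Step 1, as an added example that is not part of the original post: a PowerShell script that lists every domain-joined Windows 7 and Windows Server 2008 host from Active Directory, flags hosts that have not logged on recently (likely already retired hardware rather than migration candidates), and writes a CSV with blank risk, owner and backup columns for the asset owner to fill in before Step 2. It assumes the ActiveDirectory RSAT module and read access to the domain; the output path, the 90-day staleness threshold and the column names are this example's own choices. Steps 2 to 5 depend on the chosen conversion tool and are not scripted here.

```powershell
# Added example (not from the original post): Step 1 inventory of hosts still
# running Windows 7 or Windows Server 2008 / 2008 R2, pulled from Active Directory.
# Assumes the ActiveDirectory RSAT module; the output path, the 90-day threshold
# and the hand-filled columns are assumptions made for this example.
Import-Module ActiveDirectory

$OutFile   = 'C:\Temp\eol-host-inventory.csv'   # assumed location
$StaleDays = 90                                  # assumed threshold

# Server-side filter: only the operating systems the post is about.
$Filter = "OperatingSystem -like 'Windows 7*' -or OperatingSystem -like 'Windows Server 2008*'"

$Hosts = Get-ADComputer -Filter $Filter `
            -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate, Description |
    Select-Object Name,
                  Enabled,
                  OperatingSystem,
                  OperatingSystemVersion,
                  OperatingSystemServicePack,
                  LastLogonDate,
                  Description,
                  DistinguishedName,
                  # No recent logon usually means the hardware is already gone: verify, do not convert.
                  @{ Name = 'LikelyStale'; Expression = {
                        ($null -eq $_.LastLogonDate) -or
                        ($_.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) } },
                  # Columns the asset owner completes before Step 2 (lowest risk goes first).
                  @{ Name = 'RiskTier';       Expression = { '' } },
                  @{ Name = 'Owner';          Expression = { '' } },
                  @{ Name = 'BackupVerified'; Expression = { '' } }

$Hosts | Sort-Object OperatingSystem, Name |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

"{0} end-of-life hosts recorded in {1}" -f @($Hosts).Count, $OutFile
```

Hosts that are not domain-joined (common for stand-alone OT workstations) will not appear in this output and have to be added to the inventory by hand or from a network asset inventory.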

Advantages of Compensating Controls:

  • Even if an upgrade is not possible, virtualization itself offers several advantages, such as leveraging economies of scale, easy backups, and quick restores/rollbacks
  • Reduces the risks of deployments and technology transitions
  • Documentable at each step of an upgrade or test by way of digital “snapshots”, which are complete artifact outputs that can be archived
  • As part of the bigger picture, it provides an opportunity to understand and standardize how assets are prioritized and how roadmaps/campaigns are built
  • Re-usable as a testing process component for any software updates and upgrades
  • Re-usable as a risk assessment exercise and process
  • You now have a virtual and digital twin of the asset

This isn’t an exhaustive guide, but it should help you get started with migrating to a virtualized deployment. The same process can also help you test legacy software on newer Operating Systems (OS), or convert systems to virtual ones so you can retire legacy equipment where possible.
