Technological progress cannot be undone, and Microsoft's extended support is ending soon for two widely deployed products: Windows 7 and Windows Server 2008. Microsoft wants everyone to upgrade so that hosts keep receiving fixes for newly discovered vulnerabilities. For asset owners, however, this raises a series of new questions and pain points wherever a host is physically deployed and cannot simply be replaced.

This Windows-host upgrade approach uses VMware vSphere Converter as an example tool for creating "digital twins" or "virtual twins" of stand-alone hosts, but other tools are available, including Microsoft's own migration tooling.

In a vendor agnostic fashion, the process is broken up into five steps:

  • Step 1 – Get Started with Inventory Information. Enumerate the affected hosts and collect asset information for each, including configurations and associated risks.
  • Step 2 – Virtualize the First Host. Starting from a small, prioritized sample of low-risk affected assets, and assuming an adequate backup/recovery process and technology, virtualize the host using conversion software delivered through a management solution.
  • Step 3 – Conclude Basic Testing. Engineer against consequence: the virtual twin is moved to an environment where the upgrade/migration and incremental testing can be performed with minimal impact and quick rollbacks should an error occur. Continue developing documentation and automation wherever possible.
  • Step 4 – Roll Out Tested Procedures. Once testing has concluded for one asset, move on to the next asset of similar risk or priority, working from low to high, and document the process. Once a defined level of trust has been established within the organization's risk appetite, identify the next batch of devices and roll them out using the process laid out in Step 3. Iterate, improve and continue until a barrier to upgrading is reached.
  • Step 5 – Legacy Exclusions & Conclusion. Not all systems can be upgraded (although most should, given the nature of environments today). For those that cannot, examine compensating controls that reduce the risk exposure and vulnerability of these assets, with a focus on prevention and recovery.
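The inventory, batching and exclusion logic in Steps 1, 4 and 5 is mechanical enough to script. The following is an added example (not code from the original post or from any vendor tool) that takes an inventory export, keeps only hosts running the two affected products, sets aside hosts that cannot be upgraded for compensating controls, holds back hosts with no verified backup (the precondition in Step 2), and orders the remainder from low to high risk in fixed-size batches. The CSV columns, hostnames and risk ratings are constructed for illustration; a real inventory would come from AD, a CMDB or an asset-discovery tool.

```python
import csv
from io import StringIO
from typing import Dict, List

# Constructed sample inventory (hypothetical hosts, not from any real environment).
# In practice this would be an export from AD, a CMDB or an asset-discovery tool.
SAMPLE_INVENTORY = """hostname,os,role,risk,upgradeable,backup_verified
hmi-01,Windows 7,HMI,high,yes,yes
eng-ws-02,Windows 7,Engineering workstation,low,yes,yes
hist-01,Windows Server 2008 R2,Historian,medium,yes,no
lab-pc-03,Windows 7,Test bench,low,yes,yes
plc-prog-04,Windows 7,Vendor programming laptop,medium,no,yes
dc-01,Windows Server 2019,Domain controller,high,yes,yes
file-01,Windows Server 2008,File server,low,yes,yes
"""

# The two products whose extended support is ending; prefix match covers editions and R2.
AFFECTED_OS_PREFIXES = ("Windows 7", "Windows Server 2008")

# Step 4 works from low to high risk, so lower numbers are scheduled first.
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def load_inventory(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per host (Step 1)."""
    return [{k: v.strip() for k, v in row.items()} for row in csv.DictReader(StringIO(text))]


def is_affected(host: Dict[str, str]) -> bool:
    """True if the host runs one of the products losing extended support."""
    return host["os"].startswith(AFFECTED_OS_PREFIXES)


def plan_migration(text: str, batch_size: int = 2) -> Dict[str, list]:
    """Split affected hosts into rollout batches, backup-blocked hosts and legacy exclusions.

    - compensating_controls: hosts marked not upgradeable (Step 5)
    - blocked_no_backup: upgradeable hosts that fail the Step 2 backup precondition
    - batches: remaining hosts, ordered low -> high risk, in batches of batch_size (Step 4)
    """
    affected = [h for h in load_inventory(text) if is_affected(h)]

    exclusions = [h["hostname"] for h in affected if h["upgradeable"].lower() != "yes"]
    blocked = [
        h["hostname"]
        for h in affected
        if h["upgradeable"].lower() == "yes" and h["backup_verified"].lower() != "yes"
    ]
    ready = sorted(
        (h for h in affected
         if h["upgradeable"].lower() == "yes" and h["backup_verified"].lower() == "yes"),
        key=lambda h: (RISK_ORDER.get(h["risk"].lower(), len(RISK_ORDER)), h["hostname"]),
    )
    batches = [
        [h["hostname"] for h in ready[i:i + batch_size]]
        for i in range(0, len(ready), batch_size)
    ]
    return {
        "batches": batches,
        "blocked_no_backup": blocked,
        "compensating_controls": exclusions,
    }


if __name__ == "__main__":
    plan = plan_migration(SAMPLE_INVENTORY)
    for n, batch in enumerate(plan["batches"], start=1):
        print(f"Batch {n} (virtualize, test, document, then proceed): {', '.join(batch)}")
    print("Hold until backup verified:", ", ".join(plan["blocked_no_backup"]) or "none")
    print("Legacy exclusions (compensating controls):",
          ", ".join(plan["compensating_controls"]) or "none")
```

Hosts in an unknown risk category sort last rather than being dropped, so a gap in the inventory shows up at the end of the schedule instead of silently disappearing. The gate between batches (only proceed once the previous batch is tested and documented) is a human decision and is deliberately left out of the script.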

Advantages of Compensating Controls:

  • Even if an upgrade is not possible, virtualization itself offers several advantages, such as economies of scale, easy backups, and quick restores/rollbacks
  • Reduces the risks of deployments and technology transitions
  • Documentable at each step of an upgrade or test by way of digital "snapshots", which are complete artifact outputs that can be archived
  • As part of a bigger picture, it provides an opportunity to understand and standardize how assets are prioritized and how roadmaps/campaigns are built
  • Re-usable as a testing process component for any software update or upgrade
  • Re-usable as a risk assessment exercise and process
  • You now have a virtual and digital twin of the asset

This isn't an exhaustive guide, but it should help you get started with migrating to a virtualized deployment. The same process can also help you test legacy software on newer Operating Systems (OS) or convert physical systems to virtual ones so that legacy equipment can be retired where possible.
