Three properties make hardware devices uniquely difficult to secure compared to traditional computers:
These three properties combine into a scenario where a device is: permanently on the network, running software that cannot be updated by the owner, for a period of years β often past the point where the manufacturer supports it.
| Phase | What It Means | Still Sold? | Patches Available? | Action Required |
|---|---|---|---|---|
| Active Support | Product sold and fully supported | β Yes | β Yes | Apply patches when released |
| End of Life (EOL) | No longer sold; support may continue | β No | β οΈ May still be available | Begin replacement planning |
| End of Service Life (EOSL) | No longer sold; all support ended | β No | β No β vulnerabilities unpatched forever | Apply compensating controls; replace urgently |
| Legacy (Post-EOSL) | Device still running despite EOSL | β No | β No β accumulating CVEs | Segment, firewall, IPS; replace as soon as operationally possible |
The critical distinction: EOL = no longer sold but still supported. EOSL = no longer sold AND no longer supported. Many people confuse the two.
Traditional OS (Windows / Linux)
- Owner has full access to the OS
- Patches downloadable independently
- Admin can apply updates on any schedule
- Multiple third-party tools can assist
- Vendor patches typically within daysβweeks
- Owner controls the patch timeline
Firmware (Hardware Device)
- Owner cannot access or modify the firmware
- Updates released only by the manufacturer
- No patch unless the vendor writes and ships one
- No third-party patching possible
- Vendor patches may take months to years
- Owner has zero control over patch timeline
The Trane case demonstrates the real-world gap: Windows patches in days to weeks; Trane firmware patches in 12β22 months.
When a hardware device cannot be replaced immediately and patches are unavailable, three layers of compensating controls reduce (but cannot eliminate) the risk:
Create strict firewall rules that allow only the specific management systems that need to reach the device. Block all other inbound and outbound traffic. An attacker who cannot connect to the device cannot exploit it.
Deploy IPS signatures written for the specific firmware version and OS on the device. These signatures detect known exploit patterns at the network layer and block them before they reach the device.
Move the device into a separate VLAN with no direct path to other network segments. If the device is compromised, the attacker's lateral movement is contained by the segment boundary.
Critical caveat: Compensating controls are not a permanent solution. They buy time while replacement is planned and funded. The only true remediation for an EOSL device is replacement.
| Environment | Device Examples | Risk if Compromised |
|---|---|---|
| Office / Commercial | HVAC controllers, badge readers, IP cameras, time-clocks | Physical access bypass, network pivot, surveillance |
| Industrial / OT | PLCs, industrial sensors, process controllers, SCADA endpoints | Production disruption, safety risk, data exfiltration |
| Home / Consumer | Smart thermostats, door locks, light bulbs, refrigerators | Network pivot, privacy violation, botnet recruitment |
| Healthcare | Medical devices, infusion pumps, patient monitors | Patient safety risk, data breach, regulatory violation |