More Than Computers
Carlos's manager hands him an assignment: audit the network for vulnerable devices. He starts with what he knows β Windows servers, workstations, switches, firewalls. Then his manager walks him to the factory floor. "What about these?" She gestures at a row of industrial controllers, HVAC management panels, time-clock terminals, badge readers, and IP cameras. "All of these are on the network. All of them have software running inside. Do any of them get patched?"
Carlos doesn't know. He has never touched most of them. "That's the problem," she says. "These devices have operating systems inside β sometimes versions of Linux, sometimes proprietary software β but we can't log into them and run updates the way we do a Windows box. They just sit there, doing their job, connected to the network, running whatever software the manufacturer shipped years ago." She adds: in the building lobby, there are smart door locks. In the server room, a networked environmental monitor. In the break room, a smart refrigerator someone connected to the office Wi-Fi. "The security landscape isn't just your servers anymore," she says. "It's everything."
The Operating System You Can't Touch
Carlos asks the logical question: "If these devices have software, why can't we update them?" His manager explains firmware. "Firmware is the software baked into the hardware β the OS that makes a thermostat be a thermostat or a camera be a camera. You can't just download a patch from Microsoft and apply it. The only people who can update the firmware are the people who wrote it β the manufacturer. They control the code. They control when patches come out. If they decide not to release a patch, or they take a year to do it, there's nothing we can do except wait or replace the device."
She pulls up a case study. Trane ComfortLink II smart thermostats β the kind used in commercial buildings to control HVAC remotely from a phone. Security researchers discovered three vulnerabilities in April 2014. They notified Trane. Trane took until April 2015 β a full year β to release a patch for two of the vulnerabilities. The third wasn't fixed until January 2016, nearly two years after the initial disclosure. "Compare that to Windows," she says. "Microsoft patches vulnerabilities within days to weeks, usually on a fixed monthly schedule. A year is an eternity in security terms. And during that entire time, anyone who knew about those vulnerabilities could exploit every unpatched Trane thermostat on a network."
The First Warning Sign
Carlos begins inventorying the plant's devices and discovers several that have received EOL notices from their manufacturers. He asks what that means. "End of Life β EOL β is the manufacturer telling you: we are no longer selling this product," his manager explains. "But crucially, at EOL, they haven't necessarily stopped supporting it. You can still get security updates. You can still call their help desk. The device still exists in their support system. It's just that if you need a new one, you can't order it anymore."
She emphasizes why it still matters: "EOL is a signal that support will eventually end. It's your warning to start planning a replacement. If you ignore the EOL notice and three years later the manufacturer announces they're ending support entirely, you've lost the time you could have used to plan and budget for replacement. Think of EOL as a yellow traffic light β you still have time, but the red is coming."
The Real Deadline
Among the devices Carlos finds in inventory, two have passed a more serious threshold: End of Service Life β EOSL. "This is the critical one," his manager says. "EOSL means the manufacturer is completely done. No more security patches. No more bug fixes. No more support calls. The vulnerability database keeps growing. New attack tools target old firmware versions. And the manufacturer's answer to every question is: buy a new one." She pauses. "Some vendors offer extended paid support β a premium contract that buys you another year or two of patches. But it's expensive, it doesn't last forever, and eventually even that ends."
Carlos looks at the two EOSL devices. Both are industrial sensors embedded in the manufacturing line β they've been running for eight years and are physically part of the production equipment. Replacing them means halting the production line. "This is why EOSL is a crisis," his manager says. "The device is doing its job perfectly. The hardware still works. But every day it runs without patches, it's an undefended door into your network. You need a plan β and you need it before a researcher or attacker finds the next CVE for that firmware version."
When Replacement Isn't an Option Yet
Carlos and his manager draft a mitigation plan for the two EOSL sensors while the long process of replacing the production equipment is initiated β a project that will take 18 months to engineer, budget, and implement. "We can't just turn them off," Carlos says. "But we can't leave them wide open either." His manager agrees. "This is what we call a legacy platform situation. The device stays because business continuity demands it. But we compensate with additional controls."
They implement three layers. First, firewall rules: instead of allowing the sensors to communicate freely across the network, Carlos creates strict rules that allow only the specific management system that needs them to reach them β all other inbound and outbound traffic is blocked. Second, IPS signatures: Carlos adds intrusion prevention signatures specifically written for the firmware version running on those sensors, so any known exploit attempt is detected and blocked at the network level. Third, network segmentation: the sensors are moved into an isolated VLAN with no path to the corporate network or internet without passing through the firewalled perimeter. "It's not a fix," his manager says. "The vulnerability is still there. But we've made it much harder to reach. And we're replacing the equipment. That's the path forward β interim mitigation plus a committed replacement timeline."