Legacy OS Rant

I recently wrote an article exploring who should be responsible for supporting legacy operating systems in the semiconductor industry. Positionally, I believe it is a shared responsibility, but when I examine the operating system vendors' role I tend to lean towards assigning more responsibility to them. OS vendors have assigned an arbitrary date towards the end of support life on all of their OSes. I have to ask myself what the motivation and rationale for these dates are. MS claims that it can apply resources to newer, more secure features in newer operating systems. Or is it simply a matter of annual recurring revenue? No new product to sell means no new product revenue. What better way to get you to upgrade than de-supporting one product, forcing you into a decision to buy their new shiny OS or suffer through with no support and no updates on your perfectly good, well-functioning OS you have been using for the last three years?


The problem is compounded in semiconductor fabs. OEMs create tools to run for decades, not according to Microsoft’s arbitrary support timelines. Yes, the vendors and operators of these tools could attempt to upgrade them, but consider that you may be messing with a multi-million-dollar piece of equipment that is no longer producing during the upgrade process. These tools have been developed, built and tested with a specific OS. Upgrading or modifying the OS could cause significant downtime, if it is possible at all.


XP, which is still present in 4.9% of OT environments, has been out of support (extended) for 10 years now. According to TxOne Networks, 44.8% of operating systems in OT environments are running unsupported. That includes industries considered “Critical Infrastructure” like utilities, water, power, gas, not to mention military and manufacturing. Since these systems are mostly offline and getting an accurate estimate is nearly impossible, let’s look at one example that is quantifiable:

According to Computerworld and StatCounter, as of March 2024, 0.39% of desktops are still running Windows XP. Let’s do a little math. Microsoft claims there are 1.4 billion Windows PCs in the world, so that means we still have not quite 5.5 million XP computers up and running somewhere. That is just connected devices worldwide still running XP!


And let’s not forget… Microsoft officially announced at the end of April 2023 that 22H2 will be Windows 10's final version. This would mean that Windows 10 will be fully end-of-life by October 14th, 2025. How many of you have started the upgrade migration planning from Win 10? I would imagine, not a lot.


I believe 2025 will be an extremely trying year for many IT and OT operators alike. The writing is on the wall and MS does not give a shit. I believe it is time to put our collective thought process together and come up with a plan. Simply saying, “sorry, it’s EOL” is not OK any longer. At a minimum, software vendors should be held accountable for the critical security flaws in their products and continue to provide patches. This to me is the bare minimum. They wrote the code, and just abandoning it to the bad actors to compromise is unethical and unacceptable.


I would hope that, as a collective group and with the OS vendors' support, we could come up with a reasonable plan, but let's assign the blame and the responsibility for correcting the issue to those most culpable and also in the best position to fix the problem.
