What Windows 10 End of Life Means for BAS Teams
Windows 10 will reach its end-of-life (EOL) date this week. If your building automation system runs on Windows 10, it’s time to update. Microsoft will not provide security or feature updates. Newly discovered vulnerabilities will not be patched.
The risk to your infrastructure of using unpatched devices only grows over time.
That’s because all software contains existing undiscovered vulnerabilities. And it is also vulnerable to future software exploitation techniques not yet thought of.
In our experience, BAS teams are not great at software updates. We routinely see Windows 7-based servers in service. Windows 7 as an operating system saw its end-of-life in 2020.
IT vs. OT Update Cycles are Dramatically Different
Part of the issue is that facility teams are often not required to update the BAS software. These systems have a very long product lifecycle – between 15 and 25 years. If Windows operated on the BAS timeline, Windows 7 – and its predecessor, Windows Vista – would still be working options.
IT technologies like these have lifecycles of between 3 and 5 years. The vast majority of BAS servers run on Windows 10. Analysts say that up to 60% of PCs in the world run on Windows 10. We think that percentage also applies to BAS servers.
Another issue is that most folks purchase a BAS through a mechanical contractor. Having these vendors upgrade these systems means added markups, and a middleman who doesn’t understand how to install or manage the technology but provides the infrastructure that it runs on top of.
Risks of Unsupported Software
Running unsupported software means increased risk of compromise in your corporate IT environment. If the upgrade doesn’t happen in a reasonable timeframe, IT may insist that your BAS is air gapped. This will reduce the possibility of remotely connecting to the system, which means more sleepless nights for the on-call techs. Unsupported software also means higher maintenance costs and a lack of tech support, both of which only get worse over time.
Four Steps to Consider
If facing Windows 10 EOL for your BAS, here are some suggested next steps:
Step 1 – Identify your Windows 10 version. If you have the standard version, you need to upgrade. The other option is Windows 10 IoT Enterprise LTSC (Long-Term Servicing Channel). If you have the 2021 version, you can wait until 2032 to upgrade. However, the 2019 version has reached EOL. These servers also need to be replaced/upgraded.
Step 2 – Check your servers for Windows 11 compatibility. There are processor and RAM requirements. But the main issue is that the server must support Trusted Platform Module v2.0. TPM is a chip that helps with encryption and other security functionality. More recent Windows 10 servers may have TPM hardware. But not all will. Software-based TPM is not recommended.
Step 3 – Check your BAS software for compatibility. Some legacy systems can’t run on Windows 11. This can cause a short-term financial problem for legacy facilities budgets that do not incorporate software maintenance costs associated with their installed BAS lifecycle. To satisfy IT’s need for cybersecurity, the only option is to upgrade the legacy BAS to one that is Windows 11 compatible. This is an opportunity to talk about sharing costs between facilities and IT budgets as the BAS is a system that overlaps with both stakeholders.
Step 4 – Take some time to consider your options. Yes, the Windows 10 situation needs prompt attention. But after Oct. 14, the software will continue to operate. It may be relatively secure for up to a few months. So, you do have the time to make a good decision and work with IT to find budget and technical paths forward. If you can’t upgrade, Microsoft is offering a limited time extension for a fee. More details are available from Microsoft under Windows 10 Consumer Extended Security Updates (ESU).
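The inventory in Steps 1 and 2 can be collected with a short script. The following PowerShell is an added example, not part of the original article or any vendor tool; the function name Get-BasUpgradeReadiness is hypothetical, and it only reports what the server has, leaving the lifecycle decision to the guidance above.

```powershell
# Added example: run in an elevated PowerShell session on the BAS server
# (reading Win32_Tpm requires administrator rights).
function Get-BasUpgradeReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild

    # Step 1: LTSC editions report an EditionID ending in "EnterpriseS";
    # build 17763 is the LTSC 2019 release, build 19044 is LTSC 2021.
    $isLtsc = $cv.EditionID -like '*EnterpriseS'
    $ltscRelease = switch ($build) {
        17763   { 'LTSC 2019' }
        19044   { 'LTSC 2021' }
        default { 'unrecognised build' }
    }
    if (-not $isLtsc) { $ltscRelease = 'n/a (standard edition)' }

    # Step 2: TPM as seen by Windows, read from the TPM WMI provider.
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Step 2: installed RAM and processor details.
    $ramGB = [math]::Round(((Get-CimInstance Win32_PhysicalMemory |
                Measure-Object -Property Capacity -Sum).Sum / 1GB), 1)
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        ProductName = $cv.ProductName
        EditionID   = $cv.EditionID
        Build       = $build
        LtscRelease = $ltscRelease
        TpmVersion  = $tpmVersion
        HasTpm20    = ($tpmVersion -eq '2.0')
        RamGB       = $ramGB
        MeetsRamMin = ($ramGB -ge 4)          # Windows 11 minimum is 4 GB
        Cpu         = $cpu.Name
        CpuCores    = $cpu.NumberOfCores
        Cpu64Bit    = ($cpu.DataWidth -eq 64)
    }
}

Get-BasUpgradeReadiness | Format-List
```

The reported CPU model still has to be checked against Microsoft's list of processors supported for Windows 11, and the BAS software check in Step 3 remains a vendor question.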
BAS Service Partner Team can Help with Upgrades
If you move forward with upgrading, call in your building automation service partner team. We do upgrades all the time and can help you develop a plan. Your service contract may also provide preferred rates.
Another option is a Private Cloud Server. This managed services option includes upgrades as well as security, uptime and other server metrics. And because the server comes off the network, your corporate IT department no longer has to secure, monitor, and patch the system in coordination with your BAS service partner and their controls manufacturer’s patching cycle.
If you need to upgrade your BAS, it’s even more important to call in your building automation team. Upgrading the BAS may introduce incompatibilities that can have a snowball effect on the replacement system – and the budget. Your team will help to minimize the impact.
The upside of this upgrade scenario is that it can open the eyes of management to the need for IT-like lifecycle budgeting. This way the cost of obsolescence doesn’t sneak up on the facilities team when Windows 11 is EOL.
Conclusion
The Windows 10 end of life for your BAS is a call to action. You need to update your OS. Whether that’s to Windows 11 or to a Private Cloud Server is your call. But also realize that an EOL scramble will probably happen again over the life of your BAS. So, use this month’s event to ensure your budgeting reflects the growing IT influence in your BAS. These technologies bring better functionality and access. But they also bring a shorter lifespan, which challenges our thinking about when and how to upgrade our systems.






