To upgrade or not to upgrade?
I recently installed a new boiler at home. After an undisclosed number of hours well spent, I got it integrated nicely with my increasingly smarter home. Several automation routines could now tell the boiler what temperature to use (hello home-automation communities!).
Over the next couple of weeks all our guests had to listen how marvelously this worked, and they only had to fake their interest a little. But then one morning the shower was freezing cold, and other family members appreciation for our smarter home dropped quite rapidly.
Apparently, the boiler had performed a firmware upgrade during the night and broken my once perfect integration.
This shines light on one of the major contradictions in the security industry today: whether firmware updates help or hinder the integrity of systems. Many abstain from firmware upgrades as, once they have purchased a system and it fulfills the purpose, they reason that there is no need to undertake a costly upgrade and risk system compatibility.
The reluctance to perform upgrades is understandable. New firmware might require an update of third-party software to maintain compatibility and – guess what – that new version requires a new OS which is not supported by your current hardware. It is enough to have been down this road once to understand why the motivations for an upgrade will be scrutinized.
However, by not updating the system, over time businesses are exposing themselves to an increasing risk. If their system is not regularly maintained through an update, the firmware will become susceptible to security vulnerabilities which can cause serious financial damage or system down time. The last couple of years show an increasing number of security attacks. Unpatched systems are one of the first things targeted. It also causes businesses to miss out on the stability improvements, preventing them from reaping the benefits of their equipment.
Damned if you do and damned if you don’t
This results in a practical requirement for a solution that mitigates risks and vulnerabilities encountered from ignoring a system upgrade. Ideally, such a system should allow businesses to obtain regular maintenance for the system, without disrupting the existing system compatibility. It is not enough to have a long period of guaranteed software support, you also need to be confident that each upgrade will not create havoc with your system.
The IT industry has for long been exposed to this problem and there the concept of Long-term Support (LTS) releases is known as a good remedy. Specific branches receive only security and stability improvements but no new features, keeping compatibility changes to a minimum. This allows quicker patching without the need to re-qualifying the entire system. With the correct firmware track adopted, the fear of upgrading can be effectively addressed and in the long run regular firmware maintenance is a beneficial investment to make.
My hope is that eventually firmware upgrades in the security industry will be viewed with less drama. Adopting best-practices solutions like LTS, which resolves many of the concerns raised, make the question in the title this post redundant, and hopefully supplies warm water for everyone.
Find more information about Axis LTS release tracks here.