Vendor patching and older systems
While discussing the recent turbine loss of control issue, I was reminded of a software version issue that I first encountered during Y2K. That is the issue of how long vendors will support older versions of software. This issue is not unique to control systems as can be seen with pending loss of Microsoft support for Windows XP, but loss of vendor support for older versions of software certainly affects control systems. Generally, a vendor will support the current version and possibly two versions back. However, that excludes a significant amount of control system software from many vendors that is still in use in critical infrastructure applications such as Fisher Provox, Honeywell TDC2000, Westinghouse WDPF, Bailey Infi90, L&N MAX1, etc. The recent turbine loss of control incident demonstrates that problems with a vendor patch (security or other) can be more than just a nuisance but can affect operation. It can also potentially impact regulatory compliance if vendor support is no longer available. The general thought is that end-user needs to purchase a separate support package for maintaining these “obsolete” systems. The question becomes will vendors still have the in-house expertise available to address these older systems that are no longer being supported.