On October 14th, Windows 10 will be retired, and Microsoft will no longer push patches or updates to systems on that operating system.
It is crucial for companies to make the jump to Windows 11 now—or risk being exposed to critical vulnerabilities. This is especially important for Industrial Control Systems (ICS), which often run on legacy systems.
Failing to transition could mean putting components like PLCs (Programmable Logic Controllers), SCADA (Supervisory Control and Data Aquisition) systems, HMIs (Human-Machine Interfaces) and the critical infrastructure they support at risk.
What Retiring Windows 10 Means for Users
After the retirement date, Windows 10 users will no longer receive bug fixes or Microsoft support for technical issues affecting the stability, security, or usability of their machines. The affected Windows 10, version 22H2 editions include: Home, Pro, Enterprise, Education, and IoT Enterprise, according to the company’s message center update.
For those that want to keep Windows 10 running with full support beyond the deadline, a couple of options are available. They can:
Enroll in the Extended Security Updates (ESU) program for $61 per month, or for free if they enable Windows Backup or use Microsoft Rewards points to enroll. This option is also available for Windows 10 devices that access Windows 11 Cloud PCs via Virtual Machines and Windows 365.
Transition to LTSC (Long-Term Servicing Channel) Releases, designed to support specialized devices such as those supporting medical and industrial equipment. These Windows and Windows Server versions favor a longer lifecycle of security updates and stability, in lieu of frequent feature updates, and extend as far as 2029.
This decision comes in a point when Windows 11 installs have tipped the scales, running on 53% of all Windows Systems according to Statcounter Global Stat, compared with only 47% on Windows 10.
What This Means for Industrial Control Systems and Industrial Environments
Industrial environments are rife with Industrial Control Systems still operating on legacy technologies and Windows 10 is one more addition to that long list. As CISA notes, these original tools and protocols were “due to their original design priorities, which focused on operability and reliability rather than cybersecurity.”
Priorities have obviously changed since then, and the risk that legacy systems now introduce to industrial and critical infrastructure environments is unsustainable. A recent survey indicated that 43% of OT and ICS decision-makers reported cyber incidents on their legacy OT systems within the past twelve months.
Outdated legacy systems, unmoored from regular patches and updates, present a critical entry point for attackers and put the entire network at risk. Now, AI makes the task of finding vulnerabilities within these systems even easier – and as much as 62% faster. As noted on a recent article on CSO, “AI can be used to quickly learn what types of emails are being rejected or opened, and in turn modify its approach to increase phishing success rate.”
Running an outdated Windows 10 does more than put industrial environments a bit behind—it leaves them exponentially more unprotected in the era of AI than they would have been at any other time.
The Importance of Asset Inventory
Critical infrastructure organizations would do well to take stock of their assets and see how many workstations will be affected by the Windows 10 retirement. But the practice shouldn’t stop there.
IT asset discovery is the first step to network transparency, and uses automation to identify, catalog, and monitor the IT assets (both software and hardware) in your environment.
Teams can do this with Tripwire Data Collector (TDC), an extension that allows Fortra's Tripwire Enterprise (TE) to assess compliance and look for changes on industrial devices, integrating with a range of intermediary industrial software packages to gather configuration data and more with a proprietary “no touch” approach.
Securing Legacy Industrial Control Systems with Security Configuration Management
While some industrial organizations will make the switch, others will take on the task in a more phased approach. To cover security gaps in the interim, it is vital to add additional layers of defense.
Fortra’s Security Configuration Management (SCM) is another key solution to ensure compliance and configuration alignment on legacy industrial systems. With Fortra’s Tripwire, organizations will be able to define acceptable parameters and security baselines, then monitor when device policies and changes step beyond that boundary, pulling them back into compliance again.
Attackers can just as easily enter through a configuration error as through a Microsoft software vulnerability that was present when it shipped.
Transitioning to Windows 11 will definitely keep critical infrastructure organizations on the safe side of the line where Microsoft-side fixes and updates are concerned. But without additional tools from Fortra, those same companies will be left open to different, and just as dangerous, attacks.
Cybersecurity for Your Industry
Your industry is unique. Your cybersecurity stack should be, too. Fortra® offers cybersecurity solutions to meet the challenges and compliance requirements of industries around the world.
