
Why is it that we keep our mobile devices and laptops patched very regularly, but not the IoT devices surrounding us everywhere?
Logically speaking, isn’t it more important to patch devices that are on their own, doing something important at work or home?
However, the exact opposite is today's reality. We update our mobile devices regularly because something pops up announcing the availability of the upgrade, we give the go-ahead and, in a few minutes, it's done! The experience with IoT devices is very different. Some device vendors do provide an auto-update capability, but most enterprises typically turn it off, because auto-updates know neither the best time to apply updates nor which ones to apply first.
Read on to find out how AI is changing this today.
Problems to tackle
Are there updates pending?
The first problem is knowing when updates are available for your devices. An enterprise has many types of IoT devices, each type coming from multiple vendors in various models. To start with, even knowing the current firmware version on a device is not easy unless you have robust asset management.
Getting the firmware bits
Each vendor's website behaves and organizes information differently. You need to navigate these sites to find out whether there are any updates for your device, model and current version. Once you are convinced that you need to upgrade, you have to figure out the authentication the website requires for downloads, download the bits, validate the checksum and transfer the file to the system from which you will push the upgrade.
Precautions before rolling out the upgrade
There are some tricky things to consider before actually pushing the bits to the devices. The first is to validate the upgrade on a low-risk device to ensure everything goes well. While it's rare, there have been instances of updates bricking devices.
Some upgrades take multiple steps, especially if you are going from one major version to the next and your current version is not considered the bridge version. Say you are on v10.3.2 and wish to upgrade to v11.3.4, then you may first need to upgrade to the bridge version v10.4.1 before making the jump to 11.x. In some cases, there may be multiple hops, depending on how old your current version is.
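The hop planning described above can be worked out mechanically. The following is an added example, not code from the original article or any vendor: it assumes each release publishes the minimum installed version it can be applied from, and the release table, `parse` and `plan_hops` are constructed for illustration.

```python
from collections import deque

# Constructed release table (not a real vendor's). Each release maps to the
# minimum installed version from which it may be applied directly.
RELEASES = {
    "9.8.0": "9.0.0",
    "10.4.1": "9.8.0",   # bridge release for the 11.x line
    "11.3.4": "10.4.1",
}

def parse(version):
    """Turn 'v10.3.2' or '10.3.2' into a comparable tuple (10, 3, 2)."""
    return tuple(int(part) for part in version.lstrip("v").split("."))

def plan_hops(current, target, releases=RELEASES):
    """Return the shortest ordered list of releases to install to get from
    current to target; raise ValueError when no supported path exists."""
    current, target = current.lstrip("v"), target.lstrip("v")
    if target not in releases:
        raise ValueError(f"unknown target release {target}")
    if parse(current) >= parse(target):
        return []  # already at or past the target; never downgrade implicitly
    queue, seen = deque([(current, [])]), {current}
    while queue:  # breadth-first search, one edge per allowed direct upgrade
        installed, path = queue.popleft()
        for release, min_from in releases.items():
            if release in seen or parse(release) > parse(target):
                continue
            newer = parse(release) > parse(installed)
            allowed = parse(installed) >= parse(min_from)
            if newer and allowed:
                if release == target:
                    return path + [release]
                seen.add(release)
                queue.append((release, path + [release]))
    raise ValueError(f"no supported path from {current} to {target}")

if __name__ == "__main__":
    print(plan_hops("v10.3.2", "v11.3.4"))
```

A device too old to reach any bridge release raises an error instead of receiving an unsupported direct jump.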
Another thing to consider is the compatibility of the new firmware with other devices or applications integrated with your IoT device, for example video recording/analytics software that integrates with surveillance cameras. Many vendors test for compatibility with other devices and publish reports on their websites. Cross-verifying this compatibility is critical but not easy.
Last but not least are certain rare (but possible) scenarios where a firmware upgrade requires a factory reset. In these cases, you need to back up the device configuration before the upgrade and restore it afterwards.
The actual rollout of upgrades
It goes without saying that any fleet-wide upgrade is done in a rolling fashion, to ensure that the entire fleet isn't offline at the same time for the upgrade. The best practice is to define rings of device groups that are progressively upgraded. These are defined in such a way as to avoid going completely blind in any area of the enterprise.
Last but not least is to schedule the rollout at a time that will have the least impact on business. This is typically late at night over the weekend.
Enter AI Agents
What if AI can make this entire process very easy, without compromising on anything? How – you ask?
What you need is a cluster of AI Agents, each specializing in a particular task and all of them coordinating the whole effort among themselves.
Discovery Agent
Let's start with the first AI Agent, which crawls the device vendor's website, say weekly, to identify any new firmware releases for the models you have. It also collects information on the vulnerabilities that exist in the older versions you may be running. The severity of these vulnerabilities should help you prioritize which devices need to be upgraded first.
While doing the above, the Discovery AI Agent also collects support expiry dates for the various models. This should help you plan the budget for replacing devices.
Depending on the other devices and applications you run in your environment, compatibility data between them and your IoT devices is also fetched.
You now get a notification, something like "You have 125 devices that are due for a firmware upgrade". You click that link to view the list of devices, their model, current firmware, vulnerability count, location, purpose, etc.
You pick the devices that you want to upgrade first and review the details of the target firmware version, e.g. the count of hops needed, whether it is a patch release or Long Term Support (LTS), compatibility details, etc., as mentioned earlier.
This is where you hand over the work to the next AI Agent.
Firmware Upgrade Agent
This Agent takes your list and first analyzes the work to be done. It checks whether the required firmware bits have already been downloaded from the vendor's website and, if not, engages the Firmware Download Agent to download the bits and validate the checksum.
Once all the bits are downloaded, the Firmware Upgrade Agent sequences the upgrades, starting with the devices that have the lowest risk (expressed by you using tags), to confirm that the device is functional after the upgrade. If all goes well, it proceeds with the remaining devices.
Multi-step upgrades and backup/restore of configuration for factory resets are handled automatically. If any upgrade fails, the device is rolled back to the older version (assuming the device supports it) and you get detailed logs with a root cause summary. Once the entire fleet is upgraded, you get a report on what was done and the time taken.
You can also do a dry run to see the entire plan without actually touching a single device.
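The ring-based rollout, lowest-risk-first sequencing and dry run described above can be sketched as follows. This is an added example, not the product's or the article's own code: the inventory, the `low`/`medium`/`high` tag vocabulary and the function names are assumptions, and "at most one device per area per ring" is a deliberately conservative reading of "avoid going completely blind in any area".

```python
from collections import defaultdict

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}  # assumed tag vocabulary

# Constructed inventory: (device id, area it covers, operator-assigned risk tag)
FLEET = [
    ("cam-01", "lobby", "low"), ("cam-02", "lobby", "high"),
    ("cam-03", "dock", "medium"), ("cam-04", "dock", "high"),
    ("cam-05", "dock", "low"), ("cam-06", "vault", "high"),
    ("cam-07", "vault", "high"),
]

def build_rings(fleet):
    """Group devices into ordered rings: a device never lands earlier than
    its risk tag allows, and never in the same ring as a same-area peer."""
    by_area = defaultdict(list)
    for device, area, risk in fleet:
        by_area[area].append((RISK_ORDER[risk], device))
    rings = defaultdict(list)
    for area in sorted(by_area):
        last = -1
        for rank, device in sorted(by_area[area]):
            last = max(rank, last + 1)
            rings[last].append(device)
    if not rings:
        return []
    return [sorted(rings[i]) for i in range(max(rings) + 1)]

def rollout(rings, upgrade, dry_run=True):
    """Walk the rings in order and return a log of (ring, device, status).
    A dry run touches nothing; a live run stops after the first ring that
    contains a failure, so later rings stay on the old firmware."""
    log = []
    for number, ring in enumerate(rings):
        failed = False
        for device in ring:
            if dry_run:
                log.append((number, device, "planned"))
                continue
            ok = upgrade(device)  # caller-supplied function, returns bool
            log.append((number, device, "ok" if ok else "failed"))
            failed = failed or not ok
        if failed:
            break
    return log
```

With the constructed fleet, the two high-risk vault cameras end up in different rings, so the vault is never left without coverage during its upgrade.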
Sounds exciting? Want to see this in action? Contact us.