An inside look at Heliotropic Systems’ operations.
I spend a significant amount of time every month learning about new and improved technology and products from the vendors with which I partner. These vendors include familiar names such as Lenovo, SonicWall, Xerox, APC by Schneider Electric, SentinelOne, and Microsoft. Most of the solutions I obtain from these vendors are designed to help keep you secure while using your computers and network devices.
In the middle of September, I took a mere moment to look up an existing part number. I ended up spending more than 12 hours consuming a ton of new information to offer a more secure business solution. Let me explain.
I keep extensive lists of all hardware components for each of my small business clients. One of those components is a Network Management Card (NMC) found in higher-end APC UPS battery backup devices. NMCs manage, maintain, and report on the condition of the UPS device to which they are connected. I program NMCs to send email alerts when conditions differ from normal (e.g., electrical issues, or battery problems). I also use them to update the device’s firmware with security enhancements.
I was adding new equipment to one client’s Excel spreadsheet, and in doing so, pulled up the corresponding page in another client’s spreadsheet to copy over as a template. I noticed I had not filled in one attribute on the existing spreadsheet, so I logged into that client’s server, pulled up the component in a browser, and highlighted the attribute to copy it to the clipboard. As I did, I noticed that I had not rebooted the network device for more than one year.
That was very strange because I thought I had an Outlook reminder to update the firmware of these devices annually. It should have kicked off at the start of June. But after I looked through Outlook and confirmed the calendar entry, I reviewed my daily activity logbook and discovered I had not done the work. Several issues interrupted my day, and I lost track of the task. (Yes, I admit, that was very sloppy, and I’m pretty embarrassed about it.)
So, off I went to the vendor’s website to obtain the latest firmware. I pulled up the product page and was astonished when I found the part was labeled “Obsolete – End of Life.” It was incredibly annoying that I did not know about the change. I stared at the page for a while, wondering: How could I have missed that announcement?
The vendor is APC by Schneider Electric, and I have been a partner since shortly after I started servicing home users and small business owners in 2008. I called APC Partner Tech Support and asked to speak with someone about the change. Here’s what I learned.
In September 2018, the California State legislature introduced SB-327, which became effective on January 1, 2020. That law describes how organizations must control and manage Internet of Things devices. Specifically, it states that device manufacturers must:
equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
As a result of this law, APC had to find a way to ensure their Network Management Cards were compliant, because it was considered an IOT device. After considerable research, APC determined they would have to create an entirely new version of these cards. Thus, in October 2019, they announced new NMC3 cards. In addition to the change in hardware, APC also launched a new cloud-based service to monitor and manage all versions of NMC cards. This tool provides a single pane of glass view of all client sites and the devices they own, thus ensuring the components were up-to-date and secure.
One year later, in October 2020, APC announced the end of life of the NMC2 cards. (This is the announcement about which I was never notified.) As of that date, the clock started ticking for the last security update to NMC2 cards before they would be considered officially “end of life” in October 2022 — when I can no longer support them.
It has taken me more than two weeks to obtain the requisite information about the new cards, find out that there is no direct migration path to go from NMC2 to NMC3, and work with various APC technical teams to plan an appropriate migration scheme. Based on my phone conversations, Microsoft Teams meetings, and emails with APC technical support, it should take approximately one month to manually obtain the existing NMC2 card settings and build the commensurate NMC3 card settings per client site. My primary objective will be to maintain the current settings; a secondary goal will be to enable all the security settings that come with the new cards.
I cannot recall when I have announced a mandatory change in hardware almost a year in advance, nor can I recall implementing new software with less than a week’s warning. However, these changes are very unusual.
Announcement 1: I must replace all existing NMC2 cards with new NMC3 cards before next October. I realize that is quite a long time away, but I am announcing my summer 2022 activities now because multiple clients are affected. I want to give everyone the earliest possible notice — especially with the logistics problems I am encountering while trying to obtain computer equipment.
Announcement 2: I must implement the cloud-based monitoring service for each client that has these cards. It will provide me with a closer look at the condition, and more importantly, the age of the batteries and UPS devices I have installed at those sites. This is a giant technological leap from the Excel spreadsheets and scripts I currently use to manage and maintain this information. The downside, of course, is that there is a monthly fee for this offering. I understand that having additional costs is not something most small business owners want, especially now. Because this change is occurring at the “last minute,” I am going to waive the monthly software fee for the first month; billing will commence in November.
Further updates on the status of the new cards as well as available reports from the new software will appear in future newsletters.
Thanks, and safe computing!