Re: GCHQ and Patches
Yes, I have done that. 15 years ago borked an NMR (same as MRI) machine with an update. And felt very stupid for trying to be Mr IT security. It was totally secure because nothing worked!
It took us the best part of a week to repair the power amplifier that had self destructed as a result of the 'patch'.
I'm afraid this is why most people in the science field leave things like this well enough alone.
Most of the instrument architecture is in itself utterly not secure and relies on the separation of the LAN ethernet connection to the private ethernet connection to the instrument. On the other hand what goes on inside these things is so obscure that the number of people who really truly understand the workings is absolutely tiny. I still get calls from former colleagues asking how does XYZ control ABC after 15 years away from it.
And that is the issue the number of people who understand enough of the physics and electronics and experimental needs to sort these things is measured in a few hundred on the entire planet. There are literally two labs in the UK that would really understand an NMR or MRI from one end to the other. Lots, relatively, understand the physics bit, a few understand enough of the electronics to fix bits of it and virtually nobody understands the instrument firmware.
The best solution is to remove any browsers or email clients on the instrument control computer (and anything else that is not 100% required) and then connect the XP box via a multi LAN NAS with configurable firewalls such that the SMB1 protocols can exist private side and be actively blocked on the public side and say only SMB3 be used on the public side. Sure there are other way of doing this but a Synology NAS will do that just fine for not a lot of bucks. That was the disk can be mounted virtually and see to the network and to the XP box with minimal security risk.