Weak spot
6 May 2014
Last month marked the end of technical support for Microsoft’s Windows XP operating system. Robert Smith investigates the security risks for process plants running control systems on the XP platform.
On 8 April 2014, support for Windows XP effectively ended. This means that there will no longer be any security updates or technical support patches from Microsoft.
But what does that really mean?
According to an online statement released by Microsoft, which featured an ‘end-of-life’ countdown clock, “it means you should take action”.
In the past, when a vulnerability was detected on Windows XP, Microsoft would issue system patches to protect PC users and their data.
This type of technical support is still available through Microsoft’s supported OS platforms, such as Windows 7 and 8.
However, for those who continue to run Windows XP, Microsoft will not provide any support for any new vulnerabilities that are found, which could lead to an increase in hacking and system exploitation.
Having already been dubbed “the zombie operating system” and “the Y2K bug for the critical infrastructures environment”, the risk factor for those still operating Windows XP is now thought to be reaching its peak.
“Tomorrow morning, for example, we manage to find a major vulnerability that can exploit every Windows XP system across the world – which in the past would have been fine as we could just patch it and update our systems,” says McAfee EMEA vice president & chief technology officer Raj Samani.
“But now there are no patches. And as time passes and as more vulnerabilities are found, you will have systems that will be vulnerable and quite frankly that can be exploited.”
Firms are therefore being urged to look at a number of security and migration options to help protect their systems against exploits, and are being advised to determine what assets they have and which of those assets run on Windows XP.
According to Honeywell Process Solutions’ global cyber security business leader Jeff Zindel: “Industrial organisations failing to implement a migration or contingency plan for control systems running on an OS that Microsoft no longer supports could face safety, reliability and regulatory compliance issues affecting their overall business performance.
“No more patches or support for Windows XP provides a compelling reason for all process industries to migrate. Because now they have introduced greatly increased risk in the security area that was not of as great concern prior to XP end-of-life. Damages can range from loss of view or equipment failure, to the greater extreme of loss of plant assets or lives. There is great risk to company reputation, as well as financial exposure.”
Fortunately, users in the process sectors have an advantage over personal or home users in that many of their control systems are isolated and cut off from external access.
“A company’s security vulnerability situation depends very much on how their systems have been installed,” says Emerson Process Management marketing product manager for system security Bob Huba.