Cyber security is going to be a big issue for plants using Windows XP once Microsoft quits offering extended support and security updates. Microsoft ends that support for Windows XP beginning April 8, 2014. While this event means little to the average PC owner -- years ago we moved on to Windows 7 or 8 -- for many manufacturing and process plants, April will be the cruelest month. Plants often keep the same automation technology for 10 or 20 years.
Problem is, hackers have also marked that date. In a recent blog, Microsoft's director of trustworthy computing (honest, that's his title), Tim Rains, noted that "attackers will have the advantage over defenders who choose to run Windows XP because attackers will likely have more information about vulnerabilities in Windows XP than defenders."
According to Microsoft, when it releases a security update, security researchers and criminals will often reverse engineer the security update quickly in an effort to identify the specific section of code that contains the vulnerability addressed by the update. Once they identify this vulnerability, they attempt to develop code that will let them exploit it on systems that do not have the security update installed.
Hackers also try to identify whether the vulnerability exists in other products with the same or similar functionality. If a vulnerability is addressed in one version of Windows, these hackers will check other versions of Windows to see if they have the same vulnerability.
To make sure its customers are not at a disadvantage to attackers, the Microsoft Security Response Center releases security updates for all affected products simultaneously. This gives customers the advantage over hackers.
But after April 8, 2014, organizations that continue to run Windows XP won't have this advantage over attackers any longer. The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities, and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop code that can take advantage of those vulnerabilities.
Rains noted this will all change for Windows XP this coming April. "Since a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a zero-day vulnerability forever," said Rains, in the blog. As for how often these vulnerabilities will show up, he noted that "between July 2012 and July 2013 alone, Windows XP was affected in 45 Microsoft security bulletins, of which 30 also affected Windows 7 and Windows 8."
While the obvious solution for plants would be to upgrade to a newer Windows operating system, this could involve significant cost and interruptions. Software upgrades in an operating production network commonly encounter unintended and unanticipated consequences.
Automation vendors and security firms are offering solutions. These companies have a track record of managing antiquated automation systems. In a statement on Windows XP, the security company Innominate Security Technologies of Germany noted that "a simpler, less expensive solution has already proven successful in the automotive industry and on automated production networks using older systems from Windows 95 to Windows 2000."
Innominate's solution utilizes distributed security appliances based on the company's mGuard technology that protects non-patchable legacy systems. According to Innominate, this technology "can be installed by ordinary technicians without interrupting production, and it can be configured and launched from a central server console." The resulting advantage is a low-cost hardening of the system by a simple and transparent installation of plug-and-play modules.
For many plants, this could be a more feasible solution than shutting down the plant and installing Windows 7 or 8. While that approach is a no-brainer for an office network, it becomes a bit complicated when a number of legacy automation and control systems are tied into Windows XP.