One strategy for the passing of Windows XP

Cyber security expert offers advice for finding one silver lining in the passing of support for Microsoft Windows XP. It might get companies to face larger realities.



Matt Luallen offers advice on Windows XP as he gets ready for his class at DePaul University.

Microsoft has allowed Windows XP to move onto the too-old-to-support list, and the world is still turning and those computers still work. There are many industrial users that still depend on XP, just as there are many business-IT systems that have never upgraded.

XP continues to work, but its obsolescence means that Microsoft will cease offering patches for vulnerabilities in the operating system. (The fact that vulnerabilities are still being found after all these years is an interesting point in itself.) Some of those vulnerabilities may prove to be exploitable by cyber criminals, and there will be no mechanism to fix them in the actual code. Zero-day vulnerabilities become forever-day vulnerabilities. (Read an earlier article on different types of vulnerabilities.)

In the video, Matt Luallen points out that in a typical industrial environment, there are potentially many cyber assets that share this problem. There are all sorts of devices that are not patched or cannot be patched. XP now joins that list, alongside the earlier versions of Windows that are also still running in many environments. The key to dealing with those devices and platforms is minimizing their exposure: keep what you need, and get rid of everything else. This advice is nothing new. It’s part and parcel of performing a vulnerability assessment, and you should be doing this sort of thing regularly. (Read an earlier article on vulnerability assessment.)
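One way to turn that advice into a repeatable check is to score an asset inventory so the unpatchable, most exposed hosts surface first. This is an added example, not code from the article or from Luallen's course; the host names, listening services, and network-reachability flags are constructed, and the scoring weights are an assumption you would tune to your own plant.

```python
from dataclasses import dataclass
from datetime import date

# Constructed assessment date; the XP and 2000 end-of-support dates are Microsoft's
# published ones, and Windows 7 is listed only to show a still-supported platform.
ASSESSMENT_DATE = date(2014, 4, 17)
END_OF_SUPPORT = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

@dataclass
class Asset:
    name: str
    os: str
    listening: set           # services found listening during the assessment
    required: set            # services the process genuinely depends on
    reachable_from_it: bool  # routable from the business/IT network

def support_status(os_name, today=ASSESSMENT_DATE):
    """'supported', 'unsupported', or 'unknown' (vendor EOL not in the table)."""
    eol = END_OF_SUPPORT.get(os_name)
    if eol is None:
        return "unknown"
    return "unsupported" if eol <= today else "supported"

def assess(assets, today=ASSESSMENT_DATE):
    """Rank assets so the unpatchable, most exposed hosts come first (assumed weights:
    +2 unsupported OS, +1 unknown OS, +1 per unneeded listener, +3 if unsupported and IT-reachable)."""
    findings = []
    for a in assets:
        status = support_status(a.os, today)
        excess = sorted(a.listening - a.required)  # exposure to remove
        score = {"unsupported": 2, "unknown": 1, "supported": 0}[status] + len(excess)
        if status == "unsupported" and a.reachable_from_it:
            score += 3
        findings.append({"asset": a.name, "os": a.os, "status": status,
                         "remove": excess, "score": score})
    return sorted(findings, key=lambda f: (-f["score"], f["asset"]))

# Constructed sample inventory for a small plant network (hypothetical hosts).
INVENTORY = [
    Asset("hmi-ws-01", "Windows XP", {"opc-da", "smb", "netbios", "rdp"}, {"opc-da"}, True),
    Asset("historian-02", "Windows 7", {"sql", "smb", "rdp"}, {"sql", "rdp"}, True),
    Asset("plc-gateway-03", "VxWorks", {"modbus", "http"}, {"modbus"}, False),
    Asset("eng-laptop-07", "Windows 2000", {"smb"}, set(), False),
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['score']:2d} {f['asset']:<15} {f['os']:<13} {f['status']:<11} remove: {', '.join(f['remove']) or '-'}")
```

The "remove" list is the concrete work item per host: the listeners the process does not need and that an unpatchable platform should not be offering.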

Will this situation cause companies to face up to what’s really happening and launch a more complete cyber security assessment? Let’s hope so. If you’re trying to make this happen within your own company, it’s something you can use as leverage.

Matt Luallen has prepared a comprehensive video course on cyber security for Control Engineering.

Peter Welander,

Anonymous , 04/17/14 12:03 PM:

Though this topic is only superficially addressed in this article, it is valuable in that it gives one a "heads up" to the fact that certain vulnerabilities may lurk in our systems. It may be time to do a bit of "house cleaning".
Anonymous , 04/17/14 12:14 PM:

One aspect in the do I upgrade or not that is often overlooked is the availability of spare PC parts. Especially for systems with dedicated function cards, getting a replacement can be a problem. This often drives the question beyond the security space to include the overall reliability and supportability of the system.
Anonymous , 04/21/14 12:42 PM:

The Stuxnet virus attack should have raised concerns in the industrial world, but was met mostly with inaction. This is typical. Until there is an immediate crisis or government regulations, upper management sees no problem to solve. Windows is such a "house of cards" that it is hard to know what services running are essential or where they even came from.

This "we see no problem" mentality has led to some significant historical slap-downs. The Three Mile Island incident happened shortly after the movie China Syndrome, almost per script, after assurances from managers it could never happen. Fukushima's loss of diesel generators was similar. Industrial attacks can be as devastating as any bombings of populations. What would happen to America's sprawling suburbs without gasoline and transportation?