Microsoft Windows XP EOS: What manufacturers need to know

Ask Control Engineering: What do I need to know about end of service (EOS) for Microsoft Windows XP, and what should I consider going forward? See 5 areas impacting cyber security, production reliability, and quality. Alert organizations have been migrating away from Windows XP; Microsoft may still provide limited support for companies that pay for extended support, costing at least $100,000 per year.

05/21/2014


There has been much talk lately about the end-of-lifecycle issue related to the Microsoft Windows XP operating system (OS). In fact, for the past year, Microsoft has been reminding folks that on April 8, 2014, it would officially end extended support for Windows XP.

For more than 12 long years, Windows XP has been a stable and significant workhorse of an operating system, and not only on enterprise-wide desktop PCs. You may be surprised to find out that Windows XP is heavily used in industrial applications, including ruggedized PCs (such as human machine interface [HMI] computers, programming stations, and engineering laptops) as well as embedded computers used in thousands of devices that control and monitor many factory automation and process control operations and power, water, and transportation infrastructure.

Cumulating effects over time

What does this mean?

For starters, the end of extended support for Windows XP refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. It doesn't mean Windows XP will stop working; it means Microsoft will no longer release the security updates and "hot fixes" that were routinely made available for the very popular Windows XP OS before April 8, 2014.

Leaving Windows XP unsupported will expose users to a growing risk as the number and severity of security exploits grow, and continued support, if any, from Microsoft will be costly. Time will make even clearer that the quantity of serious security exploits for Windows XP is likely to increase rapidly as soon as Microsoft stops delivering security updates.

Consider this fact: 70% of Microsoft's security bulletins in 2013 affected XP, and there is no reason to assume that this will change (unless it increases) in the near future.

And while Microsoft may still provide limited support for companies that pay for extended support (an option that costs at least $100,000 per year), alert organizations should develop a plan to migrate away from Windows XP.

Reduce risk: Fix before it breaks

[Figure: This simplified drawing of an industrial network shows some points of vulnerability and protection. Courtesy: Belden]

How does this impact industrial users? For industrial users, migration from Windows XP is more complicated than at the enterprise level.

Critical infrastructure and industrial plants use complex networks of computers, PLC controllers, remote terminal units, and other specialized equipment. These mission-critical networks are designed, deployed, and managed with a razor-sharp focus on safety, reliability, and "up" time; outages of even just a few minutes are unacceptable. The reason for this is simple: any type of plant outage has an immediate and very significant financial impact on its owner. For many plants, the cost of an outage can easily be hundreds of thousands of dollars per hour. In addition, many of these industrial facilities include safety-critical processes which could put the lives of their employees or the surrounding communities at risk, or cause significant environmental impact, if not managed properly.

This creates a set of operating conditions and priorities that is very different from that in a typical IT or enterprise network. The prevailing mind-set in the plant is "if it ain't broke, don't fix it." Once a plant control system has been tested and commissioned, the engineers are very reluctant to make any changes to a working facility, and for good reason.

It is perhaps not widely known, but Windows XP is everywhere in today's industrial plants and factories. Numerous industrial control and supervisory control and data acquisition (SCADA) systems use Windows XP in their operator displays, human machine interfaces (HMIs), engineering laptops, and programming stations. Many plants use specialized application software which in many cases can't natively run, or hasn't been thoroughly tested on any operating system but Windows XP.

Windows XP also shows up in another form called "Windows XP Embedded." This is a lighter-weight version of Windows XP that was developed by Microsoft for use in branded OEM devices and systems such as machine tools, instrumentation, and operator interface terminals. Since these devices are not "computers" in the traditional sense of the word, their owners may not even be aware that Windows XP is running inside them, and that they therefore present the same security risk as an XP desktop or laptop computer. Even with awareness that such devices use Windows XP or Windows XP Embedded, there is typically no practical way to upgrade or patch them without completely replacing them. [Support on Windows XP Embedded is scheduled to end Jan. 12, 2016.] 

Downtime and security

The Windows XP EOL places industrial users in a very uncomfortable position. The risk of security issues and resultant downtime will steadily increase over time after the EOS, and yet the cost of upgrading or replacing XP-based systems (particularly the cost of the associated plant shutdown) is often prohibitive. What should you consider going forward?

First, realize that you must secure your devices, the network, and its operation. While you may not immediately have vulnerabilities, the longer you wait after April 8, 2014, the more susceptible your operation will become because of the EOS of Windows XP.

Most industrial firms that choose to migrate to a new operating system know it takes planning and time (usually 12-24 months for a complete change out) to ensure everything works as it should once it's put back together. How can you improve your migration success factors? 

5 key challenges at end of service

Start by creating an inventory of XP and non-XP assets in your plant network, and then identifying five (5) areas that usually present the biggest challenges. These are:

  1. Application compatibility problems
  2. Time available to perform migration and conflicts with other operational/IT initiatives 
  3. User training and support required after migration
  4. Lost productivity during migration
  5. Issues with repackaging, remediating, and deploying applications.

Create a plan, provide the right budget, and assign folks who can focus on the task of getting it right. Remember, it won't get done overnight.

For those devices that cannot be migrated from XP to a supported platform, or to provide immediate mitigation while you deploy your longer-term plan of migrating from Windows XP, you may want to apply "compensating devices," such as industrial firewalls. These devices can be easily configured to block network traffic that can exploit vulnerabilities in your XP systems, while still allowing them to perform their primary functions without interruption.
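The inventory step and the compensating firewall described above can be sketched together. This is an added example, not from the article or from Belden: the hosts, addresses, and flows are constructed, and only the two end-of-support dates come from the text.

```python
from datetime import date

# End-of-support dates as stated in the article.
EOS = {"Windows XP": date(2014, 4, 8),
       "Windows XP Embedded": date(2016, 1, 12)}

# Constructed sample inventory; hosts and addresses are hypothetical.
INVENTORY = [
    {"host": "hmi-01", "ip": "10.10.1.11", "os": "Windows XP", "can_migrate": False},
    {"host": "eng-laptop-3", "ip": "10.10.1.20", "os": "Windows XP", "can_migrate": True},
    {"host": "cnc-panel-7", "ip": "10.10.2.5", "os": "Windows XP Embedded", "can_migrate": False},
    {"host": "historian", "ip": "10.10.3.2", "os": "Windows Server 2012", "can_migrate": True},
]

# Constructed: the only flows each XP host needs for its primary function,
# as (source ip, destination ip, protocol, destination port).
REQUIRED_FLOWS = {
    "hmi-01": [("10.10.1.11", "10.10.1.100", "tcp", 502)],        # Modbus/TCP to PLC
    "eng-laptop-3": [("10.10.1.20", "10.10.1.100", "tcp", 502)],
    "cnc-panel-7": [("10.10.2.5", "10.10.3.2", "tcp", 1433)],     # SQL to historian
}

def unsupported(inventory, today):
    """Assets whose OS is past its end-of-support date on `today`."""
    return [a for a in inventory if a["os"] in EOS and today > EOS[a["os"]]]

def replacement_only(inventory, today):
    """Unsupported hosts that cannot be migrated and must stay firewalled."""
    return sorted(a["host"] for a in unsupported(inventory, today)
                  if not a["can_migrate"])

def build_policy(inventory, flows, today):
    """Return (protected IPs, allowlisted flows) for unsupported hosts."""
    hosts = unsupported(inventory, today)
    protected = {a["ip"] for a in hosts}
    allow = {f for a in hosts for f in flows.get(a["host"], [])}
    return protected, allow

def decide(policy, src, dst, proto, port):
    """Default-deny traffic touching a protected host unless allowlisted.
    Return traffic of an allowed connection is assumed to be handled by a
    stateful firewall and is not modelled here."""
    protected, allow = policy
    if src not in protected and dst not in protected:
        return "out-of-scope"
    return "allow" if (src, dst, proto, port) in allow else "deny"
```

Run against the article's publication date, the policy protects the two XP hosts; the XP Embedded panel only enters scope after Jan. 12, 2016.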

Many times an outside firm can help. Find and work with a "trusted advisor," someone you know who understands the technology and subject matter, and brings industrial solutions, certified in locking down industrial networks.

- Frank Williams is senior manager, Belden Cyber Security Initiative. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske(at)cfemedia.com

[Ask Control Engineering blog asked providers of Microsoft applications to help with this answer. Today's answers came from Belden.]

Go Online

Ask Control Engineering blog has more information and links to related Microsoft Windows XP advice.

Key concepts

  • Microsoft Windows XP support ended on April 8, 2014.
  • Risk of cyber security issues increases over time.
  • Resources are available to protect existing assets and migrate to other options.

Consider this

If you're still using Microsoft Windows XP without a clear plan for protection and migration, how will you explain to customers, employees, and others when a cyber security breach and outage results?
