One strategy for the passing of Windows XP

Cyber security expert offers advice for finding one silver lining in the passing of support for Microsoft Windows XP. It might get companies to face larger realities.



Matt Luallen offers advice on Windows XP as he gets ready for his class at DePaul University.

Microsoft has allowed Windows XP to move onto the too-old-to-support list, and the world is still turning and those computers still work. There are many industrial users that still depend on XP, just as there are many business-IT systems that have never upgraded.

XP continues to work but its obsolescence means that Microsoft will cease offering patches for vulnerabilities in the program. (The fact that vulnerabilities are still being found after all these years is an interesting point in itself.) Some vulnerabilities may prove to be exploitable by cyber criminals, and there will be no mechanism to fix them in the actual code. Zero-day vulnerabilities become forever-day vulnerabilities. (Read an earlier article on different types of vulnerabilities.)

In the video, Matt Luallen points out that a typical industrial environment potentially contains many cyber assets that share this problem: all sorts of devices that are not patched or cannot be patched. XP now joins that list, along with all the earlier versions of Windows that are still running in many environments. The key to dealing with those devices and platforms is minimizing their exposure. Keep what you need, and get rid of everything else. This advice is nothing new. It’s part and parcel of performing a vulnerability assessment, and you should be doing this sort of thing regularly. (Read an earlier article on vulnerability assessment.)

Will this situation cause companies to face up to what’s really happening and launch a more complete cyber security assessment? Let’s hope so. If you’re trying to make this happen within your own company, it’s something you can use as leverage.

Matt Luallen has prepared a comprehensive video course on cyber security for Control Engineering.

Peter Welander,

Anonymous , 04/17/14 12:03 PM:

Though this topic is only superficially addressed in this article, it is valuable in that it gives one a "heads up" to the fact that certain vulnerabilities may lurk in our systems. It may be time to do a bit of "house cleaning".
Anonymous , 04/17/14 12:14 PM:

One aspect in the do I upgrade or not that is often overlooked is the availability of spare PC parts. Especially for systems with dedicated function cards, getting a replacement can be a problem. This often drives the question beyond the security space to include the overall reliability and supportability of the system.
Anonymous , 04/21/14 12:42 PM:

The Stuxnet virus attack should have raised concerns in the industrial world, but was met mostly with inaction. This is typical. Until there is an immediate crisis or government regulations, upper management sees no problem to solve. Windows is such a "house of cards" that it is hard to know what services running are essential or where they even came from.

This "we see no problem" mentality has led to some significant historical slap-downs. The Three Mile Island incident happened shortly after the movie China Syndrome, almost per script, after assurances from managers it could never happen. Fukushima's loss of diesel generators was similar. Industrial attacks can be as devastating as any bombings of populations. What would happen to America's sprawling suburbs without gasoline and transportation?