One strategy for the passing of Windows XP

Cyber security expert offers advice for finding one silver lining in the passing of support for Microsoft Windows XP. It might get companies to face larger realities.


Flash is required!

Matt Luallen offers advice on Windows XP as he gets ready for his class at DePaul University.

Matt Luallen offers advice on Windows XP as he gets ready for his class at DePaul University.Microsoft has allowed Windows XP to move onto the too-old-to-support list, and the world is still turning and those computers still work. There are many industrial users that still depend on XP, just as there are many business-IT systems that have never upgraded.

XP continues to work but its obsolescence means that Microsoft will cease offering patches for vulnerabilities in the program. (The fact that vulnerabilities are still being found after all these years is an interesting point in itself.) Some vulnerabilities may prove to be exploitable by cyber criminals, and there will be no mechanism to fix them in the actual code. Zero-day vulnerabilities become forever-day vulnerabilities. (Read an earlier article on different types of vulnerabilities.)

In the video, Matt Luallen points out that in a typical industrial environment, there are potentially many cyber assets that share this problem. There are all sorts of devices that are not patched or cannot be patched. The key to dealing with those devices and platforms, and now XP is added to the list with all the earlier versions of Windows that are also still running in many environments, is minimizing their exposure. Keep what you need, and get rid of everything else. This advice is nothing new. It’s part and parcel of performing a vulnerability assessment, and you should be doing this sort of thing regularly. (Read an earlier article on vulnerability assessment.)

Will this situation cause companies to face up to what’s really happening and launch a more complete cyber security assessment? Let’s hope so. If you’re trying to make this happen within your own company, it’s something you can use as leverage.

Matt Luallen has prepared a comprehensive video course on cyber security for Control Engineering.

Peter Welander,

Anonymous , 04/17/14 12:03 PM:

Though this topic is only superfically addressed in this article It is valuable in that it gives one a "heads up" to the fact that certain vulnerbilities may lurk in our systems. It may be time to do a bit of "house cleaning".
Anonymous , 04/17/14 12:14 PM:

One aspect in the do I upgrade or not that is often overlooked is the availability of spare PC parts. Especially for systems with dedicated function cards, getting a replacement can be a problem. This often drives the question beyond the security space to include the overall reliability and supportability of the system.
Anonymous , 04/21/14 12:42 PM:

The Stuxnet virus attack should have raised concerns in the industrial world, but was met mostly with inaction. This is typical. Until there is an immediate crisis or government regulations, upper management sees no problem to solve. Windows is such a "house of cards" that it is hard to know what services running are essential or where they even came from.

This "we see no problem" mentality has led to some significant historical slap-downs. The Three Mile Island incident happened shortly after the movie China Syndrome, almost per script, after assurances from managers it could never happen. Fukushima's loss of diesel generators was similar. Industrial attacks can be as devastating as any bombings of populations. What would happen to America's sprawling suburbs without gasoline and transportation?
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Choosing controllers: PLCs, PACs, IPCs, DCS? What's best for your application?; Wireless trends; Design, integration; Manufacturing Day; Product Exclusive
Variable speed drives: Smooth, efficient, electrically quite motion control; Process control upgrades; Mobile intelligence; Product finalists: Vote now; Product Exclusives
Machine design tips: Pneumatic or electric; Software upgrades; Ethernet advantages; Additive manufacturing; Engineering Leaders; Product exclusives: PLC, HMI, IO
This article collection contains the 5 most referenced articles on improving the use of PID.
Learn how Industry 4.0 adds supply chain efficiency, optimizes pricing, improves quality, and more.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security