The long goodbye to Microsoft Windows XP Embedded

Microsoft’s extended support for Windows XP Embedded ends on January 12, 2016, and those using the system after the expiration date need to take stock of their situation with a complete system inventory to assess the systems’ support availability and where upgrades are really needed.

01/01/2016


There are those that get work done early, those that get it done on time, and those that procrastinate until every task is an emergency. Those still using Microsoft Windows XP Embedded in their industrial environments will fall into the latter category because Microsoft's extended support for Windows XP Embedded ends on January 12, 2016. The 15-year-old operating system will no longer be supported or updated, no matter how much users clamor or beg.

Companies still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional risks. For example, it will be difficult to find compatible hardware and software, and it will be difficult, if not impossible, to get updates to the applications currently running, which will make the systems more vulnerable. If there are Microsoft Windows XP systems running and they can't be replaced, then take measures to reduce potential risks. What is worse is to not even know if you have any XP systems running.

It is vital to complete a software and IT hardware inventory of the entire facility, which includes far more than just the production systems. It is important to also consider your laboratory systems, maintenance systems, warehouse systems, tank farm systems, HVAC systems, physical security systems, document management systems, planning systems, and development systems. Without a complete inventory, "hidden" systems under employee's desks, which are performing critical functions, might go unnoticed. For example, is the scheduling department still using a XP-based tool, or worse: a DOS-based tool; is the laboratory using XP-based test equipment; are the automated material movement systems running XP-based configuration and maintenance software; or is the security department using an XP-based badge scanning system?

At the very minimum, a complete system inventory will make it clear if there's a potential support problem. In this situation, as said in children's cartoons, "Now you know, and knowing is half the battle." With a complete inventory, the next steps in the process are much simpler.

First, categorize the systems' support availability using the following criteria:

  • Active—The system is using the most current automation product offering by the vendor.
  • Mature—The system is using a fully supported and available product, but a more current product is available.
  • End of Life—The system is using a product that has a future end of support date from the vendor.
  • Discontinued—The system is using a product that is no longer available for support by the vendor, and replacements and support are only available from third-party suppliers.
  • Obsolete—The system is using a product where support and replacements are no longer available.

Next, categorize the systems based on their risk to production:

  • High—The system has a direct impact on product quality and is critical to site operations.
  • Medium—The system has an indirect impact on product quality and is critical to site operations.
  • Low—The system has an indirect impact on product quality and is not critical to site operations.
  • None—The system has no direct or indirect impact on product quality and no direct impact on site operations.

Combining these into a criticality matrix can help determine the priority for system replacement as shown below.

Categorizing the systems’ support availability and their risk to production can help assess whether replacing a system is a major priority or not. Courtesy: Dennis Brandl, BR&L Consulting

The worst situation is to have high risk and obsolete systems where there are no readily available replacements.

In these situations, the first step is to virtualize the hardware, which at least removes the risk of a hardware failure and provides backups in case of software failures. Second, the systems should be isolated from other networks through demilitarized zones (DMZs), firewalls, or physical separation. It is likely the Microsoft Windows XP system will be running vulnerable browsers, databases, applications, and drivers, which makes isolation even more vital. However, virtualization and isolation are only temporary fixes to give the manager time to implement long-term solutions.

Determining whether the XP-based system has been compromised is difficult. One way to test is to use the virtual machine environment to create a "canary" copy to test the security. Finally, you can apply the same method used to handle the loss of Windows NT support following the "I AM FEARLESS" approach: Isolate, Apply Major patches, Fix, Enhance, Abandon, or Retire Legacy Shop floor Systems.

Dennis Brandl is a founder and chief consultant at BR&L Consulting Inc., specializing in helping companies use Manufacturing IT to improve production, laboratory, and logistics processes. Courtesy: BR&L Consulting Inc.With extended support now over for Microsoft Windows XP Embedded and no major patches available, the term to remember is now "I FEAR"—Isolate, Fix, Enhance, Abandon, or Retire. This is an appropriate feeling for those still running mission critical systems on Microsoft Windows XP.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C. His firm focuses on manufacturing IT. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.

ONLINE extra

- See related articles by Brandl below, which discuss using a canary to test security as well as the loss of Microsoft Windows NT support.



Anonymous , 02/09/16 09:56 AM:

Interesting issue
Bob , Non-US/Not Applicable, Norway, 02/10/16 01:57 AM:

Support is over, yes but you and the microsoft people must accept that a functioning device will not be replaced due to a date! Many systems will continue to live on for years.
Luis , Ontario, Canada, 02/17/16 12:45 AM:

Interesting imformation ... must be taken with calm and understanding and care ... we shall see what to do with it ... Thanks
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Sensor-to-cloud interoperability; PID and digital control efficiency; Alarm management system design; Automotive industry advances
Make Big Data and Industrial Internet of Things work for you, 2017 Engineers' Choice Finalists, Avoid control design pitfalls, Managing IIoT processes
Engineering Leaders Under 40; System integration improving packaging operation; Process sensing; PID velocity; Cybersecurity and functional safety
This article collection contains several articles on the Industrial Internet of Things (IIoT) and how it is transforming manufacturing.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

SCADA at the junction, Managing risk through maintenance, Moving at the speed of data
Flexible offshore fire protection; Big Data's impact on operations; Bridging the skills gap; Identifying security risks
The digital oilfield: Utilizing Big Data can yield big savings; Virtualization a real solution; Tracking SIS performance
click me