Microsoft Windows XP EOS: What manufacturers need to know
There has been much talk lately about the end of lifecycle issue related to the Microsoft Windows XP operating system (OS). In fact, for the past year, Microsoft has been reminding folks that on April 8, 2014, it would officially end extended support for the Windows XP operating system (OS).
For more than 12 long years Windows XP has been a stable and significant workhorse of an operating system. Not only for enterprise-wide desktop PCs, you may be surprised to find out Windows XP is heavily used in industrial applications including ruggedized PCs (such as human machine interface HMI computers, programming stations, and engineering laptops) as well as embedded computers used in thousands of devices that control and monitor many factory automation and process control operations; and power, water and transportation infrastructure.
Cumulating effects over time
What does this mean?
For starters, end to extended support for Windows XP refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. It doesn’t mean Windows XP will stop working; it means Microsoft will no longer release security updates and "hot fixes" that were routinely made available for the very popular Windows XP OS before April 8, 2014.
Leaving Windows XP unsupported will expose users to a growing risk as the number and severity of security exploits grow, and continued support, if any, from Microsoft will be costly. Time will make even clearer that the quantity of serious security exploits for Windows XP is likely to increase rapidly as soon as Microsoft stops delivering security updates.
Consider this fact: 70% of Microsoft’s security bulletins in 2013 affected XP, and there is no reason to assume that this will change (unless it increases) in the near future.
And while Microsoft may still provide limited support for companies that pay for extended support-an option that costs at least $100,000 per year-alert organizations should develop a plan to migrate away from Windows XP.
Reduce risk: Fix before it breaks
How does this impact industrial users? For industrial users, migration from Windows XP is more complicated than at the enterprise level.
Critical infrastructure and industrial plants use complex networks of computers, PLC controllers, remote terminal units, and other specialized equipment. These mission-critical networks are designed, deployed, and managed with a razor-sharp focus on safety, reliability, and "up" time; outages of even just a few minutes are unacceptable. The reason for this is simple: any type of plant outage has an immediate and very significant financial impact on its owner. For many plants, the cost of an outage can easily be hundreds of thousands of dollars per hour. In addition, many of these industrial facilities include safety-critical processes which could put the lives of their employees or the surrounding communities at risk, or cause significant environmental impact, if not managed properly.
This creates a set of operating conditions and priorities that is very different from that in a typical IT or enterprise network. The prevailing mind-set in the plant is "if it ain’t broke, don’t fix it." Once a plant control system has been tested and commissioned, the engineers are very reluctant to make any changes to a working facility, and for good reason.
It is perhaps not widely known, but Windows XP is everywhere in today’s industrial plants and factories. Numerous industrial control and supervisory control and data acquisition (SCADA) systems use Windows XP in their operator displays, human machine interfaces (HMIs), engineering laptops, and programming stations. Many plants use specialized application software which in many cases can’t natively run, or hasn’t been thoroughly tested on any operating system but Windows XP.
Windows XP also shows up in another form called "Windows XP Embedded." This is a lighter-weight version of Windows XP that was developed by Microsoft for use in branded OEM devices and systems such as machine tools, instrumentation, and operator interface terminals. Since these devices are not "computers" in the traditional sense of the word, their owners may not even be aware that Windows XP is running inside them, and that they therefore present the same security risk as an XP desktop or laptop computer. Even with awareness that such devices use Windows XP or Windows XP Embedded, there is typically no practical way to upgrade or patch them without completely replacing them. [Support on Windows XP Embedded is scheduled to end Jan. 12, 2016.]
Downtime and security
The Windows XP EOL places industrial users in a very uncomfortable position. The risk of security issues and resultant downtime will steadily increase over time after the EOS, and yet the cost of upgrading or replacing XP-based systems (particularly the cost of the associated plant shutdown) is often prohibitive. What should you consider going forward?
First, realize that you must secure your devices, the network, and its operation. While you may not immediately have vulnerabilities, the longer you wait after April 8, 2014, the more susceptible your operation will become because of the EOS of Windows XP.
Most industrial firms that choose to migrate to a new operating system know it takes planning and time (usually 12-24 months for a complete change out) to ensure everything works as it should once it’s put back together. How can you improve your migration success factors?
5 key challenges at end of service
Start by creating an inventory of XP and non-XP assets in your plant network, and then identifying five (5) areas that usually present the biggest challenges. These are:
- Application compatibility problems
- Time available to perform migration and conflicts with other operational/IT initiatives
- User training and support required after migration
- Lost productivity during migration
- Issues with repackaging, remediating, and deploying applications.
Create a plan, provide the right budget, and assign folks who can focus on the task of getting it right. Remember, it won’t get done overnight.
For those devices that cannot be migrated from XP to a supported platform, or to provide immediate mitigation while you deploy your longer-term plan of migrating from Windows XP, you may want to apply "compensating devices," such as industrial firewalls. These devices can be easily configured to block network traffic that can exploit vulnerabilities in your XP systems, while still allowing them to perform their primary functions without interruption.
Many times an outside firm can help. Find and work with a "trusted advisor," someone you know who understands the technology and subject matter, and brings industrial solutions, certified in locking down industrial networks.
– Frank Williams is senior manager, Belden Cyber Security Initiative. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering, email@example.com. [Ask Control Engineering blog asked providers of Microsoft applications to help with this answer. Today’s answers came from Belden.]
Ask Control Engineering blog has more information and links to related Microsoft Windows XP advice.
- Microsoft Windows XP support ended on April 8, 2014.
- Risk of cyber security issues increase over time.
- Resources are available to protect existing assets and migrate to other options.
If you’re still using Microsoft Windows XP without a clear plan for protection and migration, how will you explain to customers, employees, and others when a cyber security breach and outage results?
Below see related cyber security articles on end of service for Microsoft Windows XP.