We are now in the final month of Microsoft offering support for its Windows XP operating system, which presents a new security challenge for the great many control systems still running XP. Without support, XP control systems will not receive regular security updates, making them susceptible to cyberattacks. Control systems running older versions of XP will of course be no less secure than they already are.
This shouldn’t be news to any utilities using Windows XP, as Microsoft is pretty transparent about the Windows lifecycle (Set your calendars now for April 11, 2017, Windows Vista users, however few of you are.) Despite knowing that support is ending, laggards among control system vendors are still shipping new products on Windows XP, demonstrating an “if it ain’t broke, don’t fix it” attitude. Well, Windows XP is now officially broken.
Utilities aren’t exactly early adopters when it comes to new operating systems — and with good reason. With every new operating system comes a host of bugs and glitches that put reliability-critical and safety-critical systems at risk. When Windows 8 was released, the control system world watched and learned as corporate information technology (IT) teams struggled with it while the kinks were ironed out. Only once a technology is proven and the reliability risks well-understood do we start seeing industrial customers begin to deploy the technology. This shaves at least a few years off the lifespan of operating systems in the industrial world compared with the corporate world.
This has long been a problem with no simple solution and reflects a larger debate surrounding the issue. Upgrading an industrial control system to the latest operating system is generally impossible, as the old version of software generally does not run the same (or run at all) on a new operating system. Regularly upgrading to new versions of control system software is often cost-prohibitive, due to the resources needed to test a change that big. The testing cost of installing regular security updates at all is prohibitive in complex environments with serious safety and reliability concerns.
For the foreseeable future, and very possibly indefinitely, a great many control systems will continue to suffer from a very “soft interior” security-wise. Compensating measures in the form of strong physical security perimeters and strong cybersecurity perimeters continue to be far more important in preventing attacks to control system networks than these measures are important to corporate IT networks. One compensating measure we see being deployed ever more widely is hardware-enforced Unidirectional Security Gateways, which allow business-critical industrial data to flow in one direction out of a protected network, without any chance of an attack getting back in through the equipment.
The day is upon us. If our control system has a soft interior, we had better put a hard shell around that interior if we want to stay safe.
Read more about how Unidirectional Security Gateways can protect critical infrastructures.