Tuesday is a big day for many of the computer networks that run the nation’s electric power, oil and gas, water, chemical, and other vital systems dubbed “critical infrastructure” – it’s the day Microsoft’s popular but increasingly antiquated Windows XP operating system becomes permanently vulnerable to cyber-attack, experts say.
Microsoft’s decision long ago to declare WinXP at its “end of life” on April 8 means no more free security patches and other fixes flowing regularly out of its offices in Redmond, Wash. It also means a new cyber-security challenge for millions of individuals and companies worldwide that still rely on the 12-year-old WinXP system to get work done.
Windows XP will not just stop functioning, of course. Many of its users will continue right on relying on XP as they have for so long. But Microsoft’s declaration means an end to free patching for XP that will make it far easier for hackers, who will no longer need to constantly develop new malicious software to penetrate more than a quarter of all the computers on the planet.
But perhaps the sharpest challenge is faced by critical infrastructure “asset owners” who rely on XP computers to run the industrial control systems that regulate the power grid, refineries, chemical plants, and other utilities and industries vital to US economic prosperity. As it happens, many of these industrial users rarely if ever patch their WinXP work-station computers anyway – and see no need to start.
As a result of the halt in XP updates, “computer systems running unsupported software are exposed to an elevated risk to cyber-security dangers, such as malicious attacks or electronic data loss,” the Department of Homeland Security’s Industrial Control System Computer Emergency Readiness Team wrote in a March 10 alert to industrial users.
“Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements,” the alert also warns. Even so, some of those affected by federal regulations in the electric utility and chemical industries will undoubtedly seek exemptions to the rules, some experts say.
“Yes, this is a big deal, a serious threat, but a lot of our industrial clients have had only a very lackadaisical response,” says Jonathan Pollet, founder of Red Tiger Security, an industrial control system (ICS) security company. “They tell me: ‘Hey, this computer has been running XP for years. It’s not going anywhere and we’re not upgrading it anytime soon. We’ve got high firewalls to protect us.’ They just don’t feel like it’s a big issue. But they’re wrong.”
Nobody knows just how widespread WinXP is through critical infrastructure industries worldwide, but there’s a lot out there. Mr. Pollet estimates that about half of his clients are still running vital systems on an operating system that now has a bull’s-eye painted on it by cyber-spies, criminals, and warriors worldwide.
“The main issue with XP is that basically it’s in a forever-vulnerable state now – no patches,” Pollet adds. “The exploits, all those attack profiles, are going to be effective and work 100 percent of the time.”
Others say the demise of WinXP, which has been dubbed tongue-only-slightly-in-cheek the “XPocalypse,” does not matter that much. But that’s only because losing the ability to patch systems that were not being patched anyway does not really increase the security threat, they say.
Dale Peterson, founder and CEO of Digital Bond, an industrial control systems security company in Sunrise, Fla., calls many news reports and worries about WinXP’s impact on industrial control systems “wildly overblown.”
But that’s mostly because so little patching of vulnerable WinXP systems was going on before Microsoft pulled the plug, he writes in his blog.
“It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually,” Mr. Peterson writes. “The fact that Microsoft is not issuing patches doesn’t change their security posture one bit.”
In fact, some critical infrastructure asset owners “secretly are happy” about this because they now have an excuse for why they can’t patch. Yet that just underscores how vulnerable the nation’s critical infrastructure already is, he notes.
“Owner/operators need to come to grips with the fact they are running mission critical” industrial control system networks, Peterson writes.
Much of the problem stems from the fact that patching industrial systems is difficult and costly – and sometimes just isn’t possible. With the end of XP updates, many industrial control system software vendors also may not even offer upgrades to enable vital software to work with the newer, more secure Windows 7 or 8. Or, if they do, vendors often want to charge millions to upgrade software across the board, Pollet says.
While that’s not a deterrent for large companies with significant budgets, smaller companies face a range of difficult options, including vendors still selling vulnerable software based on XP, says Adam Crain, a partner in Automatak, a security-focused ICS developer in Raleigh, N.C.
“I don’t think XP’s demise changes our risk, because we already had a high level of risk because of the patching situation,” he says. “We aren’t seeing a lot of attacks yet mainly because there isn’t a financial motivation for that yet. I don’t see it significantly elevating the risk because of all the other things we’re not doing.”
Sean McBride, director of analysis for Critical Intelligence, an Idaho Falls firm that tracks industrial control threats, says his firm has seen an increase in overall ICS malware threats, with 11 actual attacks on ICS companies last year – many of those energy companies – and 15 additional attacks that could affect such systems.
“We know adversaries are interested in industrial control systems, and the fact they’re vulnerable, unpatched and no longer supported operating system – that doesn’t bode well,” he says.