Windows XP 'end of life' exposes vital industries to risk. Where's the panic?

With a halt in Windows XP updates, 'systems running unsupported software are exposed to an elevated risk to cyber-security dangers,' the DHS alerted industrial users, many of which never patch their computers anyway.

Windows XP Professional computer operating system is on display at a CompUSA store in Tukwila, Wash. in October 2006. On April 8 Microsoft ended support for its still popular Windows XP.

Ted S. Warren/AP/File

April 8, 2014

Tuesday is a big day for many of the computer networks that run the nation’s electric power, oil and gas, water, chemical, and other vital systems dubbed “critical infrastructure” – it’s the day Microsoft’s popular but increasingly antiquated Windows XP operating system becomes permanently vulnerable to cyber-attack, experts say.

Microsoft’s decision long ago to declare WinXP at its “end of life” on April 8 means no more free security patches and other fixes flowing regularly out of its offices in Redmond, Wash. It also means a new cyber-security challenge for millions of individuals and companies worldwide that still rely on the 12-year-old WinXP system to get work done.

Windows XP will not just stop functioning, of course. Many of its users will continue right on relying on XP as they have for so long. But Microsoft’s declaration means an end to free patching for XP that will make it far easier for hackers, who will no longer need to constantly develop new malicious software to penetrate more than a quarter of all the computers on the planet.

But perhaps the sharpest challenge is faced by critical infrastructure “asset owners” who rely on XP computers to run the industrial control systems that regulate the power grid, refineries, chemical plants, and other utilities and industries vital to US economic prosperity. As it happens, many of these industrial users rarely if ever patch their WinXP work-station computers anyway – and see no need to start.

As a result of the halt in XP updates, “computer systems running unsupported software are exposed to an elevated risk to cyber-security dangers, such as malicious attacks or electronic data loss,” the Department of Homeland Security’s Industrial Control System Computer Emergency Readiness Team wrote in a March 10 alert to industrial users.

“Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements,” the alert also warns. Even so, some of those affected by federal regulations in the electric utility and chemical industries will undoubtedly seek exemptions to the rules, some experts say.

“Yes, this is a big deal, a serious threat, but a lot of our industrial clients have had only a very lackadaisical response,” says Jonathan Pollet, founder of Red Tiger Security, an industrial control system (ICS) security company. “They tell me: ‘Hey, this computer has been running XP for years. It’s not going anywhere and we’re not upgrading it anytime soon. We’ve got high firewalls to protect us.’ They just don’t feel like it’s a big issue. But they’re wrong.”

Nobody knows just how widespread WinXP is through critical infrastructure industries worldwide, but there’s a lot out there. Mr. Pollet estimates that about half of his clients are still running vital systems on an operating system that now has a bull’s-eye painted on it by cyber-spies, criminals, and warriors worldwide.

“The main issue with XP is that basically it’s in a forever-vulnerable state now – no patches,” Pollet adds. “The exploits, all those attack profiles, are going to be effective and work 100 percent of the time.”

Others say the demise of WinXP, which has been dubbed tongue-only-slightly-in-cheek as the “XPocalypse,” does not matter that much. But that’s only because losing the ability to patch systems that were not being patched anyway does not really increase the security threat, they say.

Dale Peterson, founder and CEO of Digital Bond, an industrial control systems security company in Sunrise, Fla., calls many news reports and worries about WinXP’s impact on industrial control systems “wildly overblown.”

But that’s mostly because so little patching of vulnerable WinXP systems was going on before Microsoft pulled the plug, he writes in his blog.

“It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually,” Mr. Peterson writes. “The fact that Microsoft is not issuing patches doesn’t change their security posture one bit.”

In fact, some critical infrastructure asset owners “secretly are happy” about this because they now have an excuse why they can’t patch. Yet that just underscores how vulnerable the nation’s critical infrastructure already is, he notes.

“Owner/operators need to come to grips with the fact they are running mission critical” industrial control system networks, Peterson writes.

Much of the problem stems from the fact that patching industrial systems is difficult and costly – and sometimes just isn’t possible. With the end of XP updates, many industrial control system software vendors also may not even offer upgrades to enable vital software to work with higher, more secure Windows 7 or 8. Or, if they do, vendors often want to charge millions to upgrade software across the board, Pollet says.

While that’s not a deterrent for large companies with significant budgets, smaller companies face a range of difficult options, including vendors still selling vulnerable software based on XP, says Adam Crain, a partner in Automatak, a security-focused ICS developer in Raleigh, N.C.

“I don’t think XP’s demise changes our risk, because we already had a high level of risk because of the patching situation,” he says. “We aren’t seeing a lot of attacks yet mainly because there isn’t a financial motivation for that yet. I don’t see it significantly elevating the risk because of all the other things we’re not doing.”

Sean McBride, director of analysis for Critical Intelligence, an Idaho Falls firm that tracks industrial control threats, says his firm has seen an increase in overall ICS malware threats, with 11 actual attacks on ICS companies last year – many of those energy companies – and 15 additional attacks that could affect such systems.

“We know adversaries are interested in industrial control systems, and the fact they’re vulnerable, unpatched and no longer supported operating system – that doesn’t bode well,” he says.