What the end of Windows XP support means for industrial cybersecurity

We are now in the final month of Microsoft offering support for its Windows XP operating system, which presents a new security challenge for the great many control systems still running XP. Without support, XP control systems will not receive regular security updates, making them susceptible to cyberattacks. Control systems running older versions of XP will of course be no less secure than they already are.

This shouldn’t be news to any utilities using Windows XP, as Microsoft is pretty transparent about the Windows lifecycle. (Set your calendars now for April 11, 2017, Windows Vista users, however few of you are.) Despite knowing that support is ending, laggards among control system vendors are still shipping new products on Windows XP, demonstrating an “if it ain’t broke, don’t fix it” attitude. Well, Windows XP is now officially broken.

Utilities aren’t exactly early adopters when it comes to new operating systems — and with good reason. With every new operating system comes a host of bugs and glitches that put reliability-critical and safety-critical systems at risk. When Windows 8 was released, the control system world watched and learned as corporate information technology (IT) teams struggled with it while the kinks were ironed out. Only once a technology is proven and the reliability risks well-understood do we start seeing industrial customers begin to deploy the technology. This shaves at least a few years off the lifespan of operating systems in the industrial world compared with the corporate world.

This has long been a problem with no simple solution and reflects a larger debate surrounding the issue. Upgrading an industrial control system to the latest operating system is generally impossible, as the old version of software generally does not run the same (or run at all) on a new operating system. Regularly upgrading to new versions of control system software is often cost-prohibitive, due to the resources needed to test a change that big. The testing cost of installing regular security updates at all is prohibitive in complex environments with serious safety and reliability concerns.

For the foreseeable future, and very possibly indefinitely, a great many control systems will continue to suffer from a very “soft interior” security-wise. Compensating measures in the form of strong physical security perimeters and strong cybersecurity perimeters continue to be far more important in preventing attacks to control system networks than these measures are important to corporate IT networks. One compensating measure we see being deployed ever more widely is hardware-enforced Unidirectional Security Gateways, which allow business-critical industrial data to flow in one direction out of a protected network, without any chance of an attack getting back in through the equipment.

The day is upon us. If our control system has a soft interior, we had better put a hard shell around that interior if we want to stay safe.

Read more about how Unidirectional Security Gateways can protect critical infrastructures.    

Desperately Seeking SCADA

Shodan, “the scariest search engine on the Internet,” was back in the news this month with the launch of Shodan Maps. For those unfamiliar, Shodan tracks devices that are connected to the Internet, including SCADA and industrial control systems (ICS). Now, instead of just identifying these systems, searchers can see where they’re located. This is troubling, as it gives our adversaries physical directions to what appear to be poorly defended critical infrastructure systems. 

Fortunately, Shodan isn’t designed for your average Googler. Those who are capable of carrying out a large-scale cyberattack against critical infrastructure sites, though, will have the technological knowhow to navigate the search engine. Researchers with Project SHINE have identified more than 1 million IP addresses globally that are potentially associated with SCADA and ICS devices. However, at the recent Public Safety Canada ICS Security Workshop, it was reported that the DHS investigated the 500,000 American IP addresses SHINE reported, and found that only a little more than 7,000 were real control system equipment. While this is a small percentage of the original number, it is still a disturbing amount of equipment.

The issue remains: in a constantly connected universe, any system that is connected directly or indirectly to the Internet is vulnerable to attack. Large scale control systems recognize this and are buried behind layers of firewalls, but firewalls aren’t enough to defend against modern day cyberthreats. Firewall vulnerabilities are well known to anyone with a modest security background, and control systems connected to the Internet is a problem made worse by exposing them via search engine.

The best-defended control systems, such as those at every American nuclear plant and an even larger number of conventional power plants, have installed Unidirectional Security Gateways, a stronger-than-firewall technology that thoroughly protects control systems from Internet attacks, however indirect they are. That someone with average skills can locate Internet-exposed control systems should inspire any utility manager to improve defenses.

See how unidirectional security gateways can deliver true security.

Follow us on Twitter @WaterfallSecure.

Like us on Facebook.

Follow us on LinkedIn.