All the fuss and tension over the security impact of Windows XP reaching its end of life next week is wildly overblown for the ICS community.
Yes, there are still a lot of asset owners running Windows XP in their ICS environments. And yes, many of these asset owners are in critical infrastructure sectors. There is also a very strong correlation between asset owners running critical infrastructure on XP and asset owners who are not applying security patches at all.
It doesn’t matter whether security patches exist if you are not going to apply them, even as infrequently as annually. The fact that Microsoft is no longer issuing patches does not change the security posture of those asset owners one bit. In fact, some are secretly happy about this, because they now have an excuse for why they can’t patch.
Owner/operators need to come to grips with the fact that they are running mission-critical IT with ICS applications on top of it. Mission-critical IT requires care and feeding, including periodic upgrades. The days of install-and-don’t-touch-for-decades ended almost two decades ago, when the decision was made to move to Windows, Oracle, Ethernet, etc.
The security leaders in the ICS community, both asset owners and vendors, have plans to address XP and other software obsolescence issues, and have implemented those plans. They are well past the install-and-don’t-touch approach that leads to lurking fragility.
And it’s not as if the XP end of life snuck up on us.
Let’s talk a bit about Microsoft. It is entirely reasonable for Microsoft to end support for XP. It is a business decision by Microsoft. Owner/operators cannot, on one hand, point to cost and the bottom line as the reason they can’t improve security and, on the other, ask a vendor to sacrifice its profit.
It was ten years or so ago that Microsoft held the first Manufacturing User Group summit in Redmond. At the time the outcry from the audience was that they wanted a manufacturing-specific OS for HMI, EWS, and ICS servers, stripped down to only what was needed in ICS. Microsoft considered this, decided it was bad business, and passed on a new ICS OS. They have instead gone in different directions with Server Core and other embedded solutions.
Over those ten years vendors have continued to develop applications that run on Windows workstation and server OSes, and asset owners have bought these ICS applications, all with the full knowledge that Microsoft moves to new OS versions and eventually drops support for old ones. This is not a new development, and it should have been planned for a decade ago.
Microsoft provided ample warning of this end of life. Asset owners had years to plan to upgrade their current applications to Windows 7, or to move to a new application if the vendor is out of business or refuses to offer a version on a supported OS. The asset owner can choose not to, but that is not Microsoft’s problem. Yes, it will cost the asset owner time and money, with time usually being the bigger issue, but again, they should have a policy that they run only supported software, and they had many years of warning that this was coming.