Let me give you a real-world anecdote to provide a little context about my comment to Kelly Jackson Higgins over at Dark Reading that the Windows XP end of life was in many ways a positive experience for ICS organizations that care about security.
Last month I had a conversation with a security-conscious client who was forced by corporate policy to upgrade their engineering laptops from XP to Windows 7 prior to XP’s end of life. These were the laptops that had the PLC and other programming tools on them to troubleshoot and update logic/programs and other devices at field sites in a SCADA system. They followed the corporate edict and updated the OS. And some of these software tools stopped working.
The story continues: they had to go back to the software tool vendors and upgrade or load a newer version of the application tool that was supported on Windows 7. Now I would like to say the right lesson was learned, but we were not there yet. The wrong lesson the engineers initially took away was that it was dangerous to update an OS on ICS workstations and servers, and that it should not be done.
However, once we started to have a discussion on how they approached this upgrade and how they approached physical system upgrades at the field site, they started to identify and internalize the right lessons. They consider the impact of other engineering changes to the field sites, and perform the appropriate research, testing, outage (if necessary), recovery, etc. In this case they did not check with the tool vendors, who had very clear documentation on their sites on the versions that were compatible with Windows 7. There is nothing unique to ICS about verifying application and OS compatibility.
This was one of the many conversations I had with asset owners dealing with the move from XP to Windows 7. There were a number of other lessons learned in processes, vendor selection, budgeting and other areas.
Starting in the ’90s, the ICS community bought into the myth that we could have mission-critical IT networks that did not require any time or expense to maintain. XP end of life was a great example of why asset owners need to plan for periodic upgrades of operating systems and applications.
I think the best treatment of ICS security through basic engineering practices is Ralph Langner’s Robust Control System Networks.
Image by Bruce Turner