Upgrading Windows XP – Mitigate the Vulnerabilities Immediately Using an Industrial Firewall – Part 2

Author Mike Miclot

On the eve of April 8, Microsoft retired support for the Windows XP operating system (OS) – leaving millions of Windows XP users susceptible to accidental and deliberate security issues. Though the retirement had been long planned and with fair warning, industrial network users are just beginning to comprehend the ramifications.

And it’s not that Windows XP will no longer work – it’s that Microsoft will no longer provide patches, security updates or infrastructure support, leaving industrial networks vulnerable to production disruptions and system downtime.

Even more concerning? Windows XP is the most popular OS for industrial users. It can be found in ruggedized PCs performing mission-critical tasks, such as control, safety and asset management, as well as embedded in thousands of devices used in factory automation and process control operations.

Those responsible for protecting critical industrial processes and networks are left with few options. And a system upgrade isn’t as simple as it may seem – one upgrade can trigger a lengthy "domino effect."

Upgrading to a new operating system triggers a domino effect of new hardware and equipment purchases, new driver installations, system integration work, testing, training and lost operational productivity.

What is the "Domino Effect"?

Ultimately, upgrading to a new version of Windows will be necessary, but it’s not a quick project.

An upgrade will come with a long list of strings attached. It means migrating away from an operating system that hosts a variety of applications, hardware and software programs. And upgrading isn’t a one-size-fits-all solution – it requires time and hefty costs, and it carries the risk of network downtime and lost operational productivity.

The "domino effect" triggered by an OS upgrade involves a number of steps, including:

  • Upgrading the operating system
  • Purchasing and installing:
    • New PC hardware and/or automation devices
    • New software for the new equipment
    • New communication drivers for the new software
  • Ensuring automation devices work with the new software and drivers
  • Conducting system integration work (since the mission-critical applications on your network may behave differently)
  • Deploying modified applications
  • Performing extensive testing on the new systems
  • Executing user training and support for the new systems

Now, imagine completing that process for every Windows XP install you have, and you can see how a "simple" OS upgrade can take several man-years of effort.

Upgrading just one computer running Windows XP to a new OS necessitates many other updates, each of which then requires testing and validation before being put into operation.

Update on Your Own Schedule: Deploy Industrial Firewalls

Not everyone is ready to change the way they operate. For those who prefer to continue running on Windows XP – and tackle the upgrade of their OS on their own time – employing industrial firewalls is an immediate solution for protecting Windows XP-based systems.

Applying industrial firewalls to your network:

  • Is a simple installation that can be configured quickly
  • Requires minimal staff time, training and support
  • Does not involve upgrading or replacing other systems, and is designed for all industrial environments
  • Is cost effective
  • Provides the option to create your own timeline for migrating away from Windows XP

There is no "domino effect" with industrial firewalls: they offer immediate peace of mind while protecting your network from security incidents, from internal accidents to cyberattacks.

A comparison of options for securing industrial applications after the Windows XP EOS.


What are your thoughts on the best way to deal with the EOS for Windows XP? I look forward to hearing from you.


Microsoft and Windows are registered trademarks of Microsoft Corporation in the United States and other countries.

Comments


Can you say more about how an industrial firewall protects these Windows XP systems that are now unpatched?

Hi Darrell

Excellent question. Let me start by making it clear that a firewall can't actually patch the XP computer. Instead, what it does is reduce the "attack surface". This then reduces the risks caused by being unable to patch.

Let me give you an example. For an experiment I just port scanned an XP computer in our lab that we use as a test HMI. I found 6 ports open and listening for incoming TCP connections (if anyone is curious, they were ports 80, 135, 139, 443, 445 and 554). Honestly I don't know if these ports are really needed by the HMI software or not, but each represents a listening service or application on the PC. And the fact they are open means that an attacker or malware scanning this computer has 6 different opportunities to attempt to take advantage of a possibly vulnerable service.

Those are just the listening ports. I also found a number of applications on the PC that open outbound TCP and UDP sessions. An obvious one is Internet Explorer (IE). I suspect we don't need it on our lab HMI, but no one bothered to disable it, so it's ready and waiting for someone to use it to connect to the outside world. Now someone in the lab might accidentally use IE to browse a compromised web site. And that web site could be designed to take advantage of copies of IE that are not patched for the Microsoft XML Core Services vulnerability announced in February (MS14-005). Then we have a problem...

In this particular case there is a patch available. But soon there won't be, unless I want to spend a lot of money and purchase Microsoft's custom support option. There is also lots I could do to harden this XP machine, such as disable IE or find out why those ports are open and close them if they are not needed. If they are needed, I could use the Windows Firewall to restrict the IP addresses of computers that can access those open ports. The trouble is, this is a lot of work, and I suspect my lab team will never bother.

So an alternative is to install an industrial firewall to harden the computer and reduce the attack surface. I could start by blocking all HTTP, both inbound and outbound, from all XP computers in the lab. If the firewall was a Tofino or a Hirschmann product, I could use the Test or Learning modes to figure out what other devices and services need to communicate with this XP computer, then automatically generate the rules to allow that and block everything else. And if it was a Tofino Firewall, I could potentially add 'Special Rules' to detect and block attempts to exploit a known vulnerability. All of these would reduce the attack surface and make exploiting this XP computer just that much harder.
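The policy sketched in the reply above (block HTTP in both directions, learn which peers actually talk to the XP host, allow only those flows, deny everything else), worked through as an added Python example; it is not code from the post or from any Tofino or Hirschmann product, and the addresses, the Modbus/TCP poll and the engineering-PC share access are constructed assumptions. It also shows how many of the six listening ports remain reachable once the learned allowlist is enforced.

```python
from dataclasses import dataclass
# Listening ports the reply above found on the lab XP HMI.
XP_LISTENING_PORTS = {80, 135, 139, 443, 445, 554}
HTTP_PORTS = {80, 443}          # blocked in both directions for XP hosts

@dataclass(frozen=True)
class Flow:
    src: str      # initiating host
    dst: str      # host being connected to
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

def learn_rules(xp_hosts, observed):
    """Learning mode: each flow seen touching an XP host becomes an allow
    rule, except HTTP in either direction, which stays blocked."""
    return {f for f in observed
            if (f.src in xp_hosts or f.dst in xp_hosts)
            and f.dport not in HTTP_PORTS}

def decide(allow, xp_hosts, flow):
    """Enforce mode: explicit HTTP deny, then learned allow, then default deny."""
    if (flow.src in xp_hosts or flow.dst in xp_hosts) and flow.dport in HTTP_PORTS:
        return "DENY (http blocked)"
    if flow in allow:
        return "ALLOW"
    return "DENY (default)"

def exposed_ports(allow, xp_host):
    """Ports on the XP host still reachable through the firewall, by peer."""
    reach = {}
    for f in allow:
        if f.dst == xp_host:
            reach.setdefault(f.dport, set()).add(f.src)
    return reach

# Constructed learning-phase traffic (hypothetical addresses, not from the post).
XP_HOSTS = {"192.0.2.50"}
OBSERVED = [
    Flow("192.0.2.50", "192.0.2.20", "tcp", 502),      # HMI polling a PLC (Modbus/TCP)
    Flow("192.0.2.10", "192.0.2.50", "tcp", 445),      # engineering PC reading a share
    Flow("192.0.2.50", "198.51.100.5", "tcp", 80),     # someone browsing from the HMI
]
RULES = learn_rules(XP_HOSTS, OBSERVED)
if __name__ == "__main__":
    for f in OBSERVED + [Flow("192.0.2.99", "192.0.2.50", "tcp", 135)]:
        print(f, "->", decide(RULES, XP_HOSTS, f))
    still_open = exposed_ports(RULES, "192.0.2.50")
    print("reachable:", still_open)
    print("no longer reachable:", sorted(XP_LISTENING_PORTS - set(still_open)))
```

With the learned allowlist in place only port 445 stays reachable, and only from the one engineering PC; the other five listening services are no longer exposed to a scanner on the network.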
