A new cybersecurity report is warning of "broken Windows" in some of the most sensitive computer systems worldwide.
Nearly two-thirds of the 1,821 industrial control systems and "internet of things" networks surveyed by Boston-based cybersecurity firm CyberX were using outdated operating systems like Windows XP or even Windows 2000, according to findings released Tuesday.
Those older versions of Windows no longer receive routine security support, meaning any vulnerability found in them will likely never be fixed. That's a problem in manufacturing plants, chemical facilities and offshore oil platforms where hackers who wrest control of certain systems could — in worst-case scenarios — put lives at risk.
But that's getting ahead of things. Even if a site uses outdated software, some faraway hackers wouldn't be able to waltz in there and wreak havoc without first finding a pathway in through the internet. The most crucial industrial control networks — such as those responsible for managing parts of the U.S. transmission grid — are kept strictly isolated or "air gapped" from the public internet.
That's the story on paper, at least. While CyberX did give credit to oil and gas companies and electric utilities for faring better overall on security compared with other sectors like pharmaceuticals, the report found that more than a quarter of sites analyzed still had some sort of direct exposure to the internet.
CyberX's findings aren't likely to surprise system administrators who know how technically daunting it can be to plaster over every risky conduit to the outside world, with all its cat videos and sketchy World Series livestreams. They also know how costly it can be to spruce up an organization's entire fleet of computers — particularly if those machines are embedded deep inside industrial environments that can't be switched off for upgrades on a whim.
CyberX sympathizes. The report notes that it is "complex and disruptive — and sometimes impossible" to transition to newer versions of Windows or other operating systems that still get security updates.
Add all that up, and the state of play in industrial cybersecurity seems unlikely to change anytime soon.
— Blake Sobczak
Bits and bytes
If a major U.S. power utility can't hit back at grid hackers, "who can?" asks Southern Co. CEO Tom Fanning. (E&E News)
EPA's internal watchdog warns that management lapses could expose the agency to cyberattacks that could disrupt operations or leak sensitive data. (E&E News)
Encrypted phone maker MPC has a whole lot more going on behind the scenes and has made some "extremely violent" business connections, sources tell Vice News. (Motherboard)
Congressional Republicans stormed a secure room on Capitol Hill to make a point about the impeachment inquiry into President Trump, drawing ire from cybersecurity experts. (Washington Post)
Nearly 250 documented ransomware attacks have roiled governments in U.S. states ranging from Washington to Florida, and now you can see all the big ones dating back to 2013. (StateScoop)