Tomorrow, Microsoft Corp. will carry out its well-advertised decision to cut back on cybersecurity support for its legacy Windows XP operating system, exposing an undisclosed number of electric utilities, chemical plants, energy facilities and other critical infrastructure in the United States and worldwide to new cybersecurity vulnerabilities, the company warns.
"I fully expect the malware infection rate for Windows XP to go up after April," said Tim Rains, director of Microsoft Trustworthy Computing, who authors a blog on cybersecurity.
Under Microsoft's new policy, it will no longer issue patches or fixes for cyber vulnerabilities for Windows XP after tomorrow. It did agree to continue issuing updated anti-malware "signatures" to enable users to block specific threats against XP through July 14, 2015. But that won't prevent attackers from designing new malicious software to exploit security gaps.
"What I think will happen is attackers will simply take the security updates for supported operating systems [such as Windows Vista or Windows 7] and they'll just reverse-engineer the security updates to figure out where the vulnerability is, and see if that's a vulnerability for XP. If it is, they'll try to write an exploit for it," Rains said at a recent cybersecurity conference.
Elaborating on the threat in a blog last year, Rains said, "Rather than actively targeting remote services, attackers now primarily focus on exploiting vulnerabilities in client applications such as Web browsers and document readers. In addition, attackers have refined their tools and techniques over the past decade to make them more effective at exploiting vulnerabilities.
"As a result, the security features that are built into Windows XP are no longer sufficient to defend against modern threats," he said.
"It's a big deal," said Adam Crain, who owns the cybersecurity testing firm Automatak.
"Think of a vulnerability in Windows like a compromised immune system. Think of an anti-malware signature like a vaccine, for a particular bug, but you still have a weak immune system. A slightly modified virus can just exploit the same unpatched weakness, and thus get around the vaccine. It's like treating the symptom, but not curing the disease."
Microsoft would not address questions about the number of U.S. industrial and energy systems controls that still use the 13-year-old XP software to manage devices that collect, move and translate data for plant and network operations. But several experts say the number of XP applications is substantial.
"From my personal experience, XP is used extensively" in critical infrastructure and factory applications, said Andrew Ginter, the Calgary, Alberta-based vice president for industrial security at Waterfall Security Solutions, a cyberdefense vendor. "Generation, transmission distribution utilities, water treatment, chemical plants, refineries, gas pipelines, CO2 pipeline, you name it," he said.
Based on a 2012 survey by Bob Radvanovsky and Jake Brodsky of InfraCritical, a Department of Homeland Security defense team identified 7,200 devices in the United States accessible on the Internet that appeared to be directly connected to industrial control systems. XP is likely to be highly represented on this list, some experts say.
A decade or so ago, it would be unusual to find control system components running on Windows operating systems, Ginter said. Now, XP and other operating systems gather information from critical points on the power grid or in a factory or industrial complex, relaying them to control rooms where they are converted into commands to regulate processes. Inside control rooms, operators monitor conditions on screens that also run on Microsoft software.
Industry veteran Joel Langill, a consultant who authors the SCADAhacker blog and is a member of the Cyber Security Forum Initiative, says he believes a majority of industrial and energy systems are still using XP. "It's just within the past couple of years that vendors have started to release software that supports the new [Microsoft] operating systems," he said.
"My prediction is the problem will escalate rapidly at the end of this month," Langill said. "Microsoft has drawn their end date, and now the people in exploitation have powerful tools that they know Microsoft won't be able to block."
Other experts see a less dire impact. Dale Peterson, SCADA expert and CEO of the consulting firm Digital Bond, said the potential threat is serious. But he said, "Many of the security leaders in ICS [industrial control systems] have plans and have implemented these plans to address XP and other obsolescence issues.
"Yes, there still are a lot of asset owners running Windows XP in their ICS environment. And yes, some of these vendors are in the electric sector and other critical infrastructure sectors," he added.
"I think it is entirely reasonable for Microsoft to end support for XP, and I don't believe it will affect the security posture for most of the asset owners still running XP." Microsoft gave ample warning of its plans, time enough for users to upgrade to newer Windows options. If some chose not to, that was not Microsoft's fault, he said.
But the risk is there, he said. Companies "need to come to grips with the fact they are running mission-critical IT [information technology] with ICS applications," and that imposes a requirement to take product upgrades seriously, he said.
There are strong institutional pressures against making major upgrades or replacing entire software systems, Ginter said.
Candace Worley, senior vice president of Intel Security, said, "I am not at all surprised that XP continues to have a life of its own. I think that the probability that there will be a subset of systems still running that operating system in four or five years is fairly high," she added, speaking at an Intel-sponsored cybersecurity conference last week.
Moving to a new operating system "is a function of spending millions of dollars to rewrite proprietary software that runs on the system," she said.
Many companies stayed with XP and didn't even consider upgrading to newer Microsoft products because of the cost of upgrades and the risks that switching to new software could cause catastrophic system failures if the conversion backfired.
"When you've built a factory, if you have to change the operating system, you're shutting down the factory, so you're losing revenue; you're losing units, and it doesn't matter if you're manufacturing automobiles, semiconductors, candy bars, whatever the case may be. If it's an embedded system in the plant, you're affecting operations. ... That goes into the risk calculus," said Intel Vice President Malcolm Harkins.
"For every change that you want to make to an industrial network, the question is, 'How likely is it this change will kill anyone?'" Ginter said. "How likely will this change be to put public safety at risk? How likely will this change cause an environmental catastrophe? The answer is never zero. Every change is a risk. You need the risk to be microscopically small."
"Most people won't do significant upgrades on operating systems for five to seven years because it's just too much of an impact on operations," Langill said.
But the cyberthreat has the potential to alter the risk-cost equation, if attackers break through.
"The asset owners can't say, 'My system is so critical to the region and our financials that it must run 24 by 7 by 365 and I should not have to maintain or upgrade my mission-critical IT system for 20 years,'" Peterson said. "The asset owners in this situation are not used to budgeting for the ongoing maintenance and support of a mission-critical IT and are actually fooling themselves about the robustness of the systems they are running."
The threats can range from vulnerabilities in communications networks linking devices to control rooms to the rogue employee or the careless contractor who connects a thumb drive loaded with malware to an operating system.
Industry-led standards for protecting SCADA and ICS systems have centered on a vital defensive concept, Langill said -- the strategy of grouping vulnerable components into virtual zones and then building technology walls around the zones, while intensely monitoring what goes in and out.
"If I have a lot of devices I can't secure on their own, let's put them all together in a zone, and create closely watched communication conduits into the zone," Langill said. "You want to get more technology in front of the devices to prevent the malware from ever getting into the networks.
"That's going to be hard, because a lot of companies never thought about that," he added.
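The zoning strategy Langill describes, grouping the hosts that cannot be secured on their own into a zone and allowing only closely watched conduits in and out, can be expressed as an allowlist that every cross-zone flow is checked against. The following is an added example, not code from the article or from any vendor quoted in it: the zone layout, the permitted conduits, the host addresses and the flow-log lines are all constructed for illustration. It classifies each flow as inside a zone, on a permitted conduit, or a violation, which is the check a monitoring point on a conduit would run.

```python
"""Zone/conduit allowlist check over constructed flow records.

Added illustration of the 'zones and conduits' idea: hosts are grouped
into zones, only explicitly permitted conduits may carry traffic between
zones, and every cross-zone flow is checked against that list. Zone names,
address ranges, ports chosen and the flow-log format are constructed for
this example and do not describe any real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout: legacy XP HMIs sit in their own zone, separate
# from the PLC-facing control zone, a DMZ, and the corporate network.
ZONES = {
    "legacy_hmi": ipaddress.ip_network("10.10.1.0/24"),
    "control":    ipaddress.ip_network("10.10.2.0/24"),
    "dmz":        ipaddress.ip_network("10.10.3.0/24"),
    "corporate":  ipaddress.ip_network("10.20.0.0/16"),
}

# Permitted conduits as (source zone, destination zone, protocol, port).
# Any cross-zone flow not listed here is reported as a violation.
CONDUITS = {
    ("legacy_hmi", "control", "tcp", 502),    # Modbus/TCP polling of PLCs
    ("legacy_hmi", "control", "tcp", 20000),  # DNP3
    ("dmz", "legacy_hmi", "tcp", 445),        # AV signature staging from the DMZ only
    ("corporate", "dmz", "tcp", 443),         # historian web view via the DMZ
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing addr, or None if it is in no defined zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def check_flow(flow: Flow) -> str:
    """Classify a flow as 'unzoned', 'intra-zone', 'permitted' or 'violation'."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "unzoned"          # an endpoint outside every zone: needs its own review
    if s == d:
        return "intra-zone"       # never crosses a conduit
    if (s, d, flow.proto, flow.dport) in CONDUITS:
        return "permitted"
    return "violation"


def find_violations(lines: List[str]) -> List[Flow]:
    """Return the flows that cross a zone boundary outside any permitted conduit."""
    return [f for f in map(parse_flow, lines) if check_flow(f) == "violation"]


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    "10.10.1.15 10.10.2.7 tcp 502",      # HMI polling a PLC: permitted
    "10.10.1.15 10.10.1.16 tcp 139",     # inside the legacy zone: intra-zone
    "10.20.5.40 10.10.1.15 tcp 3389",    # corporate host straight to an XP HMI: violation
    "10.10.1.15 10.20.5.40 tcp 445",     # XP host reaching into corporate: violation
    "10.20.5.40 10.10.3.2 tcp 443",      # corporate to DMZ web view: permitted
    "10.10.1.15 203.0.113.9 tcp 80",     # XP host to an address in no zone: unzoned
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        print(f"{check_flow(parse_flow(line)):>11}  {line}")
```

The point of the structure is that the allowlist is short and reviewable: a legacy host can only talk to what the conduit table names, and the monitoring point reports everything else rather than trying to recognise specific malware, which is what the expiring signatures were doing for XP.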