Windows XP in automation – time for action
Networked automation components with Microsoft Windows operating systems are widely used. Like PCs in office networks, they are exposed to known and newly discovered Windows security vulnerabilities, which are continually being found and exploited. Microsoft does assure at least five years of mainstream support and an additional five years of extended support for its business operating system products at the current service pack level, during which time security updates are provided. The lifetime of industrial machinery and equipment, however, is often 15, 20, or even more years of operation.
IPCs and embedded components with Microsoft Windows operating systems are widely used in industrial automation.
Following Windows 2000, which reached the end of its support lifecycle in July 2010, the extended support for Windows XP will finally expire in April 2014, more than 12 years after its initial release. Whether for formal IT security guidelines or plain sanity and care: if you restrict connectivity to your production network to systems with state-of-the-art security, this event puts you on the spot.
What is going to happen after 12 years anyway?
A lot! Proceeding with business as usual while keeping both eyes firmly shut is not a recommended course of action as can be seen from a few statistics. In 2012, Microsoft issued 39 security updates relevant for Windows XP SP3, including 25 with the highest classification of “critical” and another 14 at the next level of “important”. Then from January to early July of 2013 alone, Microsoft released another 31 security updates for the system, 18 of them classified as “critical” and 13 as “important”! Most of the security vulnerabilities addressed with these updates can be exploited by attackers for unauthorized elevation of privileges or an execution of remote code on unprotected systems.
Also, in every month from January to June 2013, between one and four additional families of malware were dealt with by new versions of the Microsoft Windows Malicious Software Removal Tool distributed with the other monthly system updates. These included multiple backdoor Trojans such as Win32/Phdet or Win32/Nitol that can be used by attackers to control infected systems through these backdoors, to start Distributed Denial-of-Service (DDoS) attacks against further targets, to deactivate and remove security components, to command the download and execution of arbitrary files, or to spy on sensitive information. So what should be done?
A screen you will not see much longer: the extended support for Windows XP expires in April 2014.
Expensive upgrades
An obvious solution is the upgrade to a newer operating system with current support for the next couple of years. Such upgrades, however, are costly, time- and effort-intensive, and risky. New licenses need to be purchased, and new software installed. And as new versions of Windows tend to be ever hungrier for resources, they often require hardware upgrades or even the acquisition of new hardware as well. That is when the dreaded unanticipated consequences begin to occur, involving considerable extra work and expense, e.g., for purchasing or porting the application software for the new platform. In some industries, automated manufacturing processes require certified systems and the reiteration of an expensive approval process after any change or upgrade of their components. And who wants to take on the responsibility of triggering that cost avalanche when it is very difficult to calculate the potential security risks and the risks of unforeseen glitches that can affect production? Is there no alternative, more efficient solution? Yes, there is one.
Protection by retrofitting of distributed security appliances
What virtually all of the security risks discussed here have in common is that they are based on weaknesses and vulnerabilities of network protocols and services. Attackers and malware exploit these weaknesses over an IP-based network to gain access to data, system control, and opportunities for damage and proliferation. If security updates are no longer available to cure the “diseases” caused by newly discovered vulnerabilities, the remaining option is to sharply reduce the risk of the old system being infected by restricting its communication to the network nodes, protocols, ports, and directions of connection initiation required for the functional operation of the overall plant equipment. Incoming connections from the outside, not initiated by the system itself, can usually be blocked to a large extent. And even inside-out connections do not have to be generally allowed, e.g., access to arbitrary file servers on the corporate network, let alone to the public Internet, can and should typically be blocked.
It is the purpose of firewalls to control and selectively filter the originally unrestricted communications on Ethernet and IP-based networks. In the form of industrial network security appliances, firewalls can be retrofitted in a distributed and cost-efficient way to exactly where they are needed for the reasons discussed here. A complete portfolio of such devices based on the mGuard technology from Innominate is available in various form factors for mounting on rails in cabinets, in 19-inch racks, externally connected to PCs with USB power supply, or as PCI cards right inside an IPC housing.
One particular highlight: thanks to their patented “stealth mode” of operation, these devices can be retrofitted to existing networks in a completely transparent manner. In this mode, the devices automatically assume the MAC and IP address of the respective system they protect, so that no additional addresses are needed to manage the devices themselves and not a single change has to be made to the network configuration. Despite this transparent operation in terms of IP routing, the devices monitor and filter network traffic to and from the protected systems as stateful packet inspection firewalls according to a configurable rule set. No perceptible bottlenecks are added to a 100 Mbit/s Fast Ethernet network thanks to the bi-directional “wire speed” capability of these firewalls.
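As an added illustration of the allow-list and stateful-inspection policy described in the two paragraphs above (example code written for this article, not Innominate's or the mGuard firmware's): a small Python model that denies everything except explicitly listed nodes, protocols, ports and directions of connection initiation, and admits replies only for flows it has already seen. All addresses, ports and the rule set are constructed assumptions.

```python
# Added example, not Innominate's code: minimal model of a default-deny, stateful allow-list.
from dataclasses import dataclass
@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False  # TCP only: True on the packet that initiates a connection
PROTECTED = "192.168.10.20"  # constructed: the Windows XP IPC behind the appliance
# Explicit allow-list of (direction, peer, proto, port); everything else is denied.
RULES = {
    ("in", "192.168.10.5", "tcp", 502),   # constructed: SCADA server polling the IPC
    ("out", "192.168.10.9", "tcp", 443),  # constructed: internal log server the IPC reports to
}

class StatefulFirewall:
    def __init__(self, protected, rules):
        self.protected, self.rules = protected, rules
        self.state = set()  # 5-tuples of established flows, stored in both directions

    def _allowed_new(self, p):
        # The direction of connection initiation decides which rule entry must exist.
        if p.dst == self.protected:
            return ("in", p.src, p.proto, p.dport) in self.rules
        if p.src == self.protected:
            return ("out", p.dst, p.proto, p.dport) in self.rules
        return False  # traffic not involving the protected host is not forwarded

    def filter(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key in self.state:
            return "ACCEPT(established)"
        if p.proto == "tcp" and not p.syn:
            return "DROP(no state)"  # mid-stream TCP packet with no tracked flow
        if self._allowed_new(p):
            self.state.add(key)
            self.state.add((p.dst, p.dport, p.src, p.sport, p.proto))  # reply path
            return "ACCEPT(new)"
        return "DROP(policy)"

def run_demo():
    """Constructed traffic sample; returns the verdict for each packet in order."""
    fw = StatefulFirewall(PROTECTED, RULES)
    packets = [
        Pkt("192.168.10.5", 40000, PROTECTED, 502, "tcp", syn=True),  # allowed inbound poll
        Pkt(PROTECTED, 502, "192.168.10.5", 40000, "tcp"),            # its reply: matched by state
        Pkt("10.0.0.77", 51000, PROTECTED, 445, "tcp", syn=True),     # unlisted host to file sharing: dropped
        Pkt(PROTECTED, 49152, "203.0.113.10", 80, "tcp", syn=True),   # IPC to public Internet: dropped
    ]
    return [fw.filter(p) for p in packets]
```

Note that the reply in the second packet is accepted only because the first packet created state; the same packet arriving on a fresh firewall is dropped for lack of a tracked flow.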
Cost-efficient network security can transparently be retrofitted to non-patchable Windows systems in industrial applications with mGuard security appliances in a variety of form factors.
The mGuard security appliances can be efficiently deployed to the field with a flexible flash and roll-out procedure and be managed both one-by-one through their Web-based user interface as well as centrally for large groups of devices through the mGuard Device Manager software.
If required, additional available features can further enhance the security of networked equipment. Configuration of specific user firewall rules can restrict the type and duration of access to authorized individuals, who may log in and authenticate themselves from varying locations, PCs, and IP addresses. Virtual Private Network (VPN) functions provide for secure authentication of remote stations and the encryption of data traffic. And the unique mGuard Integrity Monitoring functionality can reliably detect unexpected modifications of Windows file systems, such as the infection of executable code by malware, thus providing an industry-suitable alternative to conventional anti-virus software.
Using this protective concept, customers in a variety of industries have already had excellent results providing security to older production equipment running systems from Windows 95 to Windows 2000 for many years beyond their support lifecycle. Furthermore, even many embedded PCs which are classified as non-patchable from day one of their lifecycle due to certifications, warranty claims, or concerns about update-related disruptions can benefit from enhanced security following the same principle long before the support of their operating system expires.
Conclusion
Operating industrial Windows XP systems and applications securely beyond April 2014 is a challenge requiring time for analysis, selection, planning, and execution of a preferred solution, deployment of security appliances being a good candidate. Hence, now is the time to start the action. And just in case you might want to mark your calendars: the extended support for Windows XP Embedded will expire in January 2016.
About the author
Torsten Roessel is Chief Marketing Officer at Innominate Security Technologies AG – www.innominate.com – He can be reached at troessel@innominate.com