
Windows XP Alive & Well in ICS/SCADA Networks

End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

Microsoft may have officially retired its Windows XP operating system this week, but that doesn't mean power plants and other critical infrastructure networks are dropping the now-unpatchable OS.

While there is no official public data on the number of XP systems running in ICS/SCADA environments, experts in that area say it's well represented, as are even older versions of Windows. Running insecure OSs may seem counterintuitive in such sensitive environments as power, gas, and oil industry networks, but it's a matter of priority: Patching remains rare in these networks for practical reasons, experts say.

The no-patch mentality is a cultural one for the ICS/SCADA world that goes beyond Windows XP: Safety and uninterrupted operations trump cyber security in those environments, and many of these systems never get the latest software updates for that reason.  

Overall, somewhere between 10 and 20 percent of organizations today actually install the patches that their SCADA vendors release, according to SCADA security experts. Utilities and ICS organizations face the risk of power shutdowns if a newly patched system goes awry. Patching workstations and servers is less dicey than patching a factory-floor or power-generation system, and those systems are more likely to get patched than plant-floor systems, because they have shorter life spans and less direct impact on operations.

Billy Rios, director of threat intelligence at Qualys, who has tested various ICS/SCADA and other embedded devices for security flaws, says the HMI (human-machine interface) and other applications atop XP in these process environments are more vulnerable than XP. "They really don't patch, anyway," Rios says. "And even if they did update, it's the software that's on top that's most vulnerable. The HMI software to run power plants and oil refineries is so riddled with bugs... it doesn't matter what OS it's running."

Many of these plant networks have controllers and other devices running Windows XP Embedded, a stripped-down version of the OS for specialized devices, which was not cut off by Microsoft this week as the full XP OS was, Rios notes.

"When you have a backdoor password in the HMI, it doesn't matter what OS you run. Someone can log in, regardless. You could upgrade to Windows 8 and still have problems."

Dale Peterson, CEO of Digital Bond, an ICS/SCADA consultancy, says XP worries really don't apply to the ICS/SCADA environment. "There's a high correlation when we go into a site and start scanning and see they have XP systems. We see very little patching going on, and they may or may not have patched since they installed it," he says. "Those people can't be up in arms about Microsoft not supporting XP [anymore]. They'd rather not deal with the issue."

In a recent blog post, Peterson said:

It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually. The fact that Microsoft is not issuing patches doesn’t change their security posture one bit. In fact, some secretly are happy about this because they now have an excuse why they can't patch.

That doesn't mean all ICS/SCADA operators don't care about patching. The more security-aware ones are finding ways to update software where they can, and to ensure the update doesn't break their applications, according to Peterson. "You can't do an upgrade of an OS without testing that your key applications support it. It's really basic IT practices that they need to adopt. I'm really glad XP [end-of-life] happened. It made a lot of people who care about this think through those issues."

Paul Asadoorian, product evangelist for Tenable Network Security, says while the threat to these XP systems indeed is there, power plant operators prefer to add more monitoring or other defenses to watch for malware and attacks than to change out software. "[Much] of this industry has put in appropriate protections," Asadoorian says. "They are hesitant to [patch] because these devices are controlling valves in nuclear plants and water plants."

So, instead, they tend to monitor for malware, and, increasingly, some are looking at whitelisting technology as well as specialized firewalls and gateways.

Asadoorian says he once pointed out malware to an ICS workstation, and the operator shrugged it off. "I push this button and the valve opens either way," the plant operator told Asadoorian. Says Rios of the exchange: "It was very clear that the priority was for the system to operate even if it has malware."

These plants tend to focus more on physical security and firewalls or unidirectional gateways to cordon off critical systems. "The truth is they have soft interiors," says Andrew Ginter, vice president of industrial security at Waterfall Security. "And every change is a threat to safety and reliability... So change is very slow, and that's why we still see XP hanging around. It's trusted and understood."

Ginter says most XP implementations are in PLCs, RTUs, and concentrators. "It might be true of XP that the vendor has stripped it down so it's smaller and easier to manage. That's not the same as desktop XP," he says. "But it's still XP and still under the same vulnerabilities."

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

4/18/2014 | 11:21:26 PM
compensating measures
From what I have been told, for many the focus is on "compensating measures" such as firewalls and physical security. Truth is, they have been dealing with this type of issue for years. It's not uncommon to find Windows 2000 and even NT. The mindset is to measure the ROI on devices (turbines, etc.) in decades, so as long as the OS works for what they need it for, it doesn't get upgraded. Also, there are probably many cases where software designed for an older piece of equipment may not run on Windows 8 and only works on XP.
4/11/2014 | 10:23:35 PM
Safeguards of XP
What safeguards are being taken to ensure that the systems are not being exploited other than the firewall mentioned in the article? Do they even call out to the internet or are they their own private entity off the wire?