Application Security
4/10/2014
06:05 PM

Windows XP Alive & Well in ICS/SCADA Networks

End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

Microsoft may have officially retired its Windows XP operating system this week, but that doesn't mean power plants and other critical infrastructure networks are dropping the now-unpatchable OS.

While there is no official public data on the number of XP systems running in ICS/SCADA environments, experts in that area say it's well represented, as are even older versions of Windows. Running insecure OSs may seem counterintuitive in such sensitive environments as power, gas, and oil industry networks, but it's a matter of priority: Patching remains rare in these networks for practical reasons, experts say.

The no-patch mentality is a cultural one for the ICS/SCADA world that goes beyond Windows XP: Safety and uninterrupted operations trump cyber security in those environments, and many of these systems never get the latest software updates for that reason.

Overall, somewhere between 10 and 20 percent of organizations today actually install the patches that their SCADA vendors release, according to SCADA security experts. Utilities and ICS organizations face the risk of a power shutdown if a newly patched system goes awry. Patching workstations and servers is less dicey than patching a factory-floor or power-generation system, so those machines are more likely to get patched than plant-floor systems: they have shorter life spans and less direct impact on operations.

Billy Rios, director of threat intelligence at Qualys, who has tested various ICS/SCADA and other embedded devices for security flaws, says the HMI (human-machine interface) and other applications atop XP in these process environments are more vulnerable than XP. "They really don't patch, anyway," Rios says. "And even if they did update, it's the software that's on top that's most vulnerable. The HMI software to run power plants and oil refineries is so riddled with bugs... it doesn't matter what OS it's running."

Many of these plant networks have controllers and other devices running Windows XP Embedded, a stripped-down version of the OS for specialized devices, which was not cut off by Microsoft this week as the full XP OS was, Rios notes.

"When you have a backdoor password in the HMI, it doesn't matter what OS you run. Someone can log in, regardless. You could upgrade to Windows 8 and still have problems."

Dale Peterson, CEO of Digital Bond, an ICS/SCADA consultancy, says XP worries really don't apply to the ICS/SCADA environment. "There's a high correlation when we go into a site and start scanning and see they have XP systems. We see very little patching going on, and they may or may not have patched since they installed it," he says. "Those people can't be up in arms about Microsoft not supporting XP [anymore]. They'd rather not deal with the issue."

In a recent blog post, Peterson said:

It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually. The fact that Microsoft is not issuing patches doesn’t change their security posture one bit. In fact, some secretly are happy about this because they now have an excuse why they can't patch.

That doesn't mean all ICS/SCADA operators don't care about patching. The more security-aware ones are finding ways to update software where they can, and to ensure the update doesn't break their applications, according to Peterson. "You can't do an upgrade of an OS without testing that your key applications support it. It's really basic IT practices that they need to adopt. I'm really glad XP [end-of-life] happened. It made a lot of people who care about this think through those issues."

Paul Asadoorian, product evangelist for Tenable Network Security, says while the threat to these XP systems indeed is there, power plant operators prefer to add more monitoring or other defenses to watch for malware and attacks than to change out software. "[Much] of this industry has put in appropriate protections," Asadoorian says. "They are hesitant to [patch] because these devices are controlling valves in nuclear plants and water plants."

So, instead, they tend to monitor for malware, and, increasingly, some are looking at whitelisting technology as well as specialized firewalls and gateways.

Asadoorian says he once pointed out malware on an ICS workstation, and the operator shrugged it off. "I push this button and the valve opens either way," the plant operator told Asadoorian. Says Rios of the exchange: "It was very clear that the priority was for the system to operate even if it has malware."

These plants tend to focus more on physical security and firewalls or unidirectional gateways to cordon off critical systems. "The truth is they have soft interiors," says Andrew Ginter, vice president of industrial security at Waterfall Security. "And every change is a threat to safety and reliability... So change is very slow, and that's why we still see XP hanging around. It's trusted and understood."

Ginter says most XP implementations are in PLCs, RTUs, and concentrators. "It might be true of XP that the vendor has stripped it down so it's smaller and easier to manage. That's not the same as desktop XP," he says. "But it's still XP and still under the same vulnerabilities."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Bprince, User Rank: Ninja
4/18/2014 | 11:21:26 PM
compensating measures
From what I have been told, for many the focus is on "compensating measures" such as firewalls and physical security. Truth is, they have been dealing with this type of issue for years. It's not uncommon to find Windows 2000 and even NT. The mindset is to measure the ROI on devices (turbines etc.) in decades, so as long as the OS works for what they need it for, it doesn't get upgraded. Also there are probably many cases where software designed for an older piece of equipment may not run on Windows 8 and only works on XP.

RyanSepe, User Rank: Ninja
4/11/2014 | 10:23:35 PM
Safeguards of XP
What safeguards are being taken to ensure that the systems are not being exploited other than the firewall mentioned in the article? Do they even call out to the internet, or are they their own private entity off the wire?