Application Security
4/10/2014
06:05 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Windows XP Alive & Well in ICS/SCADA Networks

End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception.

Microsoft may have officially retired its Windows XP operating system this week, but that doesn't mean power plants and other critical infrastructure networks are dropping the now-unpatchable OS.

While there is no official public data on the number of XP systems running in ICS/SCADA environments, experts in that area say it's well represented, as are even older versions of Windows. Running insecure OSs may seem counterintuitive in such sensitive environments as power, gas, and oil industry networks, but it's a matter of priority: Patching remains rare in these networks for practical reasons, experts say.

The no-patch mentality is a cultural one for the ICS/SCADA world that goes beyond Windows XP: Safety and uninterrupted operations trump cyber security in those environments, and many of these systems never get the latest software updates for that reason.  

Overall, somewhere between 10 to 20 percent of organizations today actually install patches that their SCADA vendors are releasing, according to SCADA security experts. Utilities and ICS organizations face risks of power shutdowns if a newly patched system goes awry. Patching workstations and servers is less dicey than a factory-floor or power-generation system, and those systems are more likely to get patched than plant-floor systems, because they have shorter life spans and less direct impact on operations.

Billy Rios, director of threat intelligence at Qualys, who has tested various ICS/SCADA and other embedded devices for security flaws, says the HMI (human-machine interface) and other applications atop XP in these process environments are more vulnerable than XP. "They really don't patch, anyway," Rios says. "And even if they did update, it's the software that's on top that's most vulnerable. The HMI software to run power plants and oil refineries is so riddled with bugs... it doesn't matter what OS it's running."

Many of these plant networks have controllers and other devices running Windows XP Embedded, a stripped-down version of the OS for specialized devices, which was not cut off by Microsoft this week as the full XP OS was, Rios notes.

"When you have a backdoor password in the HMI, it doesn't matter what OS you run. Someone can log in, regardless. You could upgrade to Windows 8 and still have problems."

Dale Peterson, CEO of Digital Bond, an ICS/SCADA consultancy, says XP worries really don't apply to the ICS/SCADA environment. "There's a high correlation when we go into a site and start scanning and see they have XP systems. We see very little patching going on, and they may or may not have patched since they installed it," he says. "Those people can't be up in arms about Microsoft not supporting XP [anymore]. They'd rather not deal with the issue."

In a recent blog post, Peterson said:

It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually. The fact that Microsoft is not issuing patches doesn’t change their security posture one bit. In fact, some secretly are happy about this because they now have an excuse why they can't patch.

That doesn't mean all ICS/SCADA operators don't care about patching. The more security-aware ones are finding ways to update software where they can, and to ensure the update doesn't break their applications, according to Peterson. "You can't do an upgrade of an OS without testing that your key applications support it. It's really basic IT practices that they need to adopt. I'm really glad XP [end-of-life] happened. It made a lot of people who care about this think through those issues."

Paul Asadoorian, product evangelist for Tenable Network Security, says while the threat to these XP systems indeed is there, power plant operators prefer to add more monitoring or other defenses to watch for malware and attacks than to change out software. "[Much] of this industry has put in appropriate protections," Asadoorian says. "They are hesitant to [patch] because these devices are controlling valves in nuclear plants and water plants."

So, instead, they tend to monitor for malware, and, increasingly, some are looking at whitelisting technology as well as specialized firewalls and gateways.

Asadoorian says he once pointed out malware to an ICS workstation, and the operator shrugged it off. "'I push this button and the valve opens either way," the plant operator told Asadoorian.  Says Rios of the exchange: "It was very clear that the priority was for the system to operate even if it has malware."

These plants tend to focus more on physical security and firewalls or unidirectional gateways to cordon off critical systems. "The truth is they have soft interiors," says Andrew Ginter, vice president of industrial security at Waterfall Security. "And every change is a threat to safety and reliability... So change is very slow, and that's why see still see XP hanging around. It's trusted and understood."

Ginter says most XP implementations are in PLCs, RTUs, and concentrators. "It might be true of XP that the vendor has stripped it down so it's smaller and easier to manage. That's not the same as desktop XP," he says. "But it's still XP and still under the same vulnerabilities."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
4/18/2014 | 11:21:26 PM
compensating measures
From what I have been told is that for many the focus is on "compensating measures" such as firewalls and physical security. Truth is, they have been dealing with this type of issue for years. It's not uncommon to find Windows 2000 and even NT. The mindset is to measure the ROI on devices (turbines etc) in decades, so as long as the OS works for what they need it for, it doesn't get upgraded. Also there are probably many cases where software designed for an older piece of equipment may not run on Windows 8 and only work on XP.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/11/2014 | 10:23:35 PM
Safeguards of XP
What safeguards are being taken to ensure that the systems are not being exploited other than the firewall mentioned in the article? Do they even call out to the internet or are they there own private entity off the wire?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio