Microsoft may have officially retired its Windows XP operating system this week, but that doesn't mean power plants and other critical infrastructure networks are dropping the now-unpatchable OS.
While there is no official public data on the number of XP systems running in ICS/SCADA environments, experts in that area say it's well represented, as are even older versions of Windows. Running insecure OSs may seem counterintuitive in such sensitive environments as power, gas, and oil industry networks, but it's a matter of priority: Patching remains rare in these networks for practical reasons, experts say.
The no-patch mentality is a cultural one for the ICS/SCADA world that goes beyond Windows XP: Safety and uninterrupted operations trump cyber security in those environments, and many of these systems never get the latest software updates for that reason.
Overall, somewhere between 10 and 20 percent of organizations today actually install the patches that their SCADA vendors release, according to SCADA security experts. Utilities and ICS organizations face risks of power shutdowns if a newly patched system goes awry. Patching workstations and servers is less dicey than patching a factory-floor or power-generation system, and those systems are more likely to get patched than plant-floor systems, because they have shorter life spans and less direct impact on operations.
Billy Rios, director of threat intelligence at Qualys, who has tested various ICS/SCADA and other embedded devices for security flaws, says the HMI (human-machine interface) and other applications atop XP in these process environments are more vulnerable than XP. "They really don't patch, anyway," Rios says. "And even if they did update, it's the software that's on top that's most vulnerable. The HMI software to run power plants and oil refineries is so riddled with bugs... it doesn't matter what OS it's running."
Many of these plant networks have controllers and other devices running Windows XP Embedded, a stripped-down version of the OS for specialized devices, which was not cut off by Microsoft this week as the full XP OS was, Rios notes.
"When you have a backdoor password in the HMI, it doesn't matter what OS you run. Someone can log in, regardless. You could upgrade to Windows 8 and still have problems."
Dale Peterson, CEO of Digital Bond, an ICS/SCADA consultancy, says XP worries really don't apply to the ICS/SCADA environment. "There's a high correlation when we go into a site and start scanning and see they have XP systems. We see very little patching going on, and they may or may not have patched since they installed it," he says. "Those people can't be up in arms about Microsoft not supporting XP [anymore]. They'd rather not deal with the issue."
In a recent blog post, Peterson said:
It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually. The fact that Microsoft is not issuing patches doesn’t change their security posture one bit. In fact, some secretly are happy about this because they now have an excuse why they can't patch.
That doesn't mean all ICS/SCADA operators don't care about patching. The more security-aware ones are finding ways to update software where they can, and to ensure the update doesn't break their applications, according to Peterson. "You can't do an upgrade of an OS without testing that your key applications support it. It's really basic IT practices that they need to adopt. I'm really glad XP [end-of-life] happened. It made a lot of people who care about this think through those issues."
Paul Asadoorian, product evangelist for Tenable Network Security, says while the threat to these XP systems indeed is there, power plant operators prefer to add more monitoring or other defenses to watch for malware and attacks than to change out software. "[Much] of this industry has put in appropriate protections," Asadoorian says. "They are hesitant to [patch] because these devices are controlling valves in nuclear plants and water plants."
So, instead, they tend to monitor for malware, and, increasingly, some are looking at whitelisting technology as well as specialized firewalls and gateways.
Asadoorian says he once pointed out malware on an ICS workstation, and the operator shrugged it off. "I push this button and the valve opens either way," the plant operator told Asadoorian. Says Rios of the exchange: "It was very clear that the priority was for the system to operate even if it has malware."
These plants tend to focus more on physical security and firewalls or unidirectional gateways to cordon off critical systems. "The truth is they have soft interiors," says Andrew Ginter, vice president of industrial security at Waterfall Security. "And every change is a threat to safety and reliability... So change is very slow, and that's why we still see XP hanging around. It's trusted and understood."
Ginter says most XP implementations are in PLCs, RTUs, and concentrators. "It might be true of XP that the vendor has stripped it down so it's smaller and easier to manage. That's not the same as desktop XP," he says. "But it's still XP and still under the same vulnerabilities."