One significant milestone in operating system history occurred yesterday– the end of official support for Microsoft Windows XP. As with many in the industry, it got me to thinking of the implications for specific OT-centric industries. I spent over a decade in the electric utility business before becoming an analyst, so my attention naturally turned to my colleagues in that industry. There has been so much concern of late on the security of the “smart grid” (a catch-all phrase used by many in the media to actually denote the more complex web of services provided by the utility industry). I was recently approached by some within the business media community to comment on the milestone of the end of Windows XP support, particularly since there are a number of systems within the utilities that depend upon XP for some critical functions. Listed below are some of the observations and suggestions that I provided to them. I reproduce them here for your consideration as well. For those of you in other industries, I don’t think it would be hard to extrapolate some similar observations in light of how you use Windows XP as well in the industrial control and automation environments.
1- Utilities are more likely to be concerned not about the security or system management implications of the XP maintenance as much as they are about the implications on regulatory compliance. Most utilities fall under the NERC CIP (North American Electric Reliability Corporation – Critical Infrastructure Protection) guidelines, now in their fifth edition. Utilities are accustomed to providing rather detailed regulatory compliance audit reporting to prove compliance with the regulation. They are currently reviewing what this maintenance end may mean in interpreting areas related to change and configuration management. Many consulting firms and major vendors in the utility product/service markets are gearing up to aid the utilities in evaluating implications and taking steps to address them;
2- Windows XP isn’t the only back-dated operating system in use in utilities—there are a significant number of old and back-dated UNIX and Linux OS versions running in utilities throughout the world, though few of them have the presence or impact that Microsoft’s announcement has for XP users. The main point that I made in earlier notes to you is that the OS environments in operational technology (OT) for control and automation change much less often than in IT environments because of utility needs for high reliability, availability and safety. Ironically, patch management is often applied due to concerns either about system stability or vulnerability. But these systems are frequently (a) highly customized from the original, out-of-the-box environment; (b) hardened via some fairly impressive network segmentation and security as a general rule, (c) devoted to very specific OT uses, and not as a general-purpose OS for multiple internal users, and (d) monitored closely by engineers keen on keeping the systems reliable. There are frequently backups to these systems as well;
3- Though the maintenance end-of-life issue will raise future planning concerns for utilities, the fact is they won’t be able as a general rule to update or replace these systems easily or quickly. Modernization and update of such systems occurs more slowly due to the critical real-time, event-driven nature of some of the systems, and developing a project to switch over a system built for high-availability will be non-trivial.
There are some relatively straightforward steps that utilities can do to prepare, and most utilities have already started on implementing these (and others), or in the process of doing so. Those steps include:
– Ensure you have an accurate inventory of where Win XP systems are deployed, complete with historical information regarding length of service, hardware configurations, network connectivity, remote access, users and their credentials—all of the normal detail associated with technical or risk assessments;
– Employ a risk analysis to get a sense of “prioritization” with those systems dependent upon Win XP, i.e. which ones pose the most significant risk to the utility, which ones are most-to-least complex in current configuration and in possible replacement;
– Review current regulations regarding change management and determine with a level of assurance the impact of this deadline on current efforts to comply with NERC CIP;
– Evaluate the current market for any options related to extending the lifetime of Win XP systems while you plan the next steps of the process.
I can say to you in summary that the end-of-life of XP maintenance is a matter of concern for utilities and the smart grid in general, but in the scheme of other concerns, I don’t believe it represents the largest one, nor do I believe that the smart grid will be less secure tomorrow than it is today as a result of the change. I consistently see that most of the problems related to securing these environments arise from not following very basic, tried-and-tested policy and process for securing the infrastructure, and managing stable OS environments is part of that policy and process.
The OT-centric industry has some formidable challenges ahead, and this is but one of several.
Read Complimentary Relevant Research
Security Monitoring and Operations Primer for 2017
Security monitoring and operations excellence is a key component of any effective security program. Gartner's 2017 research will guide...
View Relevant Webinars
Equip Your IAM Risk-Based Planning With a Comprehensive Risk Model
Assessment of more than 50 large IAM deployments have shown suboptimal IAM solutions with arbitrary priorities, missing time and budget...
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.