The Problem
Microsoft has announced that April 8, 2014 will mark the “End of Support” for Windows XP and Office 2013. The announcement has IT folks scrambling to migrate any remaining XP machines to newer operating systems. At the same time, it has automation personnel wondering how big a problem the whole “End of Support” issue really is for them. After all, automation computers are usually separated from business networks by firewalls (or ought to be) if not completely isolated.
The cost of upgrading computer hardware and software on a properly functioning manufacturing system can be a bitter pill to swallow, particularly when it’s unclear if the upgrade is really needed. We’ll explain why the migration is probably necessary and offer some suggestions to ease the pain.
Why It Really Is a Problem
It’s important to understand that “End of Support” really means that Microsoft will stop offering patches to correct security vulnerabilities found in the Windows XP operating system.
As a result, computers running Windows XP after that date will be at an increased risk of malware attacks.
Even computers that are behind a firewall or installed on isolated networks can be exposed to such attacks via USB drives, cell phones or vendor laptops. Consider further that a misplaced patch cable in a network panel could inadvertently allow an outside connection to the system. If not caught quickly by the network administrator, this would provide an avenue for unwanted access to the entire Industrial Control System and any other connected systems (business network, finance, etc.). If a malware attack is able to compromise your workstation and propagate to the other nodes on the network, your SCADA/HMI workstations can become inoperative.
The US Department of Homeland Security offers regular updates on control system security issues. A quick perusal of the list of advisories published on the ICS-CERT website offers a glimpse into the sorts of issues that can be encountered by control systems owners if the proper measures are not taken.
Because they will now be particularly vulnerable to such attacks, Windows XP machines will quickly become a liability that most manufacturing operations won’t want to tolerate. This is one case where the IT group has it right.
Pay Me Now or Pay Me Later
Consider too that Windows XP machines will eventually require a hardware upgrade due to hardware failure or compatibility issues, even if they’re operating properly right now. The cost of the Windows 7 license, configuration and workstation is going to be the same whether you wait for a catastrophic event or plan the migration. The cost of the downtime required for the migration, however, may be much different.
When the time comes to update, the new hardware may not have drivers available to work with Windows XP. The current version of the Industrial Control Systems (ICS) applications (iFIX, Proficy, Wonderware, RSView32, WinCC) running on the legacy workstation typically won’t operate in the Windows 7 environment without an upgrade. Overcoming these challenges while your system is down is not conducive to sleep, a happy marriage, or becoming a world-class musician in your spare time…
An Example
Talos has recently performed conversion projects for several of our customers who needed to upgrade from RSView32 to FactoryTalk View SE because of compatibility issues in the former with the newer Microsoft operating systems.
One such customer (in an industry categorized as critical infrastructure by the US Department of Homeland Security) failed a security audit based on one Windows XP machine running RSView32. The vulnerability prompted a discussion with us to review their system as a whole. We were able to upgrade the hardware, operating system and control system software (FactoryTalk View SE) simultaneously. This allowed the system to be configured, tested then deployed with no downtime for debugging. We estimate that if they had waited for a failure, the cost of downtime and recovery would have been at least three times what it was in this case.
What to Do
Fortunately, most of the major automation hardware and software vendors have issued white papers or maintain websites offering information about the impact of the end of support for XP on their systems, along with tips for migration. Many also offer discounts on upgrades for existing customers. Be sure to inquire about this before you pay full price for the new software.
Another positive: the prospect of upgrading from XP offers an ideal opportunity to look for other system components that deserve attention. Do you have current backups of all application software (PLC programs, HMI projects, drive configuration files, historian configurations, etc.)? Are application software patches up to date? Is the control hardware firmware up to date? Is replacement hardware for the control system still available, or is it outdated as well? Our advice is to audit your current systems not only for security reasons but for backup, recovery and restoration purposes as well. Failure to keep systems current today is likely to cost you in production downtime, lost data and reliability in the future.
If you have any questions about the services of Talos Engineering, call or email and we’ll be glad to work with you to arrive at your best solution to migrate from Windows XP to Windows 7 or Windows 8.
– Brian, Jason