In April 2014, Microsoft stopped issuing security patches for its XP operating system. While the move had been announced two years previously, many corporate operations – including building management and industrial automation systems – have yet to migrate to supported operating systems. Given XP’s presence throughout such systems and devices, both in the United States and around the globe, managers should ensure backup approaches are in place, including uninterruptible power, should the operating system’s security be breached, even as they move forward with transition planning.
Prior to discontinuing support for XP, Microsoft issued regular security updates as weaknesses were discovered in the program’s code. Now that such support has ended, XP is vulnerable to outside hackers conducting “zero day” attacks – that is, attacks taking advantage of previously unknown weaknesses. Control centers could be especially tempting targets, since those workstations often can access HVAC, electrical and life safety and security systems throughout a building, campus or industrial plant. Those facilities lacking uninterruptible power supplies or other backup options could find themselves in the dark if their XP-based controls are compromised.
And, even if your facility’s operations have long since migrated to more current – and supported – operating systems, your electricity supply might still be at risk if your utility is still working with XP-based control systems. This isn’t a far-fetched possibility: XP is a common presence in workstations across the electric utility industry. And, as this article from the Wall Street Journal’s CIO Journal points out, the security software firm Symantec discovered a hacker group actively targeting the energy grid, major electric utilities and petroleum pipeline operators in the spring of 2014, soon after Microsoft ended its support.
Similarly, ICS-CERT (the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team) has issued a warning to all organizations working with Internet-accessible control systems, following its discovery that an outside hacker had gained unauthorized access to a public utility’s control-system network. Such threats will only continue to grow as the Internet of Things spreads throughout formerly inaccessible control, alert and level-checking devices. And this risk won’t be going away anytime soon – upgrading existing utility control equipment and software to enable new operating systems is both technically challenging and extremely expensive, so it could be years before the hazards posed by insecure XP-based controls have been eliminated.
The ICS-CERT warning also includes suggested practices that could help lessen the possibility of a successful cyber-attack for all facilities, whether working with XP or not, and international operations would be well advised to consider them, too. These include:
- Minimize network exposure for all control system devices – locate them behind firewalls and isolate them from the business network.
- When remote access is required, use virtual private networks and other secure methods for such communication.
- Remove, disable or rename any default system accounts, wherever possible.
- Implement account-lockout policies to reduce risk from brute-force attempts.
- Keep up to date on currently active threats through ICS-CERT Alerts.
In the end, whether you’ve upgraded your operating system or not, Schneider Electric also can help you evaluate your facility’s backup power needs. We offer a wide range of power-protection systems designed for any industry and infrastructure environment. Visit our site for more information.