The risk to manufacturing organizations caused by the end of service of Windows XP for industrial applications is a serious one. After all, the Windows XP operating system runs not only on the desktops and laptops in manufacturing front offices and engineering departments around the globe, but also on the ruggedized PCs running PLC, DCS and other device configuration/monitoring applications in your production operations. And then there are all the instances of XP in the embedded components in thousands of devices that control factory automation and process control operations.
Considering the ubiquity of Windows XP in manufacturing and the cessation of support for the platform by Microsoft, manufacturers are faced with three options: 1) Do nothing and hope for the best; 2) Upgrade to a new version of Windows—this is ultimately necessary, but much easier said than done; or 3) Implement industrial firewalls to protect your existing Windows XP systems as you move through the upgrade process.
With these three options in mind, let's take a close look at each.
Option 1: Maintain the Status Quo and Do Nothing
Let’s say you love the stability of the Windows XP OS and don’t want to upgrade. Perhaps you have never implemented any Windows XP patches over the last 10 years and you don’t recall having a serious problem with computers, devices or applications over the time the OS has been in service.
However, you’ve probably seen a few situations where the computer or the application had some unexplained problem. Resolving them required a call to Microsoft or a software vendor to provide a patch, new driver or some other software reload to return your system to normal.
Now, you need to decide if the risk of this kind of incident—with no support available—is a situation that fits with your operation’s uptime requirements.
Don’t forget that any USB or laptop connecting to the industrial network going forward could accidentally introduce a virus or malware that could impact a Windows XP-based system. Cyber attacks on industrial systems have also increased dramatically over the last five years, and the end of service for Windows XP may trigger malware attacks directed at it.
Option 2: Migrate to a New Version of Windows
The timeframe for a complete changeout, including making sure everything works as it should once it’s put back together, can range from 12 to 24 months.
To begin, create an inventory of the Windows XP and non-XP OS assets in your plant network. Next, consider the Windows XP upgrade domino effect and identify the areas in it that will present the biggest challenges to your organization.
The domino effect, when upgrading the operating system in a manufacturing environment, means that:
- You’ll need new PC hardware and/or automation devices;
- This new equipment will require new software;
- The new software will require new drivers;
- Some automation devices won’t work with the new software and drivers and may need to be replaced;
- Mission-critical applications may begin to behave differently with the new software and hardware and system integration work will be required;
- The modified applications need to be deployed;
- Extensive testing of the new systems is required;
- User training and support for the new systems are required; and
- Meanwhile, operational productivity is lost to the migration project.
Taking into account all of these challenges, take the time to create your plan and be sure to include the right budget and people to get the job done. When it comes to timing estimates, be generous. These projects often take 3-5 times longer than the time allotted for them. Then take a deep breath and remember that OS migration, while necessary, won’t get done overnight.
Option 3: Reduce Downtime Risk Using Industrial Firewalls
Another option is to deploy industrial firewalls. They provide immediate protection while you carry out your longer-term plan of migrating away from Windows XP and deal with those devices that cannot be migrated from the Windows XP OS to a supported platform. These devices can be easily configured to block network traffic that can exploit vulnerabilities in Windows XP-based systems, while still allowing those systems to perform their primary functions without interruption. The advantages of industrial firewalls include:
- Deployment into live networks without disrupting production;
- Simple installation and configuration;
- Design for industrial deployment from the ground up, through rugged design and certification;
- Possible built-in intelligence about industrial protocols and the ability to provide superior protection through technology called Deep Packet Inspection; and
- Implementation without requiring action on any of the Windows XP upgrade dominoes.
Though the end of service for Windows XP means we need to say good-bye to a trusted component of the industrial application ecosystem, we must all realize that it is not going to be easy or fast to replace this component. While your Windows XP upgrade planning and execution are underway, take immediate steps to secure your operations. We recommend installing industrial firewalls as an immediate security solution because doing so requires minimal staff time, can be completed quickly, has low training and support requirements, does not involve upgrading or replacing other systems, and is cost effective. Using industrial firewalls gives you immediate peace of mind regarding cyber security plus the freedom to migrate away from Windows XP on your own schedule.
The video below, featuring Mike Miclot of Belden, explains what the end of service for Microsoft XP means for industrial users.