Reduce Windows XP Risk with Industrial Firewalls

Oct. 27, 2014
While many IT-supported computers have been migrated to a newer version of Windows, industrial devices and machines that run the embedded version of Windows XP are not easily upgraded. Since Windows XP is no longer supported by Microsoft and is becoming the focus of hacker attacks, here’s what should you do to protect your operation.

You are likely well aware that Microsoft ended support for the Windows XP operating system earlier this year. Since that milestone, many organizations have realized they have to move to a newer version of Windows. Doing so is playing out very differently on the IT (enterprise) side of the organization than it is on the OT (operations technology) side.

Many PCs on the enterprise side of the business have been upgraded to Windows 7 or 8. In most cases this has been done without much coordination with users or distraction to the business. For example, if someone’s PC was negatively impacted, IT could fix it the next day. Such a process may have extended to some engineering computers or HMI stations, but would not have taken place for computers and industrial devices on the factory or plant floor.

And because there is such an “if it ain’t broke don’t fix it” approach on the OT side of the house, there has been a huge reluctance to upgrade — and with good reason. Control network systems cannot easily be brought to a halt for an operating system upgrade. And, for the many devices and machines using Windows XP Embedded, there may not be an easy upgrade without replacing the asset.

Addressing Your Risk Now
You may be thinking there is no urgency to move industrial systems to a newer version of Windows. Perhaps you have never implemented any patches over the last ten years and you have not had a serious problem. Well, think again.

Timothy Rains, a director in Microsoft’s Trustworthy Computing division, recently identified security updates for Windows 7 and 8 computers as being a high threat agent for systems running Windows XP. “The probability of attackers using security updates for Windows 7, 8, and Vista to attack Windows XP is about 100 percent,” he said.

With Microsoft saying its own updates are a threat vector, perhaps it’s time to take action to reduce the downtime and productivity risks related to using Windows XP.

As you go through this process, however, you should realize that the challenge of moving away from Windows XP is not that easy. To understand better, consider the domino effect associated with upgrading from Windows XP:

  • You’ll need new PC hardware and/or automation devices;
  • This new equipment will require new software;
  • The new software may require new drivers;
  • Some automation devices won’t work with the new software and drivers and may need to be replaced;
  • Mission-critical applications may begin to behave differently with the new software and hardware, meaning that system integration work will be required;
  • The modified applications need to be deployed;
  • Extensive testing of the new systems is required;
  • User training and support for the new systems are required; and
  • Operational productivity will be lost to the migration project.

Even with all these challenges, there is a way forward that protects your mission critical systems now and lets you migrate to a new version of Windows according to your own schedule. That way involves the implementation of industrial firewalls.

Why You Need An Industrial Firewall
If you talk about Windows XP risk with your IT counterparts, they may not understand why you can’t implement Windows updates like they did. You can clear things up for them simply by explaining the impact of downtime, new equipment requirements, and system testing.

In response, IT may suggest using antivirus software from Symantec or McAfee, or a firewall device from their preferred enterprise networking equipment supplier. While this may be a good start, it won’t be a complete solution for you. As a control engineer or person responsible for operational efficiency, you can’t bring systems down just to install the latest antivirus patch.

Additionally, IT firewalls that protect the edge of your control networks are fine and serve an important purpose, but they can’t be used to secure the crown jewels at the core of your production systems. Why? Because you can’t readily reboot control system devices for updates and industrial systems use protocols not understood by IT firewalls. And that’s not even getting into threats that originate from Windows updates on non-control computers within the control network.

Furthermore, perimeter edge firewall use is insufficient protection for control networks because of the many pathways into the control network, such as supplier laptops and USB keys. Plus, research shows that most industrial cyber security incidents are unintentional and originate within the network.

The Ease of Industrial Firewalls
Let’s be clear, sooner or later you’re going to have to move away from Windows XP. The sooner the better; but it will take a plan and a significant period of time. Even then, certain assets may not be able to migrate away from Windows XP due to the difficulty of upgrading, costs, etc.

So, what do you do in the meantime?

Consider industrial firewalls as an immediate way to protect your mission-critical assets. They are cost effective and they are designed to address the unique security risks and uptime requirements of control networks.

Here’s why:

  1. Industrial firewalls can and should be easy to deploy. To ensure this, check to see if it can be installed without having to reassign IP addresses and without having to shut anything down.
  2. Industrial firewalls commonly support “do no harm” principles. This principle basically means that, once you plug the device in you can select predefined rule sets based on your automation equipment and then monitor traffic on network. The firewall allows you to see what traffic will be blocked when the rule sets are activated and you can make adjustments before going live.
  3. Support for the industrial protocols you use. Be sure to ask about this when researching industrial firewalls. Firewalls using a technology called Deep Packet Inspection should allow the firewall to inspect Modbus commands and allow the read commands necessary for production, but block write commands.

The good news is that you do not need to lose sleep or embark on a mammoth project to protect your systems from risks related to Windows XP. The way to protect mission critical systems now and migrate to a new version of Windows according to your own schedule is as simple as installing industrial firewalls.

For more information, download Belden’s white paper “Windows XP End of Service: Practical Options for Industrial Applications”.

The short video below demonstrates how easy it is install industrial firewalls.

Companies in this Article