On the 8th of April 2014, Microsoft effectively “pulled the plug” on its decade-plus-old operating system, Windows XP. What this means for end users is fairly simple: their Windows XP computer won’t stop running, but any security issues identified in the operating system from now on will not be fixed via a patch from Microsoft.
Why does this matter? As recently as February of 2014, figures from NetMarketShare show that Windows XP still accounts for a fourth to a third of the computer systems running worldwide. That means up to one-third of the world’s computers are no longer receiving security patches!
Beyond the home user who just surfs the web and types Word documents, there are thousands of businesses that still run XP as part of their end-user environment and network infrastructure. Infrastructure is the key word: we are talking about things like ATMs, medical devices and equipment, standalone kiosk systems, digital security systems for buildings and Industrial Control Systems.
That last one might have you stumped a bit, but don’t worry. Many in the IT field don’t have a good understanding of what these systems are or how they affect the IT industry. Industrial Control Systems include SCADA (supervisory control and data acquisition) systems, distributed control systems (DCS), and programmable logic controllers (PLC). These are the systems that control your utilities and amusement rides and run many industrial processing plants. Historically these systems have had what would be considered very poor patch compliance, since they are often deemed “Critical Systems” and might get patched as infrequently as once a year, if at all.
Up until now, a malicious hacker had to get into the system first to find out whether it was patched and which exploits they could run. Now, with the end of life for Windows XP, it becomes the wild wild west for these critical systems. When a vulnerability is discovered, you now know that every system running Windows XP is not only vulnerable, but will ALWAYS be vulnerable.
You might be thinking, how likely is an attack against an Industrial Control System? More likely than you would guess! The most famous attack against these types of systems was the infamous “Stuxnet” attack against the Iranian nuclear centrifuges, which ruined one fifth of their assets. In 2013 a researcher at Trend Micro used a “honeypot” simulation of an Industrial Control System for a water pump facility in rural Missouri. This phantom system was attacked 17 times over a 4-month period. 12 of those attacks were deemed “serious”, with attack sources from China, Laos, Russia and Palestine.
This is a major issue. So much so that the United Kingdom recently paid $9.1 billion (US currency) to extend the support of Windows XP until July of 2015. The Netherlands government also purchased an extended support contract for its upwards of 4000 civil service employees still using Windows XP. Recent reports have indicated that even US Government agencies have shelled out millions for extended support, most notably the Internal Revenue Service.
Even with extended support agreements, at $200 a system per year, there is only so long that it is financially responsible to extend the support, especially when new computers with the latest operating system can be purchased for under $400. It will take an aggressive operating system migration and computer replacement plan to root out all those hidden systems before the risk is mitigated.