Public Utilities Have a Serious Windows XP Problem

June 5

A week or so ago, my fellow StorageCraft blogger Christine Hall discussed the number of large organizations and agencies that are still using outdated technologies, from the 75% of water utilities still using Windows XP to our nuclear missile stores that still are managed by floppy disks!

If it’s all right with you, I’m just going to be in denial about the latter.

So let’s stick with public utilities for now. Last March, Wall Street Journal reporter Rachael King wrote that 59% of the cyber incidents reported to the Department of Homeland Security came from the energy sector.

King quoted Michael Assante, “former vice president and chief security officer for the North American Electric Reliability Corp. and former chief security officer for American Electric Power Co. Inc.,” as saying that Windows XP is still the dominant operating system on workstations in nearly every electric and gas utility in the U.S.

I’m stunned at these statistics. Although Microsoft officially ended support for Windows XP last April 8, the company ended mainstream support for it back in 2009! Microsoft reportedly is offering a custom support option estimated to have a $250,000 price cap for a year’s worth of service; however, this option is unlikely to bail out the average utility without some seismic structural and procedural changes from the utility itself.

Traditionally the lifecycle for industrial control system software has been 10-15 years, if not longer, according to Assante. Most utilities migrated to Windows XP in the early 2000s from mainframe Unix systems, which were in place for several decades.

But even in the days of the ILOVEYOU worm, cyberattackers weren’t remotely the problem they are now. The potential for zero day exploits is “incredibly high,” Patrick C. Miller, founder of the nonprofit Energy Sector Security Consortium, told King.

Another unnamed source of King’s gave an example of one scenario:

Utility staff trusts levels, values and alerts these systems give them, said one security expert who formerly conducted security audits for various utilities…a management workstation at a gas utility could possibly be hacked to make it falsely report low pressure in a gas line. An analyst that raises the pressure to compensate could unknowingly create an explosion.

Unfortunately, migrating to Windows 8 or to a Linux-based OS is extremely expensive. To quote Miller:

It can take years to upgrade to a newer operating system and it can cost more than $100 million to upgrade those systems, he said. Partly, that has to do with customization and interoperability testing to make sure the new software works with legacy systems. In most cases, software suppliers have clauses in contracts that would void the warranties if utilities tried to upgrade the operating system themselves.

Given the obstacles, what can be done besides waiting for the inevitable disaster to take place? Stuart McCafferty and Andy Bochman at SmartGridNews.com came up with a “four-fold” answer, the first of which discusses how Microsoft could modify their “custom support” option:

Perhaps Microsoft is willing to consider lower fees or smaller caps for vendors that cannot afford the costs of Microsoft’s security hot patches. There is a new visionary CEO in town with Satya Nadella and a man in Bill Gates that has dedicated his life to philanthropy and good will. The opportunity is there and vulnerable critical infrastructure is as much a threat to Microsoft’s business as anyone.

I like this superhero approach to solving the problem, but we shouldn’t count on Bill Gates donating a few billion dollars to save the day. Instead, as McCafferty and Bochman wrote, “We have the capability of mitigating this threat, but it is simply going to take more time than remains and there will be a period of uncomfortably long exposure.”

Photo credit: wfmillar via Wikimedia.