Impact of Windows XP End of life on Critical Infrastructure

Which is the impact of the Windows XP End of Life on the critical infrastructure? Which are the risks and the mitigation strategies that could be adopted?

This week I had the pleasure and the honor to participate as a speaker for a seminar at Rome Security Summit 2014, the theme of the event was “Impact of Windows XP End of life on Critical Infrastructure”.

The seminar was arranged by the AIIC (Association of Italian experts of Critical Infrastructure), a non-profit scientific association that was born to create and sustain an interdisciplinary culture to the developing of strategies, methodologies and technologies able to adequately govern the critical infrastructures, especially in crisis scenarios resulting from both natural catastrophes or anthropic malicious behavior.

I made the presentation with the popular cyber security expert Raoul Chiesa, together we have explored, over two months after the announcement of the End Of Live for Windows XP from Microsoft, the risks related to the presence of XP-based systems within high critical environments.

XP OS is still widely used in huge quantity of systems ranging from Cashpoint (ATM) machines to HMI/SCADA systems, analyzing data published in May, worldwide use of XP has passed from 19,79% to 16,17% in the last 6 months.

Windows XP widely adopted in critical environments, Supervisory (computer) systems), Programmable logic controllers and Human–machine interface applications are still based on XP systems, and starting from April 8th 2014 they will no more receive security updates.

According to many security experts, this could be a limited problem because the lack of patch mentality of the ICS/SCADA world, between 10 to 20 percent of organizations today actually install patches that their SCADA vendors are releasing.

It must be considered that during the XP design timeframe the overall IT scenario is changed, mobility as assumed a crucial role differently from the past, especially for HMI while technology passed from isolated and proprietary systems into open architectures. The number of cyber attacks against critical infrastructure is increased in a significant way, state-sponsored hackers, hacktivists and cyber criminals are threatening government and private businesses.

Analyzing the risks XP End of Life it is possible to distinguish:

• Technology risk factors.
• Cost risks.
• Potential liabilities and legal issues.

Consequences of Windows XP end of life can be serious if critical infrastructure owners take no actions, the number of breaches and data compromise will surely increase with serious repercussions on the ability of organizations to comply with standards and damage to corporate brand.

Organize an attack against a critical infrastructure could be dramatically easier for skilled hackers, the Open Internet and the underground provide all the necessary tools and services to cause serious problems, the fact that targeted systems are based on XP OS could give to the attackers a further vector of attack.

“If ICS is connected to the Internet, it comes with an almost 100% guarantee of its being hacked on the first day” E. Kaspersky 

The presentation includes information on the attacks against critical infrastructure with specific reference to XP systems.

Let me suggest the to give  a look of the presentation.

A Special thanks to Raoul Chiesa and to the moderators Enzo Tieghi (Vice-AIIC) and Piergiorgio M. Foti (Vice-AIIC) and to all the other participants.

• Andrea Guarino, Responsabile Tutela del Patrimonio – ACEA SPA, socio AIIC

• Angelo Luca Barba, Marketing Cyber Security – Selex ES, socio AIIC

• Giorgio Basanisi, Senior Manager Spike Reply, socio AIIC

• Andrea Carcano, CTO & Founder Nozomi Networks, socio AIIC.

Pierluigi Paganini

(Security Affairs –  Critical Infrastructure,XP )