48,000 Windows XP PCs are still running at TEPCO … which are the risks?

Which is the impact of the Windows XP End of Life on the critical infrastructure? Recently a Government audit found 48,000 XP PCs still running at TEPCO.

One year ago the end of life for Microsoft Windows XP raised a heated debate on security for all the infrastructure that still adopt the popular OS. Windows XP was widely adopted in critical environments, Supervisory (computer) systems, Programmable logic controllers and Human–machine interface applications are still based on XP systems, and starting from April 8th 2014 they don’t receive security updates.

Consequences of Windows XP end of life can be serious if critical infrastructure owners took no actions, the number of cyber attacks is continuously increasing serious repercussions on the ability of organizations to comply with security standards.

Organize an attack against a critical infrastructure could be dramatically easier for skilled hackers, the Open Internet and the underground provide all the necessary tools and services to target system based on the dismissed Windows XP.

Clamourous the case of The Tokyo Electric Power Company (TEPCO), operator of the Stricken Fukushima Daiichi nuclear energy plant that announced a massive migration of 48,000 Windows XP machine to a newer OS.

TEPCO was recently audited by a Japanese organization, the Japan Board of Audit, which oversees the finances of Japan’s government and government agencies. The Board of Audit is interested in TEPCO because Japan is keen to see the company pay for

The Board of Audit inspected the TEPCO company following the Fukushima disaster and the request of the authorities to reclaim the area.

The audit was conducted in March with the intent to analyze the operations at TEPCO and support the company to pay the fee decided by the authorities. The Japan Board of Audit discovered that nearly 48,000 PCs running Windows XP at TEPCO were exposed online and were not upgraded for cost reduction. The circumstance if is we consider possible repercussion on the security of the company. Upgrades may even have been deferred to 2019, according to

Upgrades may even have been postponed to 2019, according to an official statement released by the TEPCO company. The Board of Audit evaluated the priority established by TEPCO considering the risk of exposure to cyber attacks and decided that the XP machine must be considered an urgent issue to solve.

“Upgrading the operating system must be done as swiftly as possible, and the firm must not push it back, given the security risks,” reported the the Board of Audit.

Let consider that the National Institute of Information and Communications Technology revealed that more than 25 billion cyberattacks hit  systems in Japan during 2014.

“The company decided, on its own initiative, to move up the deadline to update the software due to system security concerns,” said a Tepco spokesman according to The the Japan Times.

The decision of the Board is flawless if we consider that energy companies are always under attack and that possible consequence could be disastrous as happened for Saudi Aramco where a computer virus infected nearly 30,000 work stations.

If you are interested on the risks related to adoption of XP systems in critical infrastructure after the end of life give a look to a presentation I made last year on the topic at the Security Summit.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Windows XP, TEPCO)

[adrotate banner=”13″]