SOURCE: Wall Street Journal
Some 300 million computers, including many that manage water, electric and sewage treatment plants and ATMs, will soon be left unprotected from new security threats.
Microsoft Corp. will stop providing updates to its Windows XP operating system after April 8, leaving holes in some computers running industrial systems as well as PCs at many government agencies.
Despite the publicity generated by this deadline, more than 10% of computers used in government and corporations world-wide will still use the 12-year-old operating system, according to cybersecurity firm Qualys Inc. Including consumer PCs, the share of desktops running XP is nearly 30%, according to researcher NetApplications.
Microsoft has been warning its customers of the coming change for years—it even has a countdown clock on its website. As the deadline approaches, the U.S. government has been urging IT administrators at utility companies and other constituents to upgrade.
The software giant itself will further contribute to the problem in May, when Microsoft issues updates to Windows 7 and Windows 8, more modern operating systems built on a blueprint similar to XP's. The patches Microsoft sends for those operating systems will point hackers to possible weak spots in XP without supplying the fix.
“[It's like] there’s a big air bubble on the side of your tire and it’s going to fail. It’s not a question of if, it’s a question of when,” said Mark Bernardo, general manager of automation software at General Electric Co.’s Intelligent Platforms division. The unit sells industrial control systems and software used to manage everything from electricity flow in power plants to assembly lines at manufacturers.
Between 30% and 35% of his customers are still using XP, said Mr. Bernardo. Over the last year, GE has tried to get its customers to upgrade to Windows 7.1, which is four years old. The most reluctant to upgrade, by far, have been water and wastewater utilities, due to the cost, he said. One water utility in Merrill, Wisc., spent $700 per computer to upgrade to Windows 7.1, including hardware.
About 95% of the 211,000 ATMs owned by financial institutions run some version of XP. But some of those machines run a specialized version that Microsoft will support until 2016, according to a Department of Homeland Security memo sent in March. Independent companies, such as gas stations, own another 210,000.
Executives at major financial institutions say they have taken steps to mitigate the problem. Part of that response may be software that prevents any new software from being installed on the ATMs—what security experts call whitelisting.
“Citibank is in the process of migrating ATMs away from Windows XP,” Citigroup Inc. spokesman Andrew Brent said. “We have plans in place that will maintain the protection of our ATMs during this transition.” Other large banks offered similar assurances.
One reason companies have been slow to upgrade their operating systems is the complexity, especially for some older ATMs that require physical visits for an upgrade. “It’s not as simple as upgrading a desktop PC… When it comes to an ATM, it’s a whole different ballgame,” said Robert Johnson, director of enterprise software at NCR Corp., which claims a 30% market share for ATMs in the U.S. and globally.
Hackers have a long history of taking advantage of unprotected software to create damage in the physical world. Vulnerabilities in XP were among those exploited by the Stuxnet virus that was reported in 2010 to have destroyed centrifuges in Iran’s nuclear-enrichment facilities in Natanz, according to Roel Schouwenberg, principal security researcher at security firm Kaspersky Lab.
Hackers who brought down South Korean ATMs and other systems last spring used at least one piece of malicious code that targeted XP, according to researchers at security firm Symantec Corp.
The U.S. government is trying to raise the alarm about the physical damage that can occur. A July 2012 memo from the Environmental Protection Agency to U.S. water utilities highlighted a breach to computer systems in Queensland, Australia that resulted in 264,000 tons of sewage being released into streams and park land. According to the same memo, a hacker used the Internet to penetrate security of a Harrisburg, Pa., water filtering plant in 2006. The intruder planted malicious software that was capable of affecting the plant’s water treatment operations, the EPA said. The EPA didn’t identify the operating system that was penetrated in either case.
In May 2013, security firm Invincea Inc. found hackers used a flaw in XP systems running Internet Explorer 8 to target visitors to a Department of Labor website detailing rights of workers who deal with nuclear materials. “The target wasn’t the Department of Labor, it was the people who would visit a website about the hazard of dealing with nuclear materials,” said Anup Ghosh, the CEO of Invincea.
XP, introduced by Microsoft in 2001, is a tempting target because it remains so prevalent, and it is known to be vulnerable to cyberattacks. “If there’s one core reason we’re retiring the operating systems, it’s security issues,” said Microsoft spokesman Tom Murphy.
Beginning in May, many of the patches Microsoft creates for Windows 7 and Windows 8 will still apply to Windows XP, since the systems share similar code. “We are aware that Microsoft updates are often reverse-engineered to determine the root cause,” said Mr. Murphy, who said this is a major reason why the company is encouraging customers to upgrade.
“Do we want people to buy the latest version of our operating system? Yes we do,” Mr. Murphy said. But he noted that the company supported Windows XP for two years longer than any other operating system.