CyberEye

By Patrick Marshall

Is XP running your critical systems?

After 12 years of dominating the market for Windows operating systems, more recent Windows versions finally are beginning to replace the popular and venerable XP. But a surprising number of critical systems are still running this workhorse OS in the government enterprise and will need to be protected after Microsoft ends support in April.

Upgrading to Windows 7 or 8 would seem to be the logical solution, but as is so often the case with legacy IT, it’s more complicated than that.

“There are some people who don’t have an option to change,” said John Stubbs, director of software channels for Unisys. Many times the OS is running in automation and process control systems that run business and mission-critical systems, in both private-sector and government enterprises. “We were surprised by the percentage of XP devices that are still controlling those types of activities,” Stubbs said.

Pinpointing the number of devices running a particular operating system is difficult, but large-scale trends indicate that XP is not disappearing any time soon.

A 2013 study by software vendor Softchoice found XP running on 58 percent of a sample of 500,000 devices across 7,200 enterprises, down from 68 percent the year before. Most of the difference was made up by the adoption of Windows 7, with only a small uptake of Windows 8. The enterprises surveyed were private sector, but given government’s usual rate of upgrade to new technology, there is no reason to believe that agencies are ahead of this curve, Stubbs said.

The prevalence of XP in critical systems is likely to be higher than throughout the enterprise in general because once critical systems are up and running they often are left alone until they break, and upgrading them can be expensive.

Critical control systems are certified for operating in government as a whole, and a $1,000 XP machine might be running a $1 million system. Upgrading that controller could require a recertification and upgrading of the entire system, which means the software tends to be left in place for as long as possible.

This is fine as long as the OS does not have to work with new apps and protocols, but eventually it exposes the system to increased risk if it no longer is being supported and patched by the vendor.

Not surprisingly, Unisys says it has a solution for that: its Stealth suite of software. Stealth “hides” protected devices by ignoring traffic that is not from an approved Stealth source, so that devices cannot be reached by attackers. The need to isolate and hide vulnerable XP devices is opening a new market for the Stealth suite. Microsoft is also offering an expensive custom support service for XP, and there are third-party subscription services that block exploits of unpatched XP vulnerabilities.

These are not permanent fixes for XP, but they can help buy time to upgrade critical systems with an operating system that has more of a future.

Posted by William Jackson on Mar 07, 2014 at 9:46 AM

