Late at night last week, a rock was thrown through my window, wrapped in a note from a NERC entity that obviously didn’t want to be identified. The note asked, “What is your take on Windows XP and CIP Version 5? If you’re running XP, are you non-compliant?” As you’re probably aware, support for XP ended last year, so there are no more patches available for vulnerabilities. On the other hand, many entities still have systems (mainly in substations and generating stations) that run custom code on top of XP. It’s a multi-year process to rewrite and re-validate that code for a new OS.
I immediately emailed this question to an unnamed compliance auditor who responded promptly that, from a strictly compliance point of view, running XP doesn’t make you non-compliant. Regarding patching, he said “Patching is not an issue. Because XP is past end-of-life, no patches are available, therefore there are none to assess for applicability. In the extremely unlikely event an emergency patch is released for XP, the entity will have to deal with it.” He went on to say “The rest of the requirements are manageable.” To repeat, from a strictly compliance point of view, running XP isn’t an issue.[i]
I then raised a further issue with the auditor: “The big problem I can see with XP is that new vulnerabilities will appear and there won’t be patches for them. Does the entity have any responsibility to mitigate these new vulnerabilities?” His answer was, “Mitigation of new vulnerabilities is a good security practice but in the absence of patches, there is nothing in the Standard to compel the entity to mitigate identified vulnerabilities. They only have to mitigate when they cannot install an applicable patch.” Of course, there are no longer any patches for XP; therefore, there is no obligation to mitigate new XP vulnerabilities as they’re identified.
However, the auditor did go on to say, “Obviously, they need to get on with replacing the XP environments - again, for reasons of good security and utility practice and not because the CIP standards compel them. They are at increasing risk because often vulnerabilities found in currently supported versions of Windows will also be present in Windows XP. So, they need to lock down their XP environments as much as they possibly can to keep them from being the cause of the first blackout due to a cyber-security incident.”
So there you have it. Running XP isn’t going to expose you to compliance risk, but it certainly does expose you to security risk. It’s certainly a good idea to try to take other steps to mitigate new vulnerabilities, since patches are no longer available. And it’s an even better idea to look for ways to move from XP to a supported OS as soon as this is feasible without impacting reliability.
Coming up next:
What if you still have OS/2?
What if you still have Windows NT?
What if you still have OpenVMS?
Note 3/4: I have just posted a follow-on to this post.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] The auditor also said, “We have seen a couple of entities still running XP in the control center. But they were well on the way to migrating to Windows 7. We still see Windows XP Embedded systems in the field. XP Embedded is supported through the end of next year, so hopefully the entities are working with their vendors to replace/upgrade the systems before XP Embedded reaches end of support.”