This is definitely a different article and subject area than my regular stories on Microgrids, renewable energy, and the federal government’s energy-related activities. However, after reading it, many will walk away thinking MicroGrid solutions are more viable than ever . . . And, people that know me know that I’m not a “chicken little” and I regularly complain about some very notable cyber security mouthpieces that identify and teach where and how to exploit vulnerabilities, but offer little or nothing in the way of solutions. So, I enlisted my friend and fellow zoomie graduate, Andy Bochman from Bochman Advisors, to help with content, fact-checking, and editing support. Here’s some background on why we felt compelled to do some research, make some phone calls, and write this story.
One of my co-workers, Kevin Brown, works for a BUNCH of utility companies doing penetration testing on a variety of devices. Sometime last year, Kevin and I talked about Microsoft’s decision to end support for Windows XP on April 8, 2014. We talked about potential impact to banks and utilities – and the effect it might have on U.S. and world economies if those systems were compromised. This long-telegraphed move by Microsoft (first announced in 2007) has profound implications for multiple critical infrastructure industries upon which entire economies are based. Here in the U.S., many electric utility field devices use Windows XP embedded to provide processing, communication, and intelligence to transmission and distribution networks. These devices have served very useful lives, providing rugged, upgradeable, patchable environments that can be kept current and which help manage electricity service to hundreds of millions of consumers.
For Microsoft, it makes financial sense to stop supporting an operating system that is well over a decade old – released in 2001. For utility and banking systems, it is a shot across the bow, a visceral reminder of their dependency on 3rd party technologies, and an event that has profound financial implications for their organizations. For utilities that normally have field equipment life expectancies of 20+ years, it reinforces the new reality of operating in a “smart grid” where shorter technology lifecycles defy the “business as usual” paradigm utilities and regulators previously operated under. Their urgent task now: develop a strategy and budget CAPEX resources to address the end-of-life cyber security risks exposed by this decision.
It is easy to understand utilities’ and device manufacturers’ reluctance to move to a new operating system. XP was solid. Everything worked nicely and vulnerabilities were addressed with Microsoft patches, which in most cases could be applied over the network as needed. As a software developer myself for the first 15 years of my career and a complete Microsoft groupie junkie, Windows XP coupled with VB4 and Visual C++ provided a truly powerful, programmer-friendly, and stable environment for software development teams. Microsoft followed that up with Windows Vista, Windows 7, and now Windows 8, all of which many programmers would argue were steps backward from the old reliable Windows XP. In the meantime, the mobile world exploded with Apple’s iOS and Google’s Android operating systems. And the giant slept. Microsoft lost its groupie following of programmers and spent enormous amounts of time patching their OS’s against ever-increasing and ever-more-ingenious attacks from cyber punks.
In September 2007, Microsoft announced their decision to end support of XP. Vista had just been released to a tepid public response and patch after patch after patch. Confidence in Vista and subsequent operating systems has never been as strong as it was in XP – many companies and government agencies still use XP to this day and are in the same situation as utilities and banks, either transitioning to Windows 7 or leaping across operating system versions to Windows 8.