Less than a month after Microsoft announced that it was no longer supporting Windows XP, the company warned of a security gap in Internet Explorer that could allow hackers to take control of infected computers. The risk was so high that Microsoft back-pedaled on its vow to abandon XP, and issued a patch.
You would think that nearly all companies would long ago have updated from XP – but you would be wrong. About a third of the customers of GE Intelligent Platforms are still on XP, according to Matt Wells, general manager for automation software. Even more frightening are the 75% of water utilities that continue to run the old OS.
What’s keeping them from making the change? In many utilities and other industrial companies, a separate IT department controls business and office systems, while manufacturing runs its own computers.
“If it wasn’t broken,” said Wells, “they didn’t fix it.” The machines that run huge utility plants are expensive and have lifespans of 30 years or more. And many new apps can be added without touching the underlying operating system. “People have stayed one or two OS’s behind for quite some time,” said Bernard Cubizolles, product marketing manager for automation software with GE Intelligent Platforms.
Moreover, Wells said, many plant managers fear that a switchover will bring operations to a temporary halt, driving up costs. Depending on what’s being produced at the facility, each hour of downtime can cost between $100,000 and $1 million.
Despite these obvious risks, managers need to be convinced that the cost of doing nothing is far greater than that of updating old computer systems. An outdated OS like XP might lack the drivers that are needed to hook up with new controllers or servers. And the price of exposure to cyber-attacks is, of course, incalculable.
You have to wonder what it will take for companies to see the light. As far back as 2011, industry should have been spurred into action by reports that a hacker broke into the system of an Illinois water plant. Whether it actually happened is another question – the Department of Homeland Security denied it – but the mere possibility of a cyber-attack should have sent IT managers scurrying for new software and anti-virus protection years ago.
Operating systems interface with so many functions in an industrial setting that companies often don’t understand the full implications of a cyber breach. The corporate IT department might not even be aware of all the systems that are running in a factory or utility.
“That’s why [the end of XP] is an opportunity for us to be sending this message,” said Wells. “We want people to go have a broader look at what’s on their plant floor.”
Longer term, utilities and other industrial companies need to create a culture that embraces the upgrading of systems on a regular basis. “It is a bit of a culture clash,” said Wells. “Corporate IT has a tendency to want to move everything to a centralized architecture in the cloud, which is good. But in our industry, you do need some infrastructure on site.”
One solution is to schedule annual audits of site-level systems, to evaluate whether they’re up to snuff with current requirements. In addition, said Cubizolles, companies need to acquire up-to-date antivirus software.
Surprisingly, many in the utilities sector have failed to take even this basic step, reassured by the fact that they weren’t tied into any networks. Now, with most companies required to convey their data to a central location, they are far more exposed to the risk of a cyber-attack.
Cloud computing can help to push utilities into the 21st century. But industrial environments will always require computers that run machines on the shop floor, and most won’t place day-to-day operations at the mercy of an internet connection that can be easily severed. The responsibility for ensuring regular OS updates will still rest with the plant itself.
Wells is optimistic about the prospects for change. The water utilities sector “is a very slow-moving industry,” he said. Yet that attitude of stubborn complacency appears to be fading at last. Microsoft’s announcement of non-support for XP is an obvious catalyst, even if the company did give laggards a post-deadline bailout.
“Over the past 10 years, we’ve seen more and more corporate IT getting involved at the traditional IT manufacturing level,” Wells said. “That will bring better practices into play.”
In any case, don’t expect Microsoft to ride to the rescue again. Said Wells: “This is a warning shot across the bow of these companies, to really take a harder look at their whole infrastructure.”