Is XP running your critical systems?
More current Windows versions finally are replacing Microsoft's XP operating system, but a surprising number of critical systems are still running the 12-year-old OS and will need to be protected after Microsoft ends its support in April.
After 12 years of dominating the market for Windows operating systems, more recent Windows versions finally are beginning to replace the popular and venerable XP. But a surprising number of critical systems are still running this workhorse OS in the government enterprise and will need to be protected after Microsoft ends support in April.
Upgrading to Windows 7 or 8 would seem to be the logical solution, but as is so often the case with legacy IT, it’s more complicated than that.
“There are some people who don’t have an option to change,” said John Stubbs, director of software channels for Unisys. Many times the OS is running in automation and process control systems that run business and mission-critical systems in both private-sector and government enterprises. “We were surprised by the percentage of XP devices that are still controlling those types of activities,” Stubbs said.
Pinpointing the number of devices running a particular operating system is difficult, but large-scale trends indicate that XP is not disappearing any time soon.
A 2013 study by software vendor Softchoice found XP running on 58 percent of a sample of 500,000 devices across 7,200 enterprises, down from 68 percent the year before. Most of the difference was made up by the adoption of Windows 7, with only a small uptake of Windows 8. The enterprises surveyed were private sector, but given government’s usual rate of upgrade to new technology, there is no reason to believe that agencies are ahead of this curve, Stubbs said.
The prevalence of XP in critical systems is likely to be higher than throughout the enterprise in general because once critical systems are up and running they often are left alone until they break, and upgrading them can be expensive.
Critical control systems are certified as a whole for operation in government, and a $1,000 XP machine might be running a $1 million system. Upgrading that controller could require recertifying and upgrading the entire system, which means the software tends to be left in place for as long as possible.
This is fine as long as the OS does not have to work with new apps and protocols, but eventually it exposes the system to increased risk if it no longer is being supported and patched by the vendor.
Not surprisingly, Unisys says it has a solution for that: its Stealth suite of software. Stealth “hides” protected devices by ignoring traffic that is not from an approved Stealth source, so that devices cannot be reached by attackers. The need to isolate and hide vulnerable XP devices is opening a new market for the Stealth suite. Microsoft is also offering an expensive custom support service for XP, and there are third-party subscription services that block exploits of unpatched XP vulnerabilities.
These are not permanent fixes for XP, but they can help buy time to upgrade critical systems with an operating system that has more of a future.