Microsoft Extended Support and Security Updates for Windows 2000 will cease in July 2010. Migrating to a new operating system can be time-consuming, disruptive and expensive, so Torsten Rössel presents an alternative.
Microsoft Windows operating systems are widely used for networked industrial automation equipment. Unfortunately, these industrial Windows applications, like their counterparts in office networks, are also vulnerable to known and new Windows security loopholes that continue to be discovered and exploited. Microsoft's Lifecycle Policy for business and developer products provides five years of Mainstream Support and five years of Extended Support, during which necessary Security Updates are available for a total of 10 years. The lifetime of industrial machinery and other capital equipment, however, is often 20 years or more. The much shorter lifecycle of software suggests that it will usually not survive as long as the equipment it serves.
Mainstream Support for Windows 2000 ended in June 2005. In July 2010 the Extended Support for Windows 2000 will also expire. While Windows 2000 has enjoyed a ten-year run, other earlier operating systems did not: support for Windows 95 expired in December 2001; support for Windows NT 4.0 expired after eight years in June 2004; and support for Windows 98 expired in July 2006. Common sense, good business judgement and IT security policies dictate planning ahead for the demise of current software support.
What to do?
Proceeding with 'business as usual' while keeping both eyes firmly shut is not a recommended course of action. Worms, viruses, Trojans and hacker exploits are problems not to be ignored. The widespread popularity of Microsoft operating systems has made them an appealing target for malware creators. In 2008, Microsoft issued thirty-six Security Updates relevant to Windows 2000, nineteen of them classified as Critical, the highest classification, and another sixteen classified as Important. In 2009, Microsoft released an even larger number of Security Updates for the nine-year-old system: forty-eight, of which thirty-one were Critical and sixteen Important. In every month of 2009, at least one additional family of malware had to be added to the Microsoft Windows Malicious Software Removal Tool distributed with the other monthly system updates. The Conficker worm proved particularly troublesome, as did the Waledac Trojan and the Bredolab downloader, which pulled further malware and spyware from servers hosted mostly in Russia and China. The expiration of support for Windows 2000 means that no further security updates will be issued for vulnerabilities discovered after that date, and that the automated distribution of such updates to these systems ends with it.
An obvious solution to the problem, of course, is to upgrade to a newer operating system that is supported now and for the foreseeable future. But upgrades are costly: new licences need to be purchased and new software installed. And, as new versions of Windows tend to be ever more hungry for resources, they often require the acquisition of new hardware and infrastructure as well. That is when the dreaded 'unanticipated consequences' begin to occur, involving considerable extra work and expense. Certified systems and automated manufacturing processes typically require a repeat of an expensive approval process whenever any of their components is altered. Because production complications are greater than those in the office environment, significant upgrade expenses can quickly accumulate. And who wants the responsibility of triggering that cost avalanche when the potential security risks, and the risk of unforeseen glitches that can affect production, are so difficult to quantify? Common sense and experience often dictate "if it's not broke, let's not 'fix' it."
Retrofitting distributed security appliances
What virtually all of the threats described above have in common is that they reach their target over the network, by exploiting weaknesses and vulnerabilities in network protocols and services. Hacker exploits and malware use these weaknesses over an IP-based network to gain access, take control and find opportunities for damage and proliferation. If security updates against newly discovered vulnerabilities are no longer available, the risk to the unsupported system increases, since it must continue to communicate with other network nodes, and often with portions of the outside world (engineering and programming consultants, remote maintenance services, etc). The days of a truly isolated production network are rapidly disappearing. But while vital system interconnections obviously cannot be eliminated, most other types of potential network communication can be blocked, which removes the path an exploit or worm needs to reach the vulnerable service in the first place.
It is the purpose of firewalls to control and selectively filter otherwise unrestricted Ethernet and IP-based communications on the network. In addition to the firewalls at the perimeter of the office network, industrial network security appliances are needed to provide 'defence in depth' on the factory floor, directly in front of the equipment to be protected. This method of protection is faster and more cost-effective than an operating system migration, and the appliances can be installed by technicians rather than network administrators. They are available in various industrial-rated designs: for DIN-rail mounting, for 19-inch rack mounting in cabinets, as PCI cards or as dongle-style patch cords. An example is the family of award-winning mGuard products from Innominate Security Technologies, Phoenix Contact and select others (see photo).
As a result of a patented Stealth Mode, these products are completely transparent: they automatically assume the MAC and IP address of the equipment to which they are connected, so no additional addresses are required for the management of the network devices, and no changes need to be made to the network configuration of the existing systems. The devices operate invisibly, monitoring and filtering traffic to the protected systems with a Stateful Packet Firewall according to rules configured via templates on a centrally located server. A stateful firewall admits replies to connections the protected host itself has opened, while new inbound connections are accepted only if a rule explicitly permits them, so a worm probing for an unpatched service from elsewhere on the network is dropped before the packet ever reaches the vulnerable Windows service. And thanks to their bi-directional 'wire speed' capability, mGuard appliances add no perceptible bottleneck to a 100 Mb/s Ethernet network.
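The following is an added illustration of the default-deny, stateful filtering policy just described, written for this page and not code from Innominate, Phoenix Contact or the mGuard product. It models a filter sitting transparently in front of one legacy host: outbound connections from the host are admitted and tracked, their replies pass, and inbound connection attempts are accepted only when they match an explicit allow-list entry. The host addresses, the single allowed engineering station, the port numbers and the sample packets are all constructed for the example. An SMB probe against TCP 445, the kind of traffic Conficker used to spread, is dropped without state, while a stray mid-stream packet with no matching connection is dropped as well.

```python
"""Model of a default-deny stateful packet filter in front of one legacy host.
Added example for this article, not vendor code. Addresses, ports and the
sample packets below are constructed, not taken from any real network."""
from dataclasses import dataclass

PROTECTED_HOST = "10.0.0.5"      # assumed: the unpatched Windows 2000 node
ENGINEERING_WS = "10.0.0.20"     # assumed: the only station allowed to reach it

# Inbound allow-list for connections initiated towards the protected host:
# (protocol, source address, destination port). Everything else that is not
# a reply to a connection the host opened itself is dropped, including SMB
# on TCP 445, the service worms such as Conficker probed for.
INBOUND_ALLOW = {
    ("tcp", ENGINEERING_WS, 3389),   # remote desktop from the engineering station
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for a TCP connection request


class StatefulFilter:
    def __init__(self):
        # 5-tuples of connections the filter has admitted, in the direction
        # in which they were opened
        self.conns = set()

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        key = self._key(p)
        is_new = p.syn or p.proto == "udp"
        # 1. Packets of an established flow, in either direction, pass.
        if key in self.conns or self._reverse(p) in self.conns:
            return "ACCEPT"
        # 2. A new connection opened by the protected host is admitted and
        #    tracked so that the replies can come back.
        if p.src == PROTECTED_HOST and is_new:
            self.conns.add(key)
            return "ACCEPT"
        # 3. A new inbound connection passes only with an explicit rule.
        if p.dst == PROTECTED_HOST and is_new \
                and (p.proto, p.src, p.dport) in INBOUND_ALLOW:
            self.conns.add(key)
            return "ACCEPT"
        # 4. Default deny. A packet without state, e.g. a mid-stream segment
        #    for which no SYN was ever seen, is dropped here as well.
        return "DROP"


def run(packets):
    """Feed packets through a fresh filter and return one verdict per packet."""
    f = StatefulFilter()
    return [f.decide(p) for p in packets]


SAMPLE = [  # constructed traffic, in arrival order
    Packet("tcp", "10.0.0.99", 40000, PROTECTED_HOST, 445, syn=True),     # SMB probe
    Packet("tcp", ENGINEERING_WS, 50000, PROTECTED_HOST, 3389, syn=True), # allowed RDP
    Packet("tcp", PROTECTED_HOST, 3389, ENGINEERING_WS, 50000),           # RDP reply
    Packet("tcp", PROTECTED_HOST, 1025, "10.0.0.30", 102, syn=True),      # host opens outbound
    Packet("tcp", "10.0.0.30", 102, PROTECTED_HOST, 1025),                # reply to it
    Packet("tcp", "10.0.0.99", 40001, PROTECTED_HOST, 445),               # SMB segment, no state
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

The model deliberately omits what a real appliance also has to track (TCP teardown, connection timeouts, ICMP related to a flow), but the order of the checks is the point: established state first, then outbound from the protected host, then the inbound allow-list, then drop. The allow-list is keyed on the source address as well as the port, so moving an engineering laptop to an unknown address closes the access rather than opening it.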
If required, the security of networked equipment may be further enhanced by additional mGuard features. User-specific firewall rules can restrict the type and duration of access for authorised individuals, who may log in and authenticate themselves from varying locations, PCs and IP addresses. Virtual Private Network (VPN) functions provide secure authentication of remote stations and encryption of the data traffic. The mGuard CIFS Integrity Monitoring function watches Windows file systems for unexpected modifications of executable code, such as those made by malware, and raises an alarm when a monitored file has changed; Common Internet File System / Server Message Block (CIFS/SMB) is the protocol behind Windows file sharing, so the check can be run over the network without installing anything on the protected system. Customers in the automotive industry and elsewhere have already used the mGuard system with excellent results to secure older production systems running Windows 95, Windows 98 and Windows NT.
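As an added illustration of the integrity-monitoring idea, and not the mGuard implementation, the example below baselines the SHA-256 digests of executable files under a directory (standing in for a Windows share mounted on the monitoring system; the mount path is assumed) and later reports which monitored files were modified, added or deleted. The tampered share it builds in a temporary directory is constructed for the example. Digests rather than timestamps are compared because malware that replaces a file can also restore its timestamp.

```python
"""Baseline-and-compare integrity check over the executables on a share.
Added example for this article, not vendor code. The share is stood in for
by a local directory; the files it creates are constructed test data."""
import hashlib
import os
import tempfile

# File types whose unexpected change is worth an alarm on a production host.
MONITORED_SUFFIXES = (".exe", ".dll", ".sys", ".ocx", ".scr")


def _digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map share-relative path -> digest for every monitored file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(MONITORED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = _digest(full)
    return baseline


def compare(baseline, current):
    """Report differences between two baselines; any non-empty list is an alarm."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed share, baseline it, tamper with it and compare."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "WINNT", "system32")
        _write(os.path.join(sysdir, "svchost.exe"), b"MZ original service host")
        _write(os.path.join(sysdir, "netapi32.dll"), b"MZ original library")
        _write(os.path.join(root, "readme.txt"), b"not an executable, not monitored")
        baseline = build_baseline(root)

        # Simulate an infection: one binary replaced, one dropped, one removed.
        _write(os.path.join(sysdir, "svchost.exe"), b"MZ trojanised service host")
        _write(os.path.join(sysdir, "dropper.dll"), b"MZ freshly dropped payload")
        os.remove(os.path.join(sysdir, "netapi32.dll"))
        # The unmonitored text file changing must not raise an alarm.
        _write(os.path.join(root, "readme.txt"), b"edited notes")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

In practice the baseline is taken right after the system is certified, stored on the monitoring device rather than on the monitored host (where malware could rewrite it), and re-checked on a schedule; a hit is a signal to investigate, not a block, which is what makes the check safe to run against a system nobody is allowed to patch.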
There is always a concern that a blanket implementation of software patches and security updates will inadvertently affect the operation, stability and quality of production unless extensive (and expensive) certification tests are run before implementation. Thus the 'never touch a running system' approach is the dominant principle in production. The costs of certification and the risk of voiding warranties from machinery and equipment suppliers are such that many embedded PC systems are operated without software patches and security updates, and are therefore effectively non-patchable long before the end of their Extended Support. All of these non-patchable systems can be given the same enhanced security by retrofitting Stealth Mode security appliances in front of them, as described in the previous paragraphs.
The clock is ticking. In a few months, untold numbers of Windows 2000 systems will no longer have access to Extended Support and Security Updates when these end in July 2010. Nor may there be adequate time for analysis and evaluation of alternatives, decision making, planning, preparation and implementation of a new operating system. The right time to act is now. And there are proven 'defence in depth' security products available to provide protection for industrial networks.
For more information about current threats to networked industrial equipment, a comprehensive 18-page White Paper Hacking the Industrial Network, including footnotes, clickable Internet research links and detailed references, is available for download at www.innominate.com.