All Good Things Come To An End

In July 2010, Microsoft will end its Extended Support and Security Updates for Windows 2000. One option is upgrading to a new system, but this can be time-consuming and expensive. Proven security products will offer drop-in protection for industrial networks while also providing “defense in depth” to increase security and reduce vulnerabilities.

Introduction

All things come to an end. And so it is with Microsoft Extended Support and Security Updates for Windows 2000, which will expire in July 2010. Any manufacturer with industrial applications based on Windows 2000 may wisely be considering a newer operating system right now, in order to remain in production with the needed security support.

But migrating to a new operating system can be time-consuming, disruptive, and expensive.

Are there any better alternatives? This paper presents one proven solution.

Microsoft Windows operating systems are widely used for networked industrial automation equipment. Unfortunately, these industrial Windows applications, like their counterparts in office networks, are also vulnerable to known and new Windows security loopholes that are continually being discovered and exploited. While Microsoft generally provides five years of Mainstream Support and five years of Extended Support for its Operating Systems, during which time Security Updates are released, the lifetime of industrial machinery and other capital equipment is often 20 or more years of useful operation. The much shorter lifecycle of software suggests that it will usually not survive as long as the equipment it serves.

What Should be Done?

Proceeding with “business as usual” while keeping both eyes firmly shut is not a recommended course of action. Worms, viruses, Trojans, and hacker exploits are problems not to be ignored. The widespread popularity of Microsoft operating systems has made them an all too appealing target for malware creators.

In 2008, Microsoft issued 36 Security Updates relevant for Windows 2000, including 19 classified as “Critical,” the highest classification. Another 16 Security Updates were classified as “Important.” Then in 2009, Microsoft released 48 Security Updates for the nine-year-old system, 31 of them “Critical” and again 16 “Important.” In fact, in every month of 2009, at least one additional breed of malware had to be dealt with by a new version of the Microsoft Windows Malicious Software Removal Tool distributed with the other monthly system updates. These vulnerabilities allow malicious users to view and copy sensitive data, crash a PC or even gain control of it remotely. The notorious Conficker worm proved to be a particularly troublesome issue, infecting and re-infecting nearly 20 million PCs worldwide. There are still approximately 5 million PCs infected with Conficker and under hacker control. Also, the dangerous and versatile Trojans Waledac and the Bredolab downloader ushered in a plethora of malware and spyware from servers hosted mostly in Russia and China. The expiration of support for Windows 2000 means the end of available and automated security updates against these kinds of threats, as well as the end of the Malicious Software Removal Tool that Microsoft was providing on a monthly basis for eradicating these malware installations.

Expensive Upgrades

An obvious solution, of course, is the upgrade to a newer operating system with current support, now and for the near future. But upgrades are costly, time- and effort-intensive, and risky. New licenses need to be purchased, and new software installed. And as new versions of Windows tend to be ever more hungry for resources, they often require the acquisition of new hardware and infrastructure as well. That is when the dreaded “unanticipated consequences” begin to occur, involving considerable extra work and expense.

Certified systems and automated manufacturing processes typically require reiteration of an expensive approval process when altering any of their components. As a result of production complications greater than those in the office environment, significant upgrade expenses can quickly accumulate. And who wants the responsibility of triggering that cost avalanche when it is very difficult to calculate the potential security risks and the risks of unforeseen glitches that can affect production? Common sense and demonstrated logic often dictate “if it ain’t broke, don’t fix it.”

Protection by Retrofitting Distributed Security Appliances

What virtually all software security risks share in common is that they are based on the weaknesses and vulnerabilities of network protocols and services. Hacker exploits and malware use these weaknesses over a network to gain access to data, system control, and opportunities for damage and proliferation. If security updates against newly discovered vulnerabilities are no longer available, there is an increased risk to the unsupported system, which must continue to communicate with other network nodes, and often with portions of the outside world (engineering and programming consultants, remote maintenance services, etc.). The days of a truly isolated production network are rapidly disappearing. But while it’s impossible to eliminate vital system interconnections, most other types of potential network communication can be blocked or restricted as a means to reduce the risk of infections.

It is the purpose of firewalls to control and selectively filter Ethernet and IP-based communications on the network. In addition to front office firewalls, there are industrial network security appliances that provide “defense in depth” on the factory floor. Defense in depth is a concept of using multiple and diverse layers of protection to better safeguard the network. This method of protection is better, faster, and more cost-effective, and it can be installed by technicians rather than network administrators. Hardware options come in many variants, including DIN rail mounting, 19” rack mounting in cabinets, USB-powered dongle style, and PCI cards. An example is the family of award-winning mGuard products from Innominate Security Technologies and Phoenix Contact.

As a result of a patented “Stealth Mode,” these products are completely transparent, by default automatically assuming the MAC and IP address of the equipment to which they are connected, so that no additional addresses are required for the management of the network devices. No changes need to be made to the network configuration of the existing systems involved, no special software is required and no administration privileges are needed. Yet the devices operate invisibly and transparently, monitoring and filtering traffic to the protected systems by providing a Stateful Packet Firewall according to rules configured on the local device or via templates from a centrally located server. Selecting a security device with bi-directional “wire speed” capability will not add any perceptible bottlenecks to a 100 Mb/s Ethernet network.

If required, additional features can further enhance the security of networked equipment. Configuration of specific user firewall rules can restrict the type and duration of access for authorized individuals, who may log in and authenticate themselves from varying locations, PCs, and IP addresses. Virtual Private Network (VPN) functions provide for secure authentication of remote stations and the encryption of data traffic. This allows for safe and secure access to remotely located equipment. Other benefits of the mGuard include, for example, its unique CIFS Integrity Monitoring functionality, which protects Windows file systems against unexpected modifications of executable code by malware. Common Internet File System / Server Message Block (CIFS/SMB) are the protocols behind Windows file sharing. Using these features, customers in a variety of industries have already had excellent results providing security for older production systems using Windows 95, Windows 98 and Windows NT.
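To illustrate the principle behind integrity monitoring of executable code on a file share, here is an added Python example (not Innominate's or the mGuard's own code): it baselines the SHA-256 digests of executables under a directory and later reports which were modified, added or removed. The directory contents and the "tampering" in `demo()` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an integrity monitor would watch: executable code that should
# not change on a production system outside a planned, certified update.
WATCHED_SUFFIXES = {".exe", ".dll", ".sys"}

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each watched file (path relative to root) to its digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }

def compare(baseline, current):
    """Report which watched files were modified, added or removed."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a share, then simulate tampering."""
    with tempfile.TemporaryDirectory() as share:
        root = Path(share)
        (root / "scada.exe").write_bytes(b"MZ original program image")
        (root / "driver.dll").write_bytes(b"MZ original driver")
        (root / "notes.txt").write_bytes(b"not executable, not watched")
        baseline = build_baseline(root)
        # Simulated unexpected changes: patched executable, new file, removed DLL.
        (root / "scada.exe").write_bytes(b"MZ original program image+patch")
        (root / "dropper.exe").write_bytes(b"MZ injected")
        (root / "driver.dll").unlink()
        return compare(baseline, build_baseline(root))
```

A real deployment would store the baseline off the protected host and raise an alert on any non-empty report, since on a non-patchable production system every change to executable code is unexpected.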

Never Touch a Running System: Security for Non-patchable Equipment

There is always a substantial concern that a reckless, blanket implementation of software patches and security updates will inadvertently affect the operation, stability and quality of production, without extensive (and expensive) certification tests prior to implementation. Thus “never touch a running system” is the dominant principle in production. The costs of certification and risks of warranty claims against machinery and equipment suppliers are such that many embedded PC systems are operated without software patches and security updates. So they are treated as non-patchable, long before the end of their Extended Support. Again, the benefits of drop-in protection, requiring no modifications to the protected devices, are evident.

All of these non-patchable systems can also be provided with enhanced security by the same method of retrofitting Stealth Mode security appliances to them, as described in the sections above.

Conclusion

The clock is ticking. As of July 2010, untold numbers of Windows 2000 systems will no longer have access to Extended Support and Security Updates. Nor may there be adequate time for analysis and evaluation of alternatives, decision making, planning, preparation and implementation of a new operating system. The right time to act is now. Proven “defense-in-depth” security products such as the FL mGuard will provide drop-in protection for industrial networks.

References:

Microsoft Support Lifecycle
http://support.microsoft.com/lifecycle/
Microsoft Security Bulletin Search
http://www.microsoft.com/technet/security/current.aspx
The Microsoft Windows Malicious Software Removal Tool
https://support.microsoft.com/en-us/topic/remove-specific-prevalent-malware-with-windows-malicious-software-removal-tool-kb890830-ba51b71f-39cd-cdec-73eb-61979b0661e0

Torsten Rössel is the Director of Business Development for Innominate Security Technologies AG in Berlin. He is a frequent speaker at industry conferences, and author of numerous articles on the protection of networked industrial systems and secured remote services for machinery over the Internet. He is available at: [email protected]