Should we laugh or cry? Government pays Microsoft £5.5m to extend Windows XP support
So XP is still beating Windows 8.
And, don't forget, there are a ton of XP machines around doing stuff but not connected to the Internet, and certainly not used for web browsing where they might show up in some OS tracking analytics. I was using one at work yesterday that just runs a GUI connected to a few million dollars of specialized hardware, and there's another one running some test equipment for which there are no drivers for later versions of Windows.
one running some test equipment for which there are no drivers for later versions of Windows.
I work in the pharmaceutical industry. One of the most important and possibly expensive regulatory activities we perform on our control systems is extensive software qualification/ validation.
Bearing in mind that most of our control systems are on closed networks (no internet connection) changing operating systems not only means complete local re-validation, but also involves the supplier often having to write bespoke software to make their applications run on a different OS. It is exceptionally time consuming and doesn't even guarantee everything will work correctly afterwards. During this effort, our plant may also not be available for drug production.
It's not a particularly good place to be, with obsolete OS and software, but the relatively quick pace at which IT stuff is obsolete effectively means we would spend a significant amount of our time not producing life saving drugs. Stuck between a rock and a hard place.
Blues, sorry but no. Your organisation has known since before the system was purchased that WinXP had an expiry date. You've deliberately based your critical infrastructure on a system that will need to be routinely upgraded if it has any network connectivity to anything with an active USB port or an Internet connection (Iranian centrifuges, Stuxnet and SCADA anybody?).
The fact is you've chosen to ignore it due entirely to cost. All because whoever made the original purchasing decision was an idiot.
Well, I would agree with some of what you say, but any control system utilising PCs or not will be obsolete at some point.
If we didn't buy a computerised control system because the components will be obsolete in the future, we wouldn't be able to buy anything.
The project manager(s) at the time buying the latest available system doesn't make them idiots, as far as I can tell.
(I haven't been responsible for buying any of our systems, in case you were wondering).
Anything we use to make our products requires revalidation if 'upgraded', from standalone weighing scales to full blown SCADA systems.
Like I said not ideal, but realistically the organisation cannot justify the downtime and huge expense - and the frequency. I'd love it if they could.
None of our control systems have internet connectivity. We are not permitted to use USB sticks.
Lady Harry was involved with a major IT operation a few years back for a very very large organisation
Every time they tried to move things they discovered another set of old software cheerfully doing its job and totally undocumented by the IT guys. I think the record was some 1962 stuff. Some of it had a UNIX/Windows front end bolted on, but that was purely for look and feel.
It was so much part of the users' day to day that they'd effectively forgotten about it - it was like the light switches - always had been there, always worked, never failed.
Oh, and of course it was lightning fast on modern machines..............
Blues, while none of the control systems may have a direct Internet connection, what about the computers you access the control system computers with? I very much doubt it's air-gapped.
Your organisation has still purchased a system that is too tightly bound to the OS being used and they aren't prepared to keep it updated due to expense. How can that be a smart purchase?
I strongly suspect that they very much ARE air-gapped. That's one of the most cost-effective approaches to a viable IA Case in very-high-integrity systems. If it weren't for one thing* I could name you well over a dozen UK state/military systems which run in an air-gapped environment for just this reason. These systems are not connected to external systems, ever, except by a form of data-diode for status indication. If you want to use/maintain/update them you must physically touch the actual systems.
PDR
* The "one thing" being that as you would expect for these kinds of systems one is not actually allowed to name or discuss them!
Air gapped, yes. And on some of the systems only specific company machines are allowed at a network level to connect, which belong to my department.
Expense is, unfortunately, a parameter which is very much an issue for any business...and something over which I have no sway.
Hmm. Banner ads for "GAP" are now appearing on my device....
Air-gapping Windows is secure enough if you have filled all your USB ports with epoxy and use PS/2 ports for your mouse and keyboard . . .
One of the problems is the huge amount of software out there that depends on .NET 2.0 (yes, I know that 3.5 supports it, but it's a PITA to get Windows to install it - IOD my ass).
Another is all the not so old hardware around that only speaks CIFS/SMB1 and you have to install chatty old CIFS.
So long as there is physical access to the machine (which includes you using it and plugging in a USB drive with stuff you brought home from work) there is no absolute security.
And the more you secure a machine the harder it is to use as a normal PC.
That said, it is possible to secure Windows tighter 'n a mouses ear'ole, but it requires an intimate knowledge of Windows internals and far too much time for me.
Best assurance is lots of tested backups (I've ditched MS' useless product and gone over to Macrium - much better) and a tested clean system image tucked away somewhere.
There isn't much you can do about the cut-down MINIX OS embedded in most modern mobos though - just pray.
Mac
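The two exposures Mac lists above, SMB1/CIFS still being spoken on the network and USB ports that are not physically disabled, are the ones a defender would audit on any Windows host that is allowed to talk to an isolated control network (the "computers you access the control system computers with" raised earlier in the thread). The PowerShell below is an added example, not code from the thread or from any poster; it assumes a Windows 8.1 / Server 2012 R2 or later host with PowerShell 5 or newer, since the `Get-WindowsOptionalFeature` and `Get-SmbServerConfiguration` cmdlets do not exist on XP itself. The `USBSTOR` start type and the `RemovableStorageDevices\Deny_All` policy value are the standard registry locations those controls live in.

```powershell
# Added example: audit a Windows host's legacy-protocol and removable-storage posture
# before it is allowed to connect to an isolated control network.
# Assumes Windows 8.1 / Server 2012 R2 or later and PowerShell 5+.

function Get-LegacyExposureReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # SMB1 as an installable Windows feature (client and server components).
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report['SMB1FeatureState'] = if ($smb1Feature) { $smb1Feature.State.ToString() } else { 'Unknown' }

    # Server-side SMB1 switch, independent of the feature being installed.
    $smbCfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $report['SMB1ServerEnabled'] = if ($smbCfg) { [bool]$smbCfg.EnableSMB1Protocol } else { $null }

    # USB mass-storage driver start type: 3 = load on demand (enabled), 4 = disabled.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    $report['USBStorageDisabled'] = if ($usbstor) { ($usbstor.Start -eq 4) } else { $null }

    # "All Removable Storage classes: Deny all access" policy, if it has been applied by GPO.
    $rsPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -Name Deny_All -ErrorAction SilentlyContinue
    $report['RemovableStorageDenyAll'] = if ($rsPolicy) { ($rsPolicy.Deny_All -eq 1) } else { $false }

    [pscustomobject]$report
}

function Test-Hardened {
    param([Parameter(Mandatory)][pscustomobject]$Report)

    $findings = @()
    if ($Report.SMB1FeatureState -eq 'Enabled' -or $Report.SMB1ServerEnabled) {
        $findings += 'SMB1 is still enabled. Disable it; if one legacy device genuinely needs it, isolate that device on its own segment.'
    }
    if (-not $Report.USBStorageDisabled -and -not $Report.RemovableStorageDenyAll) {
        $findings += 'USB mass storage is blocked neither by the USBSTOR start type nor by removable-storage policy.'
    }
    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

$r = Get-LegacyExposureReport
$r | Format-List
Test-Hardened -Report $r
```

Run it in an elevated session; the feature and SMB server queries need administrative rights. A null in the report means the setting could not be read, which on a host you are about to trust near a control network is itself worth a closer look rather than a pass.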
I suspect in B&T's case they may not do the prosecution stuff, but the idea of plugging your own USB device into a PC hosting a medically-critical system is probably a complete no-no in his place.
And the more you secure a machine the harder it is to use as a normal PC.
And of course neither of these is actually a deliverable machine doing the actual work. The deliverable machines have specific software configs, no general applications and a configuration that's so locked down you couldn't even change the desktop image without causing an exception.
That's what IA cases are all about.
PDR
Yes, PDR1, maybe not quite as tightly controlled as all your examples, but not far off.
Even as programmers/admins we struggle to get onto some of our machines. USB sticks/drives would certainly lead to an unfriendly chat with HR. Our controls machines are locked down, run only the controls applications and are not capable of being used to do 'normal' desktop work.
Last edited by Blues&twos; 1st Jan 2018 at 22:35.
In this case, the 2 things most likely to force an upgrade - and the expensive re-validation - would be the supplier of the control software ceasing support for the version of their product running on Windows XP, and failure of the existing PC hardware, as it is unlikely that XP drivers for new replacement hardware will be available.
I'm sure that the "powers that be" will have considered and mitigated the risks noted above, and presumably in the company's annual budget there's an amount set aside every year for the eventual and inevitable upgrade - just like an engine fund.
But given the isolation, there's no reason that XP can't go chuntering along happily for as long as the hardware and software holds out.
SD