PPRuNe Forums

Should we laugh or cry? Government pays Microsoft £5.5m to extend Windows XP support (https://www.pprune.org/computer-internet-issues-troubleshooting/537283-should-we-laugh-cry-government-pays-microsoft-5-5m-extend-windows-xp-support.html)

MG23 23rd Dec 2017 15:54


Originally Posted by Tocsin (Post 9998309)
Desktop Windows Version Market Share Worldwide - November 2017

So XP is still beating Windows 8 :).

And, don't forget, there are a ton of XP machines around doing stuff but not connected to the Internet, and certainly not used for web browsing where they might show up in some OS tracking analytics. I was using one at work yesterday that just runs a GUI connected to a few million dollars of specialized hardware, and there's another one running some test equipment for which there are no drivers for later versions of Windows.

Avtrician 24th Dec 2017 06:46


one running some test equipment for which there are no drivers for later versions of Windows.
Therein lies a big problem. There are many computers running custom or proprietary software that hasn't been upgraded to run on newer versions of Windows. If the software has been upgraded, it is ridiculously expensive and won't import the data from older versions.

le Pingouin 24th Dec 2017 07:35

If that's the case cut the network cable, pull out the wireless card and buy yourself a new computer to use on-line.

Blues&twos 31st Dec 2017 11:23

I work in the pharmaceutical industry. One of the most important and possibly expensive regulatory activities we perform on our control systems is extensive software qualification/validation.
Bearing in mind that most of our control systems are on closed networks (no internet connection) changing operating systems not only means complete local re-validation, but also involves the supplier often having to write bespoke software to make their applications run on a different OS. It is exceptionally time consuming and doesn't even guarantee everything will work correctly afterwards. During this effort, our plant may also not be available for drug production.
It's not a particularly good place to be, with obsolete OS and software, but the relatively quick pace at which IT stuff is obsolete effectively means we would spend a significant amount of our time not producing life saving drugs. Stuck between a rock and a hard place.

occasional 31st Dec 2017 13:55

Seems, in hindsight, that the government got things right. Was it 8 or Vista that was being introduced at the time?

le Pingouin 31st Dec 2017 14:46

Blues, sorry but no. Your organisation has known since before the system was purchased that WinXP had an expiry date. You've deliberately based your critical infrastructure on a system that will need to be routinely upgraded if it has any network connectivity to anything with an active USB port or an Internet connection (Iranian centrifuges, Stuxnet and SCADA anybody?).

The fact is you've chosen to ignore it due entirely to cost. All because whoever made the original purchasing decision was an idiot.

Blues&twos 31st Dec 2017 15:30

Well, I would agree with some of what you say, but any control system utilising PCs or not will be obsolete at some point.
If we didn't buy a computerised control system because the components will be obsolete in the future, we wouldn't be able to buy anything.
The project manager(s) at the time buying the latest available system doesn't make them idiots, as far as I can tell.
(I haven't been responsible for buying any of our systems, in case you were wondering).

Anything we use to make our products requires revalidation if 'upgraded', from standalone weighing scales to full blown SCADA systems.
Like I said not ideal, but realistically the organisation cannot justify the downtime and huge expense - and the frequency. I'd love it if they could.
None of our control systems have internet connectivity. We are not permitted to use USB sticks.

Heathrow Harry 1st Jan 2018 09:17

Lady Harry was involved with a major IT operation a few years back for a very very large organisation.

Every time they tried to move things they discovered another set of old software cheerfully doing its job and totally undocumented by the IT guys. I think the record was some 1962 stuff. Some of it had a UNIX/Windows front end bolted on but that was purely for look and feel.

It was so much part of the users' day-to-day they'd effectively forgotten about it - it was like the light switches - always had been there, always worked, never failed.

Oh, and of course it was lightning fast on modern machines..............

le Pingouin 1st Jan 2018 12:07

Blues, while none of the control systems may have a direct Internet connection, what about the computers you access the control system computers with? I very much doubt it's air-gapped.

Your organisation has still purchased a system that is too tightly bound to the OS being used and they aren't prepared to keep it updated due to expense. How can that be a smart purchase?

PDR1 1st Jan 2018 13:01

I strongly suspect that they very much ARE air-gapped. That's one of the most cost-effective approaches to a viable IA Case in very-high-integrity systems. If it weren't for one thing* I could name you well over a dozen UK state/military systems which run in an air-gapped environment for just this reason. These systems are not connected to external systems, ever, except by a form of data-diode for status indication. If you want to use/maintain/update them you must physically touch the actual systems.

PDR

* The "one thing" being that as you would expect for these kinds of systems one is not actually allowed to name or discuss them!

Blues&twos 1st Jan 2018 13:35

Air gapped, yes. And on some of the systems only specific company machines are allowed at a network level to connect, which belong to my department.
Expense is, unfortunately, a parameter which is very much an issue for any business...and something over which I have no sway.

Hmm. Banner ads for "GAP" are now appearing on my device....

Mac the Knife 1st Jan 2018 19:44

Air-gapping Windows is secure enough if you have filled all your USB ports with epoxy and use PS/2 ports for your mouse and keyboard . . .

One of the problems is the huge amount of software out there that depends on .NET 2.0 (yes, I know that 3.5 supports it, but it's a PITA to get Windows to install it - IOD my ass).

Another is all the not so old hardware around that only speaks CIFS/SMB1 and you have to install chatty old CIFS.

So long as there is physical access to the machine (which includes you using it and plugging in a USB drive with stuff you brought home from work) there is no absolute security.

And the more you secure a machine the harder it is to use as a normal PC.

That said, it is possible to secure Windows tighter 'n a mouse's ear'ole, but it requires an intimate knowledge of Windows internals and far too much time for me.

Best assurance is lots of tested backups (I've ditched MS' useless product and gone over to Macrium - much better) and a tested clean system image tucked away somewhere.

There isn't much you can do about the cut-down MINIX os embedded in most modern mobos though - just pray.

Mac

:8

PDR1 1st Jan 2018 20:09


Originally Posted by Mac the Knife (Post 10007558)
So long as there is physical access to the machine (which includes you using it and plugging in a USB drive with stuff you brought home from work) there is no absolute security.

This is where I think the misunderstanding lies. I can't speak for B&T, but in the sort of application I was describing "plugging in a USB drive with stuff you brought home from work" would certainly get you escorted from the room and summarily sacked and would probably see you arrested pending prosecution and the prospect of many years in jail.

I suspect in B&T's case they may not do the prosecution stuff, but the idea of plugging your own USB device into a PC hosting a medically-critical system is probably a complete no-no in his place.


And the more you secure a machine the harder it is to use as a normal PC.
Who cares, because you wouldn't be allowed to anyway. Again I'm guessing about B&T's machines, but in high-integrity systems in our place you just don't use the dedicated machines for "normal PC work". In my case I have two PCs on my desks at work - I have a laptop which is plugged into the lower-classification network for normal email, project management, expenses, word processing and spreadsheets, internet research etc. This machine can read USB devices if they are registered to the network and encrypted (using a secure volume browser which is only available on that network). The second machine is for secure project work and is a locked-down one on the "higher classification" network. This network is air-gapped to the rest of the world, and is very picky about what it will talk to. If you plug anything into that cable that it doesn't recognise the router disables the port. If you try to plug anything other than a specific type of keyboard & mouse into the USB ports the PC shuts down and won't restart until its hard drive is replaced with an unlocked one.

And of course neither of these is actually a deliverable machine doing the actual work. The deliverable machines have specific software configs, no general applications and a configuration that's so locked down you couldn't even change the desktop image without causing an exception.

That's what IA cases are all about.

PDR

Blues&twos 1st Jan 2018 21:17

Yes, PDR1, maybe not quite as tightly controlled as all your examples, but not far off.
Even as programmers/admins we struggle to get onto some of our machines. USB sticks/drives would certainly lead to an unfriendly chat with HR. Our controls machines are locked down, run only the controls applications and are not capable of being used to do 'normal' desktop work.

Saab Dastard 2nd Jan 2018 11:28

In this case, the 2 things most likely to force an upgrade - and the expensive re-validation - would be the supplier of the control software ceasing support for the version of their product running on Windows XP, and failure of the existing PC hardware, as it is unlikely that XP drivers for new replacement hardware will be available.

I'm sure that the "powers that be" will have considered and mitigated the risks noted above, and presumably in the company's annual budget there's an amount set aside every year for the eventual and inevitable upgrade - just like an engine fund.

But given the isolation, there's no reason that XP can't go chuntering along happily for as long as the hardware and software hold out.

SD


All times are GMT.