I was visiting an industrial firm this week and had a chance to walk around their shop floor to see their equipment. It was a mix of high and low tech, machines that cost several thousands of dollars sitting alongside some very primitive pieces of hardware. Unfortunately, these primitive things were PCs running Windows XP.
Now, I have a fond spot in my being for XP. Just playing that startup sound sends chills up my spine (well, almost). I spent a lot of time running it for various tests that I got paid to do back in the day when IT pubs paid for that sort of thing. I had a stack of VMs running various situations, along with a couple of real PCs that had different versions of XP that I maintained for years. It was only with some reluctance that I eventually gave them up. Since then I have rarely run any XP on anything, because it has been superseded by several newer (and supported) versions of Windows. It appears I am not alone: XP is still around: according to this report, it can be found on 3% of total PCs on consumer desktops, and I am sure that number doesn’t include those in industrial and embedded environments such as I witnessed this week. BTW, Microsoft ended support for XP five years ago, although earlier this year it did create a patch to fix the Bluekeep flaw for XP.
The XP PCs that I saw were used by the firm to control some of their pricey industrial machines. I have no idea the network infrastructure at this shop, nor how much protection was put in place to continue to use XP in their environment. But it almost doesn’t matter: if you have XP, you are basically hanging a sign outside your virtual door that says, “come on in and hack me.” It is just a matter of time before some bad actor finds and exploits these PCs. It is like leaving a jar of honey out. This post written to help consumers use XP more safely recommends, “stop using IE or go offline.” That is harder to do than you might think.
Most likely, replacing this equipment with a more modern version of Windows isn’t all that simple. The machinery has to be tested, and probably has code that needs to be rewritten to work on the newer Windows. And you will say, that is the entire point, and you would be right. But the firm isn’t going to stop using XP, because then they would be out of business. So they are in between a rock and a hard place, to be sure.
So here is a simple security test that you can try out in your business. How many endpoints do you have that are still running XP? Just take a census, using whatever automated tool you might have. Now walk around and see if you can find a few others that are hidden inside industrial equipment, or a printer server, or some other likely location. Do you have the right network isolation and protections in place? Can you do without an internet connection to these PCs? Why did your automated scanners fail to identify these devices? Can you get rid of them completely, or is the vendor still insisting on using XP for their equipment? I think you will be surprised, and not in a good way, what the answers are.
And for those of you that are running XP at home, do yourself a favor and take a trip this weekend to MicroCenter (or whatever is your local computer store) and buy yourself a new computer, and dispose of your old one (after first removing your hard drive). And if needed, conduct an appropriate memorial service to bid this OS a fond farewell.