Andrew Bond, Industrial Automation Insider

July 6, 2010

Microsoft Extended Support and Security Updates for Windows 2000 expire this coming July (2010). That will only be of passing historical interest to the IT, business and home computing world, which has probably lost count of the number of Windows releases it has enjoyed or been subjected to in the past decade. But as Torsten Rössel, director of Business Development with Phoenix Contact cyber security subsidiary Innominate, points out, for industrial users, who may well have large numbers of systems still running under the venerable operating system, the end of this particular era poses a significant challenge.

In fact, says Rössel, Microsoft has stuck with Windows 2000 a good deal longer than with some of its earlier offerings. The life-cycle policy for business and developer products currently provides for five years of mainstream support, which ended in 2005, and a further five of extended support up to this coming July, with security updates available for the full 10 years. By contrast, support for Windows 95 expired in December 2001, while that for Windows NT 4.0 lasted eight years to June 2004, as did that for Windows 98 which ended in July 2006.
 
And don’t get the idea that the need for security updates has diminished with time. Microsoft issued a total of 36 of relevance to Windows 2000 in 2008, of which it classified 19 as being in the highest "Critical" category and 16 as "Important," while the 2009 total was actually higher at 48, of which no fewer than 31 were Critical and a further 16 Important. Moreover, according to Rössel, at least one additional breed of malware appeared in each month of 2009 and required a new version of the Windows Malicious Software Removal Tool, which comes with the other monthly system updates. Among the malefactors were the Conficker worm and the Waledac and Bredolab Trojans, which laid unprotected systems open to a plethora of malware and spyware hosted on servers mainly in Russia and China. Clearly, with the expiration of Extended Support, Windows 2000 systems will be wide open to future threats.

In the IT world the obvious solution would be to upgrade to the new operating system as a matter of course. Upgrades in the industrial world, however, often have unintended consequences. Not only are new licenses costly, but also new versions of Windows often require new hardware and infrastructure. Most important, particularly in areas such as pharmaceuticals and food and beverage, new or upgraded systems will require approval by the appropriate regulatory authority.

Alternatives
One possible alternative to upgrading might be to isolate Windows 2000-based systems entirely from the external environment but, as Rössel explained, this is now almost impossible. Systems will almost certainly need to communicate with other nodes on IP-based networks and with the outside world. Effective isolation can, however, be achieved through a "defence in depth" approach based on industrial firewalls such as Innominate’s own mGuard offerings. Using "Stealth Mode" technology, these devices are completely transparent and automatically assume the MAC and IP address of the equipment to which they are connected, eliminating the need for additional addresses or for changes to the existing network configuration and providing protection in accordance with centrally configured rules.
 
Nor is such an approach confined to the protection of Windows 2000-based systems approaching the end of formal support. mGuard has also been used to protect Windows 95, Windows 98 and Windows NT systems in the automotive industry and elsewhere, as well as to protect systems based on more recent versions which, while still covered by Extended Support, are regarded by their users as "non-patchable" because of the risk of patches leading to unforeseen consequences or requiring resubmission of the solution for regulatory approval.