Windows XP – Closed source software that puts nuclear plants at risk

UK nuclear power station
We are used to hearing about computer viruses, and I am aware of many people’s Windows computers that have been rendered practically useless by adware / spyware installed from random clicks (until the computer was wiped and the operating system reinstalled). It is one thing to have the inconvenience of having to reinstall the operating system on a home PC, but it’s another thing altogether when that computer is running the critical systems for a nuclear power station.

This article highlights the threat based on a virus written specifically to target nuclear power stations – "Stuxnet: UK and US nuclear plants at risk as malware spreads outside Russia". Whilst the risk of a virus (or, in the case of Stuxnet, a worm) infecting a nuclear power plant is frightening, this is an even bigger concern as the systems running Windows XP will not be getting the security updates that are being created at the moment. Microsoft will stop providing security updates from April 2014, so vulnerabilities found after that date will not be fixed through the security update process. Whilst it may still be possible to purchase support from Microsoft, as I understand it they will not proactively create fixes based on security risks [1].

As the typical lifespan of a power station is 20 to 30 years [2], this means that, if running a Microsoft operating system, they will need to upgrade to a completely new computer control system once or twice over the life of the power station to continue to receive Microsoft software updates. As the process of migrating to a new system comes with such a high risk, it appears that instead they continue to run using operating systems that are out of support.

There is an alternative, but not when using proprietary closed source software. If the source code to the operating system was available, then the company that supports the software for the rest of the systems could continue to support the operating system as well. This doesn’t necessarily need to be free or open source software, but it should not be software for which the source code is not available to the support company. Furthermore, if it is free, open source software, then they would be able to take advantage of the research and fixes provided by the rest of the community, which would need less effort than supporting an entire operating system themselves.

There are other advantages to using open source software as well. Whilst it is still possible to get viruses for Linux and other free operating systems, the security built into the operating system makes it harder for viruses to infect and propagate across the machines. Whilst the added security in Windows XP and later should have made this less likely for Windows as well, in reality most people still run Windows systems as an administrator, whereas most users of Linux would only use administrator (root) privileges when required, minimising the opportunity for a virus or worm to get the required privileges.

Personally, I would feel much safer if nuclear power plants were running a supported open source operating system (supported by either an operating system company or by another software company) than I do with them running on an out-of-date closed source operating system with limited (if any) support for security fixes.