Major U.S. Refineries at Risk of Cyberattacks as Many Carry On Using Windows XP
Written by: jiajiasnow

The end of life of Microsoft's Windows 7 operating software is nearly upon us, with the company saying its updates and patches to the widely used interface will cease after January 14, 2020. In such circumstances, nearly everybody would think that critical plant control system operators should be in a mad scramble to upgrade to the latest version.

Yet astonishingly, key U.S. coal and oil infrastructure facilities use plant control systems underpinned by Windows XP, an even earlier legacy operating software that Microsoft stopped providing patches and upgrades for in 2014.

Your correspondent found 10 facilities, of varying throughput scale, in three U.S. Gulf Coast states including Texas still operating plant control systems underpinned by outdated Microsoft operating software. Confidentiality and security clauses of site visits prevent naming the facilities directly, yet the issue is a serious and widespread concern stateside, according to feedback from plant automation solutions providers such as General Electric Automation and Controls, Emerson and Honeywell.

Aggregation of U.S. industry data suggests around a fourth of the oil and gas downstream customers of the world's big five plant automation vendors stateside remain on Windows XP, despite the recent WannaCry ransomware attack, coupled with other high-profile cyber intrusions, that exposed the vulnerability of legacy software.

But what might shock the public hardly comes as a surprise to industry insiders. Brendan Sheehan, Senior Director of Marketing at Honeywell Process Solutions, the multinational company's automation division, says upgrading dilemmas for conservative industries such as petrochemicals and refining are not new and go back almost 40 years.

"That's when plant control systems started gradually migrating from proprietary software the vendors came up with to largely MS Windows-underpinned operating software, owing to cost savings. In short, refining and petrochemical plant operators will buy a control system from us and expect it to run 25 to 30 years, and they will often ask us to guarantee supporting it for that period, and we do.

"Before the turn of the 1990s, when we had proprietary software, such systems were secure and bespoke but admittedly quite expensive. Then MS Windows platforms started bringing volume, scalability and lower costs, which are visible even today. We initially thought, let's go for Linux, which was more secure and attuned to industrial usage, and more robust than Windows NT at that time. But it wasn't as familiar to customers and users, so Windows won."

As the refining complex, and indeed manufacturing as a whole, has moved towards the MS Windows world, plant operators now find themselves on a platform that progresses much more quickly than they would like.

The industry has to accept upgrades much more often, and vendors whose plant control systems use MS Windows have little choice but to accept each and every upgrade, and press customers to do likewise. That is all they are able to do.

"We are telling customers you should move; we cannot support you when you are on Windows XP. But you can't force the criminals to move. You have instances of cybersecurity breaches, most of which don't get through to the public domain. By some measures, Honeywell counts 30,000 intrusions or attempts at intrusions every day. An outdated system makes protecting customers really hard, though possible," Sheehan says.

Gavin Mead, Principal in KPMG's Cybersecurity Services, also deems the findings unsurprising, as upgrading a plant control system in a conservative industry is not as simple as installing an update and rebooting your laptop or desktop. It carries major cost and downtime implications for the refinery or petrochemical plant concerned.

"Unlike in the [administrative or back-office] IT environment, more often than not the plant IT hardware used in an industrial setting is tightly coupled with the physical equipment it manages or monitors. Upgrading the IT components could require replacing the entire module (i.e., IT equipment plus the physical components), and maybe even the whole line, depending on the control system architecture.

"Furthermore, several of these legacy IT systems support 'disconnected assets,' meaning physical devices which do not communicate over a network - for example, very expensive mass spectrometers."

It creates massive challenges for operators, even where the willingness to upgrade isn't lacking. While not belittling the concerns over cyber attacks on plant control systems, Mead reckons their segregation from the conventional IT used for plant operations does offer some modicum of safety.

"These systems are known to have un-fixable vulnerabilities in most cases [that vendors can't help with and Microsoft won't provide upgrades for any longer], but as opposed to the conventional IT environment, where everything is highly connected and users are interacting with unknown Internet services continually, the industrial environment must really be much more segregated, static and controlled, enabling a greater tolerance for aged IT systems."

Be that as it may, another issue Sheehan flags is that bespoke apps written for specific customers raise further complexities. Being "bespoke," they are designed solely for the operating system they are written on. This is likely to cause issues when the plant eventually attempts to upgrade the operating software, given that the apps might require changes too. All of this takes considerable time and, including the installation of headline patches, requires careful planning.

"In fact, patching is another challenge altogether. We write patched software for customers and make it available as deemed necessary. But normally you want to be in a controlled environment when running those patches, not on a running plant, and of course not during something critical.

"And the issuance of patches has become more frequent. You are required to remain constantly attuned to updates and patches. For that reason the Human Machine Interface (HMI) had to be made separate from the control system, so that it can be upgraded without upgrading the control system itself - that is how in the end we handle some of the processes and challenges. But admittedly, for an HMI you really are susceptible to Microsoft."

Meanwhile, since the usage of Windows 7 is far from over despite repeated warnings to the industry, Honeywell, Yokogawa Electric, GE, ABB and Emerson have all acknowledged they are well on the way to alerting their end customers, both within and beyond the oil and gas sector, about getting ready for the end of life of Windows 7.

That is a pretty onerous exercise by itself, as global research firm Gartner reckons Windows 7 is among Microsoft's most popular Windows operating software, well above the usage penetration of even Windows XP. All the vendors can do is alert end customers, but whether the plant controllers pay heed is another matter.

There is certainly no disputing that a breach of a plant control system can have devastating consequences. Within a refining and petrochemical landscape, obvious reputational damage, downtime and financial costs aside, risks could extend to environmental damage, loss of life, fail-safe shutdowns and system destruction. At some point soon, those on outdated systems must truly ask themselves: Is it really worth the risk? Ignoring it could have devastating consequences.





Published: Tuesday, 5 Tir 1397