
How Will Windows XP End of Support Impact Your Embedded Systems?

Author: Boardcon   Date: 2014-04-14

With Microsoft’s announcement of the end of life of Windows XP on April 8, 2014, various embedded systems may be at risk. Leaving these systems unpatched and unprotected not only poses a risk to your business, but may also affect your security posture and your organization’s ability to meet compliance requirements, including Payment Card Industry (PCI) and HIPAA.

What exactly is Windows XP end-of-life?
Microsoft will no longer support its longtime operating system as of April 8. Most importantly, that means Microsoft will no longer issue security updates for vulnerabilities in XP. That's a huge deal when one considers that an estimated one quarter to one third of the world's desktops run XP.

For organizations slow or unwilling to migrate to a newer platform, what are some best practices?
For starters, they should conduct a risk assessment of their environment to determine where XP is running. That will allow them to drill down on XP devices and apply specific security controls to them. If the deployment of XP is much more widespread than anticipated, organizations should consider bulking up their overall network security, including deploying advanced anti-malware, intrusion detection and prevention, and network monitoring. And of course, obvious best practices like limiting privileges and ensuring all workstations are running the latest web browser version are critical.

I've been hearing that the support cutoff could have a big impact on XP-based embedded systems, like point-of-sale systems that handle credit card swipes. Is this true?
While Microsoft is maintaining support for Windows XP Embedded through 2016, support expires for the widely deployed Windows XP Professional for Embedded Systems - which is identical to Windows XP - on April 8. Given that news, retailers using POS systems should be aware of the risk following that date, especially given the alarming trend of POS malware incidents affecting retailers.

Most businesses are probably aware that they are running XP on their desktops, and that the end-of-life deadline is quickly approaching. It is less certain that the same applies to the many merchants running XP on their POS systems. Many don't even realize it. It's worrying.

Can I be out of compliance if I'm running XP on my POS systems?
As this article states, running XP on POS systems will violate PCI DSS 6.2, which requires retailers to install the latest security patches. We estimate that at least 30 percent of POS systems out there are running XP - and the sad fact is many merchants don't even realize it for any number of reasons, mostly due to simple unawareness.

If organizations have a compelling business case to maintain XP-based POS systems, then compensating controls - such as web application firewalls, whitelisting, IDS/IPS and patch support - can help them maintain compliance. Of course, the best option is to upgrade POS systems to Windows Embedded.