What is an Obsolete Operating System?

We all know what an operating system is! But when it is no longer needed due to various reasons like business needs, competition, software changes, or the release of a new software version, the former version turns obsolete, and the updates will no longer be issued by the vendor including updates related to cybersecurity which creates a security risk. This applies to many industries, from Healthcare to, automobile to shipping industries. Technically operating systems do not really need to be obsolete, but from a marketing perspective, Yes! Because the customers always want the latest technology.

Let us take a marine industry example- A navigation software used by the marine pilots may be improved with significantly enhanced features leading to the release of a new software version and hence replaces the older version.

One of the reasons for companies to upgrade the OS is due to fear. There is an ideology that, the older copy of software is more prone to attacks, and this holds true for most cases as thieves and hackers have learned how to break the boundaries.

Old unpatched OS is always at cybersecurity risk. Any company that provides the software service must make sure to regularly fix the bugs, which otherwise would wreck the software, and the cost of the incident would be higher than the cost of upgrading.

Risks associated with obsolete operating system in Marine Technology.

Unsupported software is a hacker’s best friend and risk comes in numerous structures. An obsolete Operating system with regularly realized weaknesses might be the most serious issue for PC clients, however obsolete applications likewise compromise your own data.

Unmaintained system-. An unmaintained operating system can be sparked by the ship’s crew either unintentionally or maliciously hence exposing to more vulnerabilities, and the malicious hackers are well equipped to exploit them.

According to the BIMCO survey [1], the most vulnerable systems onboard ships are positioning systems (GPS, AIS, Radar), ECDIS, engine control, and monitoring.

ECDIS can be compromised to modify files and insert malicious content. An ECDIS compromise can take over the whole INS or display the vessel in a false position. A cyberattack can mislead a ship as, for example, in 2016 when two naval ships were misdirected in the Persian Gulf. Another example happened in February 2017. Cybercriminals reportedly took control of the navigation systems of a German-owned 8250 TEU container vessel. The crew attempted to regain control and had to bring IT experts on board to solve the situation. The case serves as a “pre-warning” about hackers’ abilities to gain control over the vessels to carry out, for instance, kidnap and ransom. Another potential cyberspace vulnerability is the Voyage Data Recorder (VDR), from its connection to other ship systems that links to online services through satellite communications. However, the risks related to VDR weaknesses is, according to Kala, marginal, since VDRs do not directly control the movement of a vessel.

Mass Interruption– Millions of dollars can be lost with just an outdated operating system. Consider the NotPetya attacks of 2017 which caused more than $1,000,000,000 of damage to Maersk due to a flaw in an outdated version of Microsoft windows.

No Security Patches– This is the biggest risk when running an unsupported operating system. Once the updates and security patches stop, it opens doors to hackers.

Risk of losing data security– With the availability of confidential and high-profile data in an organization, a breach can be very costly, and the organization could be legally liable for non-compliance.

Fraud– An organisation’s network can be crippled with prolific malware like Ransomware that spreads like wildfire. One of the examples is the worldwide May 2017 WannaCry attack, where more than 50% of the systems were using end-of-life Windows 7 software.

Preventive measures

1. Keeping the operating system up to date is the best method to keep away the vulnerabilities, hence avoiding system crashes and losing more money to fix than getting the update done.
2. Make sure to install security updates and patches once notified. Once the developer sends a notification that the current version will no longer be valid, make sure to transfer to the updated version once available.
3. Many organizations are moving their software function to cloud, and this will take charge to update the software automatically and your system will never become outdated.
4. Even if one component of the system goes obsolete, make sure to update and patch other components of the system. For example, continue to update the anti-malware and browsers even if the underlying operating system gets obsolete.
5. Mitigate away from compromise by beginning with short-term actions, by avoiding the deployment of obsolete software, upgrading the high-risk end-user devices and servers for remote access, that are more prone to network-based attacks.

Reference

IHS-BIMCO-Survey-Findings—Story in Numbers. Available online: https://cybersail.org/wp-content/ uploads/2017/02/IHS-BIMCO-Survey-Findings.pdf (accessed on 4 August 2020).

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/