48,000 Windows XP PCs are still running at TEPCO … which are the risks?

Which is the impact of the Windows XP End of Life on the critical infrastructure? Recently a Government audit found 48,000 XP PCs still running at TEPCO.

One year ago the end of life for Microsoft Windows XP raised a heated debate on security for all the infrastructure that still adopts the popular OS. Windows XP was widely adopted in critical environments, Supervisory (computer) systems, Programmable logic controllers and Human–machine interface applications are still based on XP systems, and starting from April 8th 2014 they don’t receive security updates.

Consequences of Windows XP end of life can be serious if critical infrastructure owners took no actions, the number of cyber attacks is continuously increasing serious repercussions on the ability of organizations to comply with security standards.

Organizing an attack against a critical infrastructure could be dramatically easier for skilled hackers, the Open Internet and the underground provide all the necessary tools and services to target system based on the dismissed Windows XP.

Clamorous the case of The Tokyo Electric Power Company (TEPCO), operator of the Stricken Fukushima Daiichi nuclear energy plant that announced a massive migration of 48,000 Windows XP machine to a newer OS.

TEPCO was recently audited by a Japanese organization, the Japan Board of Audit, which oversees the finances of Japan’s government and government agencies. The Board of Audit is interested in TEPCO because Japan is keen to see the company pay for

The Board of Audit inspected the TEPCO company following the Fukushima disaster and the request of the authorities to reclaim the area.

The audit was conducted in March with the intent to analyze the operations at TEPCO and support the company to pay the fee decided by the authorities. The Japan Board of Audit discovered that nearly 48,000 PCs running Windows XP at TEPCO were exposed online and were not upgraded for cost reduction. The circumstance if is we consider the possible repercussion on the security of the company. Upgrades may even have been deferred to 2019, according to

Upgrades may even have been postponed to 2019, according to an official statement released by the TEPCO company. The Board of Audit evaluated the priority established by TEPCO considering the risk of exposure to cyber attacks and decided that the XP machine must be considered an urgent issue to solve.


“Upgrading the operating system must be done as swiftly as possible, and the firm must not push it back, given the security risks,” reported the Board of Audit.

Let consider that the National Institute of Information and Communications Technology revealed that more than 25 billion cyber attacks hit  systems in Japan during 2014.

“The company decided, on its own initiative, to move up the deadline to update the software due to system security concerns,” said a Tepco spokesman according to The the Japan Times.

The decision of the Board is flawless if we consider that energy companies are always under attack and that possible consequence could be disastrous as happened to Saudi Aramco where a computer virus infected nearly 30,000 work stations.

If you are interested on the risks related to adoption of XP systems in critical infrastructure after the end of life give a look to a presentation I made last year on the topic at the Security Summit.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase