Yes, there's malware. But don't change your SCADA password, advises Siemens

Filed Under: Data loss, Malware, Podcast, Vulnerability

If you were in charge of some critical infrastructure (such as a power plant or manufacturing facility) and there was some malware which exploited a zero-day vulnerability in Windows and targeted your systems, you might be pretty concerned, right?

In fact, if the malware (which we'll call Stuxnet) was programmed to know the default password used by the SCADA (Supervisory Control And Data Acquisition) systems which manage your critical operations, you might want to seriously consider changing those default passwords, right? As a sensible precaution, yes?

Well, unfortunately, life is not that simple.

Although Siemens SCADA systems are being targeted by the Stuxnet malware (which, you will remember, exploits a zero-day Microsoft vulnerability in the way that Windows handles .LNK shortcuts, allowing malicious code to run when icons are displayed), the company is telling customers that they should not change their default passwords.

"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," Siemens spokesman Michael Krampe told journalists.

That's in spite of the fact that the password used by Siemens Simatic WinCC SCADA software was leaked onto the net some years ago.

Siemens are worried that if critical infrastructure customers change their Siemens WinCC SCADA password (to hinder the malware's attempt to access their system) they will stop Stuxnet being able to steal information, but could at the same time throw their systems into chaos.

This is a horrible situation. Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same (which results in any change to the password resulting in a right royal mess).

The Stuxnet attacks have prompted Siemens to publish a security advisory on its website.


In a posting on its support forum, Siemens acknowledges the existence of Stuxnet, but appears to be looking to Microsoft to roll out a patch for the problem as soon as possible, and for anti-virus vendors - of course - to detect the SCADA-aware malware.

In the meantime, you could do a lot worse than listen to this podcast, where Sophos experts Chet Wisniewski and Michael Shannon discuss the Windows Shortcut zero-day vulnerability and how to mitigate the risk.

Podcast: Windows Shortcut exploit - What is it, what are the risks?

One can only hope that lessons will be learnt once this ghastly mess is sorted out.


About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.