Yes, there's malware. But don't change your SCADA password, advises Siemens

Filed Under: Data loss, Malware, Podcast, Vulnerability

Power plant with password prompt
If you were in charge of some critical infrastructure (such as a power plant or manufacturing facility) and there was some malware which exploited a zero-day vulnerability in Windows which targeted your systems you might be pretty concerned, right?

In fact, if the malware (which we'll call Stuxnet) was programmed to know the default password used by the SCADA (Supervisory Control And Data Acquisition) systems which manage your critical operations you might want to seriously consider changing those default passwords, right? As a sensible precaution, yes?

Well, unfortunately, life is not that simple.

Although Siemens SCADA systems are being targeted by the Stuxnet malware (which, you will remember, exploits a zero-day Microsoft vulnerability in the way that Windows handles .LNK shortcuts, allowing malicious code to run when icons are displayed), the company is telling customers that they should not change their default passwords.

"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," Siemens spokesman Michael Krampe told journalists.

That's in spite of the fact that the password used by Siemens Simatic WinCC SCADA software was leaked onto the net some years ago.

Siemens are worried that if critical infrastructure customers change their Siemens WinCC SCADA password (to hinder the malware's attempt to access their system) they will stop Stuxnet being able to steal information, but could at the same time throw their systems into chaos.

This is a horrible situation. Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same (which results in any change to the password resulting in a right royal mess).

The Stuxnet attacks have prompted Siemens to publish a security advisory on its website.

Siemens security advisory

In a posting on its support forum, Siemens acknowledges the existence of Stuxnet, but appears to be looking to Microsoft to roll out a patch for the problem as soon as possible, and for anti-virus vendors - of course - to detect the SCADA-aware malware.

In the meantime, you could do a lot worse than listen to this podcast where Sophos experts Chet Wisniewski and Michael Shannon discussion the Windows Shortcut zero-day vulnerability and how to mitigate the risk.

Podcast: Windows Shortcut exploit - What is it, what are the risks?

One can only hope that lessons will be learnt once this ghastly mess is sorted out.

, , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley