Yes, there’s malware. But don’t change your SCADA password, advises Siemens

Yes, there's malware. But don't change your SCADA password, advises Siemens

Power plant with password prompt
If you were in charge of some critical infrastructure (such as a power plant or manufacturing facility) and there was some malware which exploited a zero-day vulnerability in Windows which targeted your systems you might be pretty concerned, right?

In fact, if the malware (which we’ll call Stuxnet) was programmed to know the default password used by the SCADA (Supervisory Control And Data Acquisition) systems which manage your critical operations you might want to seriously consider changing those default passwords, right? As a sensible precaution, yes?

Well, unfortunately, life is not that simple.

Although Siemens SCADA systems are being targeted by the Stuxnet malware (which, you will remember, exploits a zero-day Microsoft vulnerability in the way that Windows handles .LNK shortcuts, allowing malicious code to run when icons are displayed), the company is telling customers that they should not change their default passwords.

“We will be publishing customer guidance shortly, but it won’t include advice to change default settings as that could impact plant operations,” Siemens spokesman Michael Krampe told journalists.

That’s in spite of the fact that the password used by Siemens Simatic WinCC SCADA software was leaked onto the net some years ago.

Siemens are worried that if critical infrastructure customers change their Siemens WinCC SCADA password (to hinder the malware’s attempt to access their system) they will stop Stuxnet being able to steal information, but could at the same time throw their systems into chaos.

This is a horrible situation. Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn’t be hard-coded to expect the password to always be the same (which results in any change to the password resulting in a right royal mess).

The Stuxnet attacks have prompted Siemens to publish a security advisory on its website.

Siemens security advisory

In a posting on its support forum, Siemens acknowledges the existence of Stuxnet, but appears to be looking to Microsoft to roll out a patch for the problem as soon as possible, and for anti-virus vendors – of course – to detect the SCADA-aware malware.

In the meantime, you could do a lot worse than listen to this podcast where Sophos experts Chet Wisniewski and Michael Shannon discussion the Windows Shortcut zero-day vulnerability and how to mitigate the risk.

Podcast: Windows Shortcut exploit – What is it, what are the risks?

One can only hope that lessons will be learnt once this ghastly mess is sorted out.