Siemens warns Stuxnet targets of Scada password risk

Summary: Customers should not change the default passwords in WinCC Scada software, even though the Stuxnet malware is using them to infect systems, Siemens has advised

Siemens has advised its customers not to change the default passwords hard-coded into its WinCC Scada product, even though the Stuxnet malware, which uses those passwords to get into the control software, is circulating in the wild.

Changing the passwords could affect the operations of critical infrastructure organisations such as utilities companies and electricity suppliers, according to Siemens.

"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens spokesman Michael Krampe in a statement on Monday.

Stuxnet, which combines the characteristics of a rootkit, a worm and a Trojan, is currently infecting critical infrastructure systems around the world. It has already hit India, Iran, Indonesia and the US, among other countries.

The malware, which exploits a zero-day vulnerability in the way Windows handles shortcut files, is also programmed to log in to Siemens WinCC Scada software using a default password that is hard-coded into the product. Scada (supervisory control and data acquisition) systems are used by critical infrastructure organisations to monitor and control their industrial processes.

IT security professionals at affected critical infrastructure firms are caught between two undesirable outcomes: they can either accept the chance of infection by leaving the default password in place, or risk disrupting their systems by changing it, according to security company Sophos.

"This is a horrible situation," said Sophos senior technology consultant Graham Cluley in a blog post on Tuesday. "Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same (which results in any change to the password resulting in a right royal mess)."
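
To make the trade-off concrete, here is an added toy example in Python. It is written for this page and is not Siemens, WinCC or Sophos code; the account name, passwords and the in-memory database are all constructed for illustration. A client that embeds the vendor default stops working the moment the database password is rotated, while a client that reads its credential from per-site configuration can be rotated in step with the database, which locks out anyone relying on the default without causing an outage.

```python
"""Toy model of a hard-coded service credential versus a configured one.
Added example; nothing here is Siemens or WinCC code, and every account
name and password below is constructed for illustration."""

import secrets


class ToyDatabase:
    """Stand-in for a back-end database that authenticates a service
    account by password. Constructed for the example only."""

    def __init__(self, account: str, password: str) -> None:
        self._passwords = {account: password}

    def rotate(self, account: str, new_password: str) -> None:
        """Operator-side password change on the database."""
        self._passwords[account] = new_password

    def connect(self, account: str, password: str) -> bool:
        """Return True when the supplied credential is accepted."""
        return self._passwords.get(account) == password


# Constructed default credential standing in for whatever a vendor ships
# identically to every site. These are NOT real WinCC values.
DEFAULT_ACCOUNT = "svc_hmi"
DEFAULT_PASSWORD = "factory-default"


def hardcoded_client(db: ToyDatabase) -> bool:
    """Anti-pattern: the credential is compiled into the client, so the
    client only works while the database still holds the shipped default."""
    return db.connect(DEFAULT_ACCOUNT, DEFAULT_PASSWORD)


def malware_with_default(db: ToyDatabase) -> bool:
    """Anyone who has read the vendor default (malware included) can log in
    for exactly as long as the hard-coded client can."""
    return db.connect(DEFAULT_ACCOUNT, DEFAULT_PASSWORD)


def configured_client(db: ToyDatabase, config: dict) -> bool:
    """Hardened pattern: the credential comes from per-site configuration
    (in practice a protected config file or secret store), not source code."""
    return db.connect(config["account"], config["password"])


def rotate_with_config(db: ToyDatabase, config: dict) -> str:
    """Rotate the database password and the client's configuration together,
    so the legitimate client keeps working and the default stops working."""
    new_password = secrets.token_urlsafe(24)
    db.rotate(config["account"], new_password)
    config["password"] = new_password
    return new_password


def demo() -> dict:
    """Walk both clients through a password rotation and record who can
    still connect at each stage."""
    db = ToyDatabase(DEFAULT_ACCOUNT, DEFAULT_PASSWORD)
    config = {"account": DEFAULT_ACCOUNT, "password": DEFAULT_PASSWORD}
    out = {}

    # Stage 1: default still in place. Plant software works, and so does malware.
    out["default_hardcoded"] = hardcoded_client(db)
    out["default_malware"] = malware_with_default(db)

    # Stage 2: operator changes only the database password. The hard-coded
    # client breaks along with the malware: the dilemma the article describes.
    db.rotate(DEFAULT_ACCOUNT, "site-specific-password")
    out["rotated_hardcoded"] = hardcoded_client(db)
    out["rotated_malware"] = malware_with_default(db)

    # Stage 3: configuration-driven client rotated in step with the database.
    rotate_with_config(db, config)
    out["rotated_configured"] = configured_client(db, config)
    out["rotated_configured_malware"] = malware_with_default(db)
    return out


if __name__ == "__main__":
    for stage, ok in demo().items():
        print(f"{stage:28s} {'connects' if ok else 'locked out'}")
```

The point of stage 3 is that rotation is only safe when the credential lives in data the operator controls rather than in the vendor's binary; the same rotation that breaks the hard-coded client is harmless to the configured one.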

Siemens declined to comment further on Tuesday, but it did say in a security advisory posted on its support forum on Tuesday that it is working with Microsoft to resolve the issue at the Windows operating system level. In addition, ZDNet UK understands that Siemens is rethinking the use of hard-coded default passwords in its systems.

Tom Espiner
