Siemens warns Stuxnet targets of Scada password risk

Customers should not change the default passwords in WinCC Scada software, even though the Stuxnet malware is using them to infect systems, Siemens has advised
Written by Tom Espiner, Contributor

Siemens has advised its customers not to change the default passwords hard-coded into its WinCC Scada product, even though the Stuxnet malware that exploits this critical-infrastructure control software is circulating in the wild.

Changing the passwords could affect the operations of critical infrastructure organisations such as utilities companies and electricity suppliers, according to Siemens.

"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens spokesman Michael Krampe in a statement on Monday.

Stuxnet, a piece of malware that combines the characteristics of a rootkit, a worm and a Trojan, is currently infecting critical infrastructure systems around the world. It has already hit India, Iran, Indonesia and the US, among other countries.

The malware, which exploits a zero-day vulnerability in the way Windows handles Microsoft shortcut files, is also programmed to take advantage of a hard-coded default password in Siemens WinCC Scada software. Scada — supervisory control and data acquisition — systems are used by critical infrastructure organisations to monitor and control their plant and process operations.

IT security professionals at affected critical infrastructure firms are caught between two undesirable outcomes: they can either accept the chance of infection or risk disrupting their systems by changing the passwords, according to security company Sophos.

"This is a horrible situation," said Sophos senior technology consultant Graham Cluley in a blog post on Tuesday. "Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same (which results in any change to the password resulting in a right royal mess)."
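The anti-pattern Cluley describes, an application that carries its own credential and expects it never to change, is worth seeing next to the form that allows rotation. The following is an added example written for this article, not Siemens or WinCC code; the variable names, the `open_session` call and the sample credential string are constructed placeholders. It contrasts a source file with a baked-in password against one that reads the credential from the environment and fails loudly if it is missing, and includes a small AST-based check of the kind a defender can run over a code base to flag string literals assigned to credential-looking names.

```python
"""Hard-coded credential anti-pattern vs. externalised credential, plus a
small static check. Added example; nothing here is Siemens or Stuxnet code.
All names and the sample credential value are constructed placeholders."""
import ast
import os

# Anti-pattern: the credential is baked into the program. Rotating it on the
# server side breaks every deployed copy until the code is rebuilt, which is
# why changing the password becomes an operational risk rather than a fix.
VULNERABLE_SOURCE = '''
DB_USER = "plant_ops"            # constructed placeholder
DB_PASSWORD = "changeme-1234"    # constructed placeholder, not a real value

def connect():
    return open_session(DB_USER, DB_PASSWORD)   # open_session is hypothetical
'''

# Hardened form: the credential lives outside the code (environment or a
# secret store), so it can be rotated without touching the application.
HARDENED_SOURCE = '''
import os

def connect():
    user = os.environ["PLANT_DB_USER"]
    password = os.environ["PLANT_DB_PASSWORD"]   # injected at deploy time
    return open_session(user, password)          # open_session is hypothetical
'''

# Substrings that mark a variable as credential-like for the static check.
SECRET_NAME_HINTS = ("password", "passwd", "pwd", "secret", "token")


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line, name) pairs where a string literal is assigned directly
    to a credential-looking name. A simple AST walk: it catches the common
    case shown above, not every way a secret can be embedded."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and any(
                hint in target.id.lower() for hint in SECRET_NAME_HINTS
            ):
                findings.append((node.lineno, target.id))
    return findings


def load_credential(var: str, environ=None) -> str:
    """Read a credential from the environment. Refuse to fall back to a
    built-in default: a missing or stale rotation should surface as an error,
    not silently reuse a value shared by every installation."""
    environ = os.environ if environ is None else environ
    value = environ.get(var)
    if not value:
        raise RuntimeError(
            f"credential {var} not provided; refusing to use a built-in default"
        )
    return value


if __name__ == "__main__":
    print("vulnerable:", find_hardcoded_credentials(VULNERABLE_SOURCE))
    print("hardened:  ", find_hardcoded_credentials(HARDENED_SOURCE))
```

The static check is deliberately narrow: it reports only string literals assigned to names containing a credential hint, so it will miss secrets passed inline as call arguments or built by concatenation. Its value is in being cheap enough to run in a pre-commit hook or CI job, where a new hard-coded credential is easiest to reject.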

Siemens declined to comment further on Tuesday, but it did say in a security advisory posted on its support forum on Tuesday that it is working with Microsoft to resolve the issue at the Windows operating system level. In addition, ZDNet UK understands that Siemens is rethinking the use of hard-coded default passwords in its systems.
