We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

After worm, Siemens says don't change passwords

The worm uses a default password that, if changed, could crash industrial systems

Although a newly discovered worm could allow criminals to break into Siemens' industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone.

That's because changing the password could disrupt the Siemens system, potentially throwing large-scale industrial systems that it manages into disarray. "We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens Industry spokesman Michael Krampe in an e-mail message Monday.

The company plans to launch a website late Monday that will provide more details on the first-ever malicious code to target the company's SCADA (supervisory control and data acquisition) products, he said. The Siemens WinCC systems targeted by the worm are used to manage industrial machines in operation worldwide to build products, mix food, run power plants and manufacture chemicals.

Siemens is scrambling to respond to the problem as the Stuxnet worm -- first reported late last week -- starts to spread around the world. Symantec is now logging about 9,000 attempted infections per day, according to Gerry Egan, a director with Symantec Security Response.

The worm spreads via USB sticks, CDs or networked file-sharing computers, taking advantage of a new and currently unpatched flaw in Microsoft's Windows operating system. But unless it finds the Siemens WinCC software on the computer, it simply copies itself wherever it can and goes silent.

Because SCADA systems are part of the critical infrastructure, security experts have worried that they may someday be subject to a devastating attack, but in this case the point of the worm appears to be information theft.

If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website, Egan said.

"Whoever wrote the code really knew Siemens products," said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. "This is not an amateur."

By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products, he said.

Byres' company has been flooded with calls from worried Siemens customers trying to figure out how to stay ahead of the worm.

US-CERT has put out an advisory (ICS-ALERT-10-196-01) for the worm, but the information is not publicly available. According to Byres, however, changing the WinCC password would prevent critical components of the system from interacting with the WinCC system that manages them. "My guess is you would basically disable your whole system if you disable the whole password."

That leaves Siemens customers in a tough spot.

They can, however, make changes so that their computers will no longer display the .lnk files used by the worm to spread from system to system. And they can also disable the Windows WebClient service that allows the worm to spread on a local area network. Late Friday, Microsoft released a security advisory explaining how to do this.

"Siemens has started to develop a solution, which can identify and systematically remove the malware," Siemens' Krampe said. He didn't say when the software would be available.

The Siemens system was designed "assuming that nobody would ever get into those passwords," Byres said. "It's an assumption that nobody will ever try very hard against you."

The default username and passwords used by the worm's writers have been publicly known since they were posted to the Web in 2008, Byres said.


IDG UK Sites

Black Friday and Cyber Monday 2014 tech deals UK Live: Best Black Friday deals from Apple, Amazon,...

IDG UK Sites

Why are people still buying satnavs? Smartphones are the modern satnav

IDG UK Sites

New Star Wars trailer: Watch the VFX-laden teaser for The Force Awakens

IDG UK Sites

Black Friday 2014 UK: Apple deals, Amazon deals & Black Friday tech offers UPDATED