Siemens warns users: Don't change passwords after worm attack

The worm uses a default password that, if changed, could crash Siemens' large-scale industrial automation systems

Although a newly discovered worm could allow criminals to break into Siemens' industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone.

That's because changing the password could disrupt the Siemens system, potentially throwing large-scale industrial systems that it manages into disarray. "We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens Industry spokesman Michael Krampe in an email message Monday.

[ InfoWorld's Woody Leonhard explains the workings of the new rootkit exploit. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

The company plans to launch a website late Monday that will provide more details on the first-ever malicious code to target the company's SCADA (supervisory control and data acquisition) products, he said. The Siemens WinCC systems targeted by the worm are used to manage industrial machines in operation worldwide to build products, mix food, run power plants and manufacture chemicals.

Siemens is scrambling to respond to the problem as the Stuxnet worm -- first reported late last week -- starts to spread around the world. Symantec is now logging about 9,000 attempted infections per day, according to Gerry Egan, a director with Symantec Security Response.

The worm spreads via USB sticks, CDs, or networked file-sharing computers, taking advantage of a new and currently unpatched flaw in Microsoft's Windows operating system. But unless it finds the Siemens WinCC software on the computer, it simply copies itself wherever it can and goes silent.

Because SCADA systems are part of the critical infrastructure, security experts have worried that they may someday be subject to a devastating attack, but in this case the point of the worm appears to be information theft.

If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website, Egan said.

"Whoever wrote the code really knew Siemens products," said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. "This is not an amateur."

By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products, he said.

Byres' company has been flooded with calls from worried Siemens customers trying to figure out how to stay ahead of the worm.

US-CERT has put out an advisory (ICS-ALERT-10-196-01) for the worm, but the information is not publicly available. According to Byres, however, changing the WinCC password would prevent critical components of the system from interacting with the WinCC system that manages them. "My guess is you would basically disable your whole system if you disable the whole password."

That leaves Siemens customers in a tough spot.

They can, however, make changes so that their computers will no longer display the .lnk files used by the worm to spread from system to system. And they can also disable the Windows WebClient service that allows the worm to spread on a local area network. Late Friday, Microsoft released a security advisory explaining how to do this.

"Siemens has started to develop a solution, which can identify and systematically remove the malware," Siemens' Krampe said. He didn't say when the software would be available.

The Siemens system was designed "assuming that nobody would ever get into those passwords," Byres said. "It's an assumption that nobody will ever try very hard against you."

The default username and passwords used by the worm's writers have been publicly known since they were posted to the Web in 2008, Byres said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's email address is robert_mcmillan@idg.com.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies