Siemens’ password advice for Stuxnet victims

I was reading about Stuxnet and came across an article about Siemens’ advice to customers against changing the default passwords on their SCADA software.

Siemens advised its customers in July 2010 not to change the default passwords hard-coded into its WinCC SCADA product. As of July 23, 2010, Siemens is asking customers to get the “sysclean” tool from TrendMicro to remove the worm from infected computers.

Stuxnet is a computer worm that targets Windows-based Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes, such as Siemens’ WinCC/PCS 7 SCADA product. It includes the capability to reprogram the programmable logic controllers (PLCs), and that is what makes it dangerous. It uses the default passwords on these systems to gain control of the software.

But a couple of things jumped out at me when I read the new report.

  • Siemens is advising their customers that they should not change the default passwords in response to the Stuxnet worm.
    Why are they using default passwords in the first place? And that too in critical infrastructure systems software that can affect millions of people in an instant. They should have been changing passwords on install and thereafter at regular intervals.
  • It also appears that the default passwords are hard-coded into the software.
    I am not familiar with these systems, but hard-coding passwords has been considered a mistake for as long as I can remember. Since they are recommending that the passwords should not be changed, I am guessing that there is some way of changing them. What were they thinking when they built the software? Why would all these customers across the world allow the use of default passwords?

They probably thought that other technologies (such as firewalls) would prevent attacks from reaching these systems in the first place. But in my experience, new attacks and ways of circumventing existing protections are coming out all the time. One system depending on other systems to provide protection does not usually work. Fundamentally, each individual system has to be strong and robust on its own: follow secure coding practices and processes such as not hard-coding passwords, changing passwords regularly, using strong passwords, and so on.
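As an added illustration (not Siemens’ code and not part of the original post), here are the three practices just listed turned into a startup policy check: a credential is rejected if it is compiled into the program, matches a catalogued vendor default, has not been rotated recently, or is too short. The account name, the default-secret list and the dates are constructed for the example.

```python
"""Credential policy check: the practices argued for above, as a startup test."""
from dataclasses import dataclass
from datetime import date
import hashlib

# Constructed sample: SHA-256 fingerprints of vendor-shipped default secrets
# that an operator has catalogued. Holding digests, not the strings, keeps
# the defaults themselves out of the deployed program.
KNOWN_DEFAULT_DIGESTS = {
    hashlib.sha256(b"changeme").hexdigest(),
    hashlib.sha256(b"admin").hexdigest(),
}
SAMPLE_TODAY = date(2010, 7, 23)  # the date of the advisory discussed above

@dataclass
class Credential:
    username: str
    secret: str
    last_rotated: date   # when the operator last changed the secret
    source: str          # "compiled-in", "config-file" or "secret-store"

def check_credential(cred: Credential, today: date,
                     max_age_days: int = 90, min_length: int = 12) -> list[str]:
    """Return every policy violation found; an empty list means the credential passes."""
    problems = []
    if cred.source == "compiled-in":
        problems.append("secret is hard-coded in the application")
    if hashlib.sha256(cred.secret.encode()).hexdigest() in KNOWN_DEFAULT_DIGESTS:
        problems.append("secret matches a known vendor default")
    if (today - cred.last_rotated).days > max_age_days:
        problems.append(f"secret not rotated in {max_age_days} days")
    if len(cred.secret) < min_length:
        problems.append(f"secret shorter than {min_length} characters")
    return problems

# Constructed samples: the situation the post criticises, and the remedy it asks for.
SHIPPED_DEFAULT = Credential("hmi_svc", "changeme", date(2008, 1, 1), "compiled-in")
ROTATED_SECRET = Credential("hmi_svc", "wq7!Lz#4Tp9vRb2e", date(2010, 7, 1), "secret-store")

def audit_samples(today: date = SAMPLE_TODAY) -> dict[str, list[str]]:
    """Run the check over both samples so the contrast can be inspected or tested."""
    return {
        "shipped_default": check_credential(SHIPPED_DEFAULT, today),
        "rotated_secret": check_credential(ROTATED_SECRET, today),
    }

if __name__ == "__main__":
    for name, problems in audit_samples().items():
        print(name, "->", problems or ["OK"])
```

The shipped default fails all four rules at once, which is exactly the combination the post objects to; the externally stored, recently rotated secret passes cleanly.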

Maybe now, clients will start to insist on better practices from these application vendors.