Thursday, July 22, 2010

Default Passwords and SCADA: Siemens Fails

Finally we're seeing malware in the wild targeting SCADA systems. What is the root cause analysis? Siemens have a default password. Of course, Siemens are not advising their clients to change it for fear of breaking communications between WinCC and the database.

I can appreciate Siemens' concern about interrupting business operations, but time and time again - fear of interrupting business is not a reason for ignoring security threats. It is a consideration - sure - but not a reason for ignoring them.

This is a prime example of security fail.

Why can't Siemens advise changing the password but stress the potential business implications? Other mitigating controls might include:
  • disabling USB drives,
  • application whitelisting,
  • operating system hardening,
  • segregation of management networks,
  • disallowing critical infrastructure direct Internet connectivity.
The list goes on. Why not advise clients how to change the password within the application and database? I'm obviously presuming it is permissible - if not, clearly it is a double fail.

Anyway, I realise SCADA infrastructure often runs on ancient, unsupported operating systems and patch levels, but other controls can be applied to reduce the attack surface and potential damage such malware can perform.

While this is an excuse that is often thrown around in enterprise environments time and time again, what is interesting now is that it is being thrown around in relation to critical infrastructure, (presumably) arising from industrial espionage.

Some relevant links from Siemens can be found here and here (official release) - and yes, Siemens' official release is terrible.

- J.

EDIT (23-7-2010): AusCERT have released a bulletin on this. It's a good writeup - I heartily encourage anyone interested in this subject to read it.
