Although a newly discovered worm could allow criminals to break into Siemens' industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone. Although a newly discovered worm could allow criminals to break into Siemens’ industrial automation systems using a default password, Siemens is telling customers to leave their passwords alone. That’s because changing the password could disrupt the Siemens system, potentially throwing large-scale industrial systems that it manages into disarray. “We will be publishing customer guidance shortly, but it won’t include advice to change default settings as that could impact plant operations,” said Siemens Industry spokesman Michael Krampe in an e-mail message Monday.The company plans to launch a website late Monday that will provide more details on the first-ever malicious code to target the company’s SCADA (supervisory control and data acquisition) products, he said. The Siemens WinCC systems targeted by the worm are used to manage industrial machines in operation worldwide to build products, mix food, run power plants and manufacture chemicals. Siemens is scrambling to respond to the problem as the Stuxnet worm — first reported late last week — starts to spread around the world. Symantec is now logging about 9,000 attempted infections per day, according to Gerry Egan, a director with Symantec Security Response. The worm spreads via USB sticks, CDs or networked file-sharing computers, taking advantage of a new and currently unpatched flaw in Microsoft’s Windows operating system. But unless it finds the Siemens WinCC software on the computer, it simply copies itself wherever it can and goes silent.Because SCADA systems are part of the critical infrastructure, security experts have worried that they may someday be subject to a devastating attack, but in this case the point of the worm appears to be information theft. If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website, Egan said.“Whoever wrote the code really knew Siemens products,” said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. “This is not an amateur.”By stealing a plant’s SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company’s products, he said.Byres’ company has been flooded with calls from worried Siemens customers trying to figure out how to stay ahead of the worm. US-CERT has put out an advisory (ICS-ALERT-10-196-01) for the worm, but the information is not publicly available. According to Byres, however, changing the WinCC password would prevent critical components of the system from interacting with the WinCC system that manages them. “My guess is you would basically disable your whole system if you disable the whole password.”That leaves Siemens customers in a tough spot. They can, however, make changes so that their computers will no longer display the .lnk files used by the worm to spread from system to system. And they can also disable the Windows WebClient service that allows the worm to spread on a local area network. Late Friday, Microsoft released a security advisory explaining how to do this.“Siemens has started to develop a solution, which can identify and systematically remove the malware,” Siemens’ Krampe said. He didn’t say when the software would be available.The Siemens system was designed “assuming that nobody would ever get into those passwords,” Byres said. “It’s an assumption that nobody will ever try very hard against you.”The default username and passwords used by the worm’s writers have been publicly known since they were posted to the Web in 2008, Byres said. Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com Related content news Apple patches info-stealing, zero day bugs in iPads and Macs The vulnerabilities that can allow the leaking of sensitive information and enable arbitrary code execution have had exploitations in the wild. By Shweta Sharma Dec 01, 2023 3 mins Zero-day vulnerability Vulnerabilities Security feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff Dec 01, 2023 6 mins Technology Industry IT Skills Events news Conti-linked ransomware takes in $107 million in ransoms: Report A ransomware campaign linked to the ostensibly defunct Conti malware group has targeted mostly US businesses, in a costly series of attacks. By Jon Gold Nov 30, 2023 4 mins Ransomware news Okta confirms recent hack affected all customers within the affected system Contrary to its earlier analysis, Okta has confirmed that all of its customer support system users are affected by the recent security incident. By Shweta Sharma Nov 30, 2023 3 mins Data Breach Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe