There’s Passwording and there’s Security

Kim Zetter’s article for Wired tells us that “SCADA System’s Hard-Coded Password Circulated Online for Years” – see the article at http://www.wired.com/threatlevel/2010/07/siemens-scada/#ixzz0uFbTTpM0 for a classic description of how a password can have little or no value as a security measure.

Zetter quotes Lenny Zeltser of SANS as saying that “…anti-virus tools’ ability to detect generic versions of the exploit have not been very effective so far.” We now detect it as LNK/Exploit.CVE-2010-2568, but our lab will be delighted to improve the detection if SANS has a sample we don’t detect. ;-)

Costin Raiu, however, has an interesting take on the code signing issue that Pierre-Marc flagged here yesterday, suggesting that JMicron and Realtek might both have been infected by malware such as Zbot (Zeus) that steals digital certificates.

I had an interesting chat this morning with Jeremy Kirk of IDG, but that’s an angle that hadn’t occurred to me. Jeremy’s article “Eset Discovers Second Variation of Stuxnet Worm” is here.

Dan Raywood of SC Magazine also looked at the issue here and quoted my earlier blog, and Jim Finkle of Reuters quoted Siemens, Microsoft, and our own Randy Abrams here. Randy was also quoted by Richard Adhikari in a TechWorld article here.

Hat tip also to Bob McMillan for pointing me to the US-CERT advisory at http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Author David Harley, ESET

2 Responses to “There’s Passwording and there’s Security”

  1. Jake Brodsky, PE says:

    I am an industrial controls engineer. I am a customer of companies like Siemens, though we don’t use much of their gear and we do not use WinCC. Allow me to point out some realities that are probably outside your experience.

    There are two issues here: one strategic and one tactical. Strategically Siemens made a huge error by embedding the same access account and password in this product for year after year – and then expecting it to stay secret. No-one disputes that this was a very foolish decision.

    However, tactically, it is impractical to take down a WinCC system on a whim. THIS IS A WHIM! The process systems can be isolated from other networks. Large processes are often very difficult to shut down and make safe enough for a control system patch to be tested and deployed properly. There are applications where that option doesn’t exist for several months at a time.

    The solution instead is to isolate the system. It used to work that way before. It can work that way again.

    The office doesn’t NEED real time data from the control system. It wasn’t so long ago that we used to use pencils and clip boards to move data back and forth. There isn’t that much information that has to move here.

    So we can keep the network isolated and we can do the Microsoft work-around that uglifies short-cut Icons. This is what Siemens is recommending. It is a reasonable tactical move. Throwing new software (without the backdoor and all the stuff that was tied to it) at this problem is likely to cause even more trouble than it saves.

    The original installations were carefully tested and validated with physical product and ridiculous numbers of employee hours. Any new software will be subjected to similar regimens. It is expensive, it can be dangerous, and the logistics are not trivial. Nobody shuts down a large steam boiler casually just for a software update.

    As a Control Systems Vendor, Siemens knows this. I’m thunderstruck with Siemens’ thinking that long term backdoor user and password combinations could remain secret. But the problem is in the field right now, and it needs to be dealt with right now on systems that may not be safely taken down and revalidated for months.

    You can argue that it shouldn’t be that way, but that’s what is. This is not an office. The information is not front and center here. This is about an industrial process that often runs 24/7/365. That’s the reality. Siemens is making the best of a very poor decision.

    Over the longer term, yes, we do need to build better industrial control software. And one of the first things we need to do is to wean ourselves off of cheap, relatively unreliable office software. Organizations such as NASA have managed to do this with spacecraft. It is time we took a second look at what they do and think about how we could apply their techniques more inexpensively.

  2. Charles Jeter says:

    @ Jake: Word…. Isolation is the key. I've seen far too many vendors of wireless data monitoring devices implement poor security – and web accessibility is not a selling factor in my opinion.

20 Jul 2010