Stuxnet, SCADA and Third Party Vendors

Another zero-day attack, no big deal. Its nothing we haven’t seen. Except maybe for the vendor’s response.

Seimens uses a default password on their SCADA gear. This worm attacks it. Seimens had this to say about it (from PC World):

Siemens is advising that its customers not change the password because that can disrupt the system. Siemens plans to launch a Web site addressing the issue and how to remove the malware.

So…a third party vendor wants vulnerable customers to keep using the same weak and well-known password. How are companies with control systems supposed to work with this kind of response?

It’s no secret the password is 2WSXcder. You can find it on the Internet. This site, for example.

Vendors need to step up and take security more seriously. Period. Utilities can’t just decide they don’t like vendor X and go with vendor Y. SCADA gear is too costly (ever try replacing a power plant’s generator? The plant is built *around* the generator) and rate-payers rightly won’t stand for it.

Security is EVERYONE’S responsibility. From the customers, to the companies producing a product, to the vendors supplying those companies, to the government overseeing it all.

EDIT:

Symantec provides a little useful information surrounded in a bubble of speculation here.

Siemens responds with a fair attempt at a FAQ on the problem, some luke warm security advice, a 50MB “sysclean” tool that will be useless in a week, and with little in the way of hard fixes (as of this writing, Siemens customers still can’t change the dang default password) here.