AppSec Blog

Hard-Coded Password in Critical SCADA Software

Wired reports that a new piece of malware is using a hard-coded password in Siemens' Simantic WinCC SCADA system to access the underlying MS SQL Server database which contains information used to manage critical utilities and manufacturing facilities.

The article quotes Joe Weiss as saying "Well over 50 percent of the control system suppliers" have this problem and that "These systems were designed so they could be used efficiently and safely. Security was simply not one of the design issues."

It's unfortunate that this hard-coded password has been known about since 2008 especially considering that the malware appears to be targeting critical infrastructure. Is the bad press enough to get Siemens to do more about software security? What do you think will get software makers like Siemens to implement appropriate software security controls and create secure SDLC initiatives that result in more secure software?


Posted July 23, 2010 at 2:32 AM | Permalink | Reply


These systems were designed so they could be used efficiently and safely."
Safely has been redefined for the POBs. Security is part of safety, without security, nothing can be deployed safely.

Post a Comment - Cancel Reply


* Indicates a required field.