While the rest of the world wondered what was happening with the Stuxnet worm, the Indian government's cyber defence team had already neutralised it.
According to the Department of Information Technology's Computer Emergency Response Team (CERT-In) it averted a disaster in India's energy sector by detecting the threat as early as July and advising state-run firms on a workaround to prevent attacks on computer systems controlling their operations.
Apparently on July 24, CERT-In director general Gulshan Rai wrote to oil ministry director P K Singh and the power ministry saying it had detected malware that was exploiting a recently disclosed zero-day vulnerability in the Microsoft Windows Shell.
Singh warned that Stuxnet was targeting certain components of SCADA systems. The trojan (a "computer mole") installed by the malware detects Siemens' SIMATIC WinCC and PCS 7 software, both devised for SCADA systems, and queries any databases it discovers using their default passwords.
He claimed that the Stuxnet trojan took over the password used by various components in a computer system for talking to each other.
Singh warned that the malware spread through USB drives and could also attack via network shares and via Web-based Distributed Authoring and Versioning (WebDAV), a set of extensions that allow users to edit and manage files on remote web servers.
CERT-In also advised the ministries on workarounds and other counter-measures.
While the Indians are clearly patting themselves on the back in this announcement, it raises the question of why the rest of the world was not told.
Siemens, unfortunately, is built upon Microsoft technology, including 'personal' versions of SQL server, in all their different names, since about 2005, or perhaps earlier. My mind's a little fuzzy. Siemens has until recently taken a rather lax attitude towards security; they are getting better, but still have some ways to go.
This particular problem arose because Siemens chose to continue using default passwords on internal databases for WinCC. Those databases contain configuration and access information for whatever industrial controls WinCC interfaces with, making it rather easy work to figure out how to cripple said controls. And the internal structure and content of WinCC databases are child's play for any decent controls engineer to unravel. I did it in less than a day with no previous experience with WinCC.
The most obvious solution is to generate instance-specific passwords, but Siemens is peopled with stubborn Germanic types, who will NEVER admit they didn't do something perfectly right the first time. Some sort of genetic problem, I guess.
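The article's point that the malware queried discovered databases with default passwords, and the commenter's proposed fix of instance-specific passwords, can be shown in a short audit-and-rotate script. This is an added example; it is not code from the article, the commenter, or Siemens. The account names, the configuration layout, and the "default" password values are constructed placeholders, not real vendor values.

```python
# Added example (not from the article or the commenter). It implements the
# control the commenter argues for: audit database accounts for a shared,
# vendor-default password and replace each one with an instance-specific
# secret. Names, layout and the "default" values are constructed placeholders.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder list of defaults. Only SHA-256 digests are kept in
# the audit logic so the script does not double as a plaintext credential list.
_KNOWN_DEFAULTS = ("VENDOR_DEFAULT_PLACEHOLDER", "changeme")
KNOWN_DEFAULT_DIGESTS = {
    hashlib.sha256(p.encode()).hexdigest() for p in _KNOWN_DEFAULTS
}


@dataclass
class DbAccount:
    instance: str   # which HMI / SCADA host this database serves (placeholder)
    user: str
    password: str


def uses_default_password(account: DbAccount) -> bool:
    """True if the account's password is one of the known vendor defaults."""
    digest = hashlib.sha256(account.password.encode()).hexdigest()
    # compare_digest keeps the comparison constant-time per candidate.
    return any(hmac.compare_digest(digest, d) for d in KNOWN_DEFAULT_DIGESTS)


def audit(accounts: list[DbAccount]) -> list[str]:
    """Return 'instance/user' labels for every account still on a default."""
    return [f"{a.instance}/{a.user}" for a in accounts if uses_default_password(a)]


def generate_instance_password(nbytes: int = 24) -> str:
    """Cryptographically random, URL-safe secret; a fresh value per call."""
    return secrets.token_urlsafe(nbytes)


def rotate_defaults(accounts: list[DbAccount]) -> list[DbAccount]:
    """Copy of the account list with every default replaced by a per-instance
    secret. Accounts already on locally set passwords are left untouched."""
    rotated = []
    for a in accounts:
        if uses_default_password(a):
            rotated.append(DbAccount(a.instance, a.user, generate_instance_password()))
        else:
            rotated.append(a)
    return rotated


# Constructed sample: three database accounts on two hosts, two of them still
# carrying the shared default that every installation would otherwise share.
SAMPLE_ACCOUNTS = [
    DbAccount("hmi-01", "config_db", "VENDOR_DEFAULT_PLACEHOLDER"),
    DbAccount("hmi-02", "config_db", "VENDOR_DEFAULT_PLACEHOLDER"),
    DbAccount("hmi-02", "historian", "Qx9!locally-set-already"),
]

if __name__ == "__main__":
    print("accounts on default passwords:", audit(SAMPLE_ACCOUNTS))
    fixed = rotate_defaults(SAMPLE_ACCOUNTS)
    print("after rotation:", audit(fixed))
    print("every instance has its own secret:",
          len({a.password for a in fixed}) == len(fixed))
```

The point of hashing the default list is only tidiness in a script that may be committed to a repository; the real value is in the rotation step, where each host ends up with a secret that a compromise of any other host does not reveal. Rotating the stored credential must, of course, be paired with updating the client components that use it, which this example does not model.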