Free Republic

To: SeekAndFind
Cluley told the Guardian that Siemens has “astonishingly” advised power plants and manufacturing facilities not to change the default password that allows access to functions, despite it being exploited by Stuxnet and being “public knowledge on the web for years”.

I can’t imagine why they’d do that unless Siemens itself is part of this or is under heavy pressure from the German government to cooperate.

The password in question is the database access password used by the SCADA software. It cannot be changed without a software update apparently. Just bad design, not nefarious pressure. From Siemens' website:

The user login and the password for WinCC are freely definable and have nothing to do with access to the internal database. The internal system authentication from WinCC to the Microsoft SQL database is based on pre-defined access data. This data is not visible for the customer and is used as an internal system mechanism for communication between the WinCC system components and the database. Changing the access data would impede communication between WinCC and the database and is therefore not recommended. Tightening up authentication procedures is being examined.

The other thing about this article that I think is wrong is that the certificate stolen from Realtek would have been used to sign software executables to hide them from Windows and from scanning software by making it look like a legitimate driver or application from Realtek.

18 posted on 11/27/2010 10:01:14 PM PST by Dan Cooper


To: Dan Cooper
The password in question is the database access password used by the SCADA software. It cannot be changed without a software update apparently. Just bad design, not nefarious pressure.

I suspected as much when I first read the article. Thanks for the confirmation.

21 posted on 11/28/2010 2:10:26 AM PST by Washi



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson