The Cybersecurity and Infrastructure Security Agency (CISA) is pushing equipment and software manufacturers to eliminate the use of default passwords in their products.
In a recent alert – titled Secure by Design Alert: How Manufacturers Can Protect Customers by Eliminating Default Passwords – CISA is advising manufacturers to take more decisive steps to defend customers by implementing two key principles: taking ownership of customer security outcomes, and creating “organizational structure and leadership to achieve these goals.”
“By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent exploitation of static default passwords in their customers’ systems,” stated the agency.
The alert comes amid reports that Islamic Revolutionary Guard Corps (IRGC)-affiliated actors have targeted critical infrastructure across the U.S. through equipment shipped with default passwords, which leave that equipment open to compromise.
“Studies by CISA show that the use of default credentials, such as passwords, is a top weakness that threat actors exploit to gain access to systems, including those within U.S. critical infrastructure,” stated CISA.
“Recent intrusions targeting programmable logic controllers (PLCs) hardcoded with a four-digit password demonstrate the significant potential for real-world harm caused by manufacturers distributing products with static default passwords,” the agency said.
“In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems,” added CISA.
The alert makes it clear that manufacturers must move to other forms of authentication and setup protection, such as phishing-resistant multifactor authentication (MFA), setup passwords that are unique to each shipped unit, and requiring physical access to the device for initial setup.
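As an added illustration, not code from CISA's alert or from any vendor, the following Python sketch shows how a manufacturer's provisioning and first-boot logic could implement two of the recommendations above: a setup password minted per unit at the factory, accepted once and only over the physically attached console, then replaced by a customer-chosen password that is itself checked against the short, static-default pattern the alert describes. The `Unit` record and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000


@dataclass
class Unit:
    """Hypothetical per-device credential record kept in the unit's flash."""
    serial: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True  # stays True until the customer finishes setup


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_unit(serial: str, length: int = 16) -> tuple[Unit, str]:
    """Factory step: mint a random setup password unique to this unit.
    Only the salted hash is stored on the device; the plaintext goes on the
    unit's label, so no two shipped units share a credential."""
    setup_pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = os.urandom(16)
    return Unit(serial, salt, _hash(setup_pw, salt)), setup_pw


def looks_like_static_default(password: str) -> bool:
    """The credential class the alert warns about: a short, all-digit code."""
    return password.isdigit() and len(password) <= 6


def first_login(unit: Unit, presented: str, new_password: str,
                local_console: bool) -> bool:
    """Initial setup: the label password is accepted once, only over the
    physically attached console, and must be replaced before access is granted."""
    if not unit.must_change or not local_console:
        return False
    if not hmac.compare_digest(_hash(presented, unit.salt), unit.pw_hash):
        return False
    if looks_like_static_default(new_password) or new_password == presented:
        return False
    unit.salt = os.urandom(16)  # re-salt so the old hash is useless afterwards
    unit.pw_hash = _hash(new_password, unit.salt)
    unit.must_change = False
    return True
```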
“Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations,” CISA said.