The US Cybersecurity and Infrastructure Security Agency (CISA) has published a two-point plan urging technology manufacturers to get rid of default passwords in their products.
The agency claimed in its latest Secure by Design Alert, How Manufacturers Can Protect Customers by Eliminating Default Passwords, that default static credentials like passwords represent a serious security weakness, especially in critical infrastructure.
It cited a recent incident in which programmable logic controllers (PLCs) were compromised by Iranian threat actors to sabotage several water facilities in the US.
“Recent intrusions targeting programmable logic controllers (PLCs) hardcoded with a four-digit password demonstrate the significant potential for real-world harm caused by manufacturers distributing products with static default passwords,” CISA argued.
“In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching US systems. IRGC-affiliated actors easily used the default password to access systems that provide critical services to communities across the country.”
Read more on default passwords: NCSC Urges UK Water Companies to Secure Control Systems
To reduce the risk of exploitation, tech manufacturers were urged to adopt a two-point plan:
- Take ownership of customer security outcomes by providing “instance-unique” setup passwords, or requiring physical access for initial setup. They could also offer “time-limited” setup passwords that disable once the process is complete and then require multi-factor authentication (MFA)
- Build organizational structure and leadership to achieve these goals, by ensuring design and development teams engineer products according to secure-by-design principles, and understand how customers use product configurations and how these choices may create or mitigate security risks. Executives should ensure customer feedback informs this process, build incentives into the business and allocate sufficient resources to make this happen
“Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations,” said CISA.