New CISA alert urges manufacturers to eliminate default passwords, strengthen cybersecurity principles

As part of its new Secure by Design (SbD) Alert series, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published guidance on How Manufacturers Can Protect Customers by Eliminating Default Passwords. The SbD Alert urges technology manufacturers to proactively eliminate the risk of default password exploitation by implementing principles one and three of the joint guidance, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software’: taking ownership of customer security outcomes, and building the organizational structure and leadership needed to achieve these goals.

By implementing these two principles in their design, development, and delivery processes, software manufacturers will prevent the exploitation of static default passwords in their customers’ systems. CISA urges technology manufacturers to read and implement the guidance in this second SbD Alert in its new series that focuses on how vendor decisions can reduce harm on a global scale. The move also enables manufacturers to protect customers by eliminating default passwords. 

Malicious hackers continue to exploit default passwords, such as 1234, default, and password on internet-exposed systems to gain initial access to and move laterally within organizations. Hackers, including Islamic Revolutionary Guard Corps (IRGC)-affiliated hackers, have been successful in compromising critical infrastructure systems in the U.S. by exploiting operational technology (OT) products sold by manufacturers with passwords set to a static default. 

“CISA is releasing this Alert—based upon recent and ongoing threat activity—to urge every technology manufacturer to eliminate default passwords in the design, release, and update of all products,” the guidance disclosed. “Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations.”

A core tenet of secure by design is that manufacturers create safe and secure default behavior in products provided to customers. The use of widely known default passwords is unacceptable given the current threat environment. 

Studies by CISA show that the use of default credentials, such as passwords, is a top weakness that threat actors exploit to gain access to systems, including those within U.S. critical infrastructure.

Recent intrusions targeting programmable logic controllers (PLCs) hardcoded with a four-digit password demonstrate the significant potential for real-world harm caused by manufacturers distributing products with static default passwords. In these attacks, the default password was widely known and publicized on open forums where threat actors are known to mine intelligence for use in breaching U.S. systems. 

The advisory disclosed that IRGC-affiliated hackers used the default password to access systems that provide critical services to communities across the country. CISA encourages manufacturers to learn from these compromises by reviewing Principles 1 and 3 of the joint guidance, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.’ 

Principle 1 focuses on key security areas manufacturers should invest in to protect public safety and health. These areas include setting default configurations so that products are secure against reasonably foreseeable threats, such as threat actors looking up a default password on the public internet and testing it against internet-exposed devices. 

For example, instead of shipping a single default password in every version of a product, manufacturers could provide instance-unique setup passwords with the product; provide time-limited setup passwords that disable themselves once the setup process is complete and require activation of more secure authentication approaches, such as phishing-resistant MFA; or require physical access for initial setup and the specification of instance-unique credentials.

The principle’s goal is to create enduring security for the long-term administration of products, starting with the installation process. Manufacturers should not assume that users know they must disable insecure default configurations. Instead, manufacturers should follow the above alternatives or design their setup flow to secure their products, rather than putting the burden of secure configuration on customers.
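To make the alternatives above concrete, here is an added illustration (not code from CISA or any vendor) of a first-boot flow for a hypothetical device: each unit gets its own randomly generated setup password, that password expires after a time limit or once it is used, and it can only be exchanged for an operator-chosen credential that is checked against the weak examples the alert names. The 15-minute limit and 12-character minimum are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this illustration (not from the CISA alert)
SETUP_TTL_SECONDS = 15 * 60
WEAK_PASSWORDS = {"1234", "default", "password"}  # examples named in the alert


class DeviceSetup:
    """First-boot credential flow for a hypothetical device: no shared default."""

    def __init__(self, now=time.time):
        self._now = now
        # Instance-unique setup password, generated per unit (e.g. printed on the label)
        self.setup_password = secrets.token_urlsafe(12)
        self._setup_created = now()
        self._admin_salt = None   # set only once an operator-chosen credential exists
        self._admin_digest = None

    def setup_active(self):
        """Setup password is usable only until it is consumed or its time limit passes."""
        if self._admin_digest is not None:
            return False
        return self._now() - self._setup_created < SETUP_TTL_SECONDS

    def complete_setup(self, setup_password, new_admin_password):
        """Exchange the one-time setup password for a hashed, operator-chosen credential."""
        if not self.setup_active():
            return False
        if not hmac.compare_digest(setup_password.encode(), self.setup_password.encode()):
            return False
        if len(new_admin_password) < 12 or new_admin_password.lower() in WEAK_PASSWORDS:
            return False
        self._admin_salt = secrets.token_bytes(16)
        self._admin_digest = hashlib.pbkdf2_hmac(
            "sha256", new_admin_password.encode(), self._admin_salt, 200_000)
        return True

    def authenticate(self, password):
        """Operational login; refuses everything until setup has been completed."""
        if self._admin_digest is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._admin_salt, 200_000)
        return hmac.compare_digest(digest, self._admin_digest)
```

The setup password is never a login credential: until an operator sets their own, `authenticate` rejects everything, and once setup is done the setup password is dead.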

Additionally, manufacturers should conduct field tests to understand how their customers deploy products in their unique environments and whether customers are deploying products in unsafe ways. Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product. It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one.

The advisory also urged manufacturers to ensure that business units that own the design, development, and delivery of products and services understand that cybersecurity issues are, at their core, product and public safety issues and should be treated as such. Manufacturers should ensure that design and development teams engineer products with security and safety built-in by default. Design, development, and delivery teams should prioritize understanding research on how real customers use product configurations and how those configuration choices, in turn, create or mitigate cybersecurity risks. 

It added that executive leadership can ensure that feedback on how customers use products meaningfully informs product changes to create safe defaults that reduce risk. Executive leadership should also build the incentive structures within the business—especially at the inception of product design and development—and allocate appropriate resources to their design, development, and delivery teams to enable these outcomes. 

CISA underlined that ‘although this Secure by Design Alert focuses on avoiding the use of default passwords, it is just one part of a more comprehensive set of secure by design practices.’

It added that to protect their customers from a wide range of malicious cyber activity, manufacturers should adopt the principles outlined in Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. Further, CISA urges manufacturers to publish their secure-by-design roadmap to demonstrate that they are not simply implementing tactical controls but are strategically rethinking their responsibility to keep customers safe. 

Last month, CISA published its initial publication in the SbD Alert series, which focuses on malicious cyber activity against web management interfaces. It highlights how customers would be better shielded from malicious cyber activity targeting these systems if manufacturers implemented security best practices, eliminated repeat classes of vulnerabilities in their products, and aligned their work to SbD principles.
