The US Cybersecurity and Infrastructure Security Agency (CISA) is urging technology manufacturers to eliminate default passwords from their products, as they pose a significant security risk. This call comes in the wake of several critical incidents where hardcoded defaults were exploited by threat actors, resulting in severe infrastructure damage. One example is the recent sabotage of water facilities in the US by Iranian threat actors, which was facilitated by widely known and easily accessible default passwords in programmable logic controllers (PLCs).
CISA has proposed a two-part strategy to mitigate these threats:
- First, tech manufacturers should take accountability for customers’ security by offering instance-unique or time-limited setup passwords and mandating multi-factor authentication (MFA) following completion of the setup process.
- Second, manufacturers should enhance organizational structure and leadership to embed secure-by-design principles into their product development process, ensure their teams understand the implications of product configurations on security, promote customer feedback, incentivize security measures, and allocate adequate resources to improve cyber risk management.
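The first recommendation can be sketched in code. This is an added example, not code from CISA or from the original article: it shows a setup password that is unique per unit, time-limited, single-use, and followed by a state in which MFA enrollment is required. The `Device` class, the state names and the 15-minute window are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SETUP_TTL_SECONDS = 15 * 60  # assumed validity window for the setup password


class Device:
    """Hypothetical first-boot credential store for one shipped unit."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._salt = b""
        self._hash = None
        self._expires = 0.0
        self.state = "unprovisioned"  # -> "setup_pending" -> "mfa_required"

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def issue_setup_password(self):
        """Generate a random password for this unit only; keep just its hash."""
        password = secrets.token_urlsafe(16)   # 128 bits, never shared across units
        self._salt = secrets.token_bytes(16)
        self._hash = self._digest(password)
        self._expires = self._now() + SETUP_TTL_SECONDS
        self.state = "setup_pending"
        return password  # shown once to the installer, not stored in clear

    def login_with_setup_password(self, attempt):
        if self.state != "setup_pending" or self._hash is None:
            return False
        if self._now() >= self._expires:
            # Time-limited: an expired password is discarded and must be reissued.
            self._hash = None
            self.state = "unprovisioned"
            return False
        # Constant-time comparison avoids leaking how much of the guess matched.
        if not hmac.compare_digest(self._digest(attempt), self._hash):
            return False
        self._hash = None            # single use: the setup password is burned
        self.state = "mfa_required"  # no further access until MFA is enrolled
        return True
```
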
The agency emphasized that expecting customers to change defaults has proven to be an inadequate measure, and urged manufacturers to take concerted action to lessen the risks faced by critical infrastructure organizations. The need for stringent cybersecurity measures, as stressed by CISA, becomes clear as critical infrastructure around the world is increasingly targeted by cyber attacks.
This call to action is in line with the broader global push for improved security measures amid growing cyber threats. The elimination of default passwords not only reduces the risk of unauthorized access, but also makes it more difficult for attackers to exploit other vulnerabilities within the system. Efforts in this direction could prove instrumental in protecting critical infrastructure and mitigating potential cyber threats.