The cybersecurity agency CISA is urging device manufacturers to stop relying on customers to change default passwords following a series of attacks targeting industrial control systems (ICS) in the water sector.
An alert released by CISA on Friday as part of its Secure by Design series recommends that manufacturers eliminate the risk associated with default passwords by implementing two principles: taking ownership of customer security outcomes, and building organizational structure and leadership to achieve such goals.
“A core tenet of secure by design is that manufacturers create safe and secure default behavior in products provided to customers,” CISA said. “The use of widely known default passwords is unacceptable given the current threat environment. Studies by CISA show that the use of default credentials, such as passwords, is a top weakness that threat actors exploit to gain access to systems, including those within U.S. critical infrastructure.”
The agency has advised manufacturers — instead of setting a single default password — to provide passwords that only work during the setup process or for a limited amount of time, and to require physical access for the initial setup.
“Additionally, manufacturers should conduct field tests to understand (1) how their customers deploy products in their unique environments and (2) whether customers are deploying products in unsafe ways,” CISA said. “Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product. It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one.”
Manufacturers can achieve these goals by ensuring that design and development teams create products with security and safety built in by default, and check whether the way customers use the product introduces any security risks.
Executives must also play a part, by ensuring that product security is improved based on how customers actually use the products, and by providing incentives for building secure products from the start of design and development.
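The setup-only, time-limited credential that CISA recommends in place of a fixed default can be sketched in code. The following is an added illustration, not code from CISA or from any device vendor; the class name, the 15-minute window and the physical-presence button are assumptions chosen for the example.

```python
"""Setup-only device credential in place of a permanent default password.
Example code, not from CISA or any vendor. Assumes a device that is
provisioned once (with an operator physically present) and then operated."""
import hashlib
import hmac
import os
import secrets

SETUP_WINDOW_SECONDS = 15 * 60  # assumed: setup code valid 15 min after boot


def _verifier(password: str, salt: bytes) -> bytes:
    # Store a PBKDF2 verifier rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAuth:
    def __init__(self, boot_time: float, physical_button_pressed: bool = False):
        self.boot_time = boot_time
        # Per-unit setup code generated at boot and shown only on the local
        # console or label; it is never the same across devices.
        self.setup_code = secrets.token_urlsafe(12)
        self.physical_presence = physical_button_pressed
        self.salt = None
        self.verifier = None  # no operator password exists until setup completes
        self.setup_done = False

    def setup_credential_valid(self, now: float) -> bool:
        # Setup code works only before initial setup, only inside the window,
        # and only when someone is physically at the device.
        return (not self.setup_done
                and now - self.boot_time <= SETUP_WINDOW_SECONDS
                and self.physical_presence)

    def complete_setup(self, setup_code: str, new_password: str, now: float) -> bool:
        if not self.setup_credential_valid(now):
            return False
        if not hmac.compare_digest(setup_code.encode(), self.setup_code.encode()):
            return False
        if len(new_password) < 12 or new_password == setup_code:
            return False  # refuse a weak password or reuse of the setup code
        self.salt = os.urandom(16)
        self.verifier = _verifier(new_password, self.salt)
        self.setup_done = True
        self.setup_code = None  # setup credential retired for good
        return True

    def login(self, password: str) -> bool:
        if not self.setup_done:
            return False  # no operational login until an operator-chosen password exists
        return hmac.compare_digest(_verifier(password, self.salt), self.verifier)
```

Because the setup code is unique per unit, expires, and is retired on first use, an internet-exposed device that was never configured offers no working credential at all.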
The alert came roughly two weeks after hackers linked to the Iranian government hijacked ICS at the Municipal Water Authority of Aliquippa in Pennsylvania and water utilities in multiple other states around the US.
The threat actors targeted internet-exposed Unitronics Vision series programmable logic controllers (PLC) and it seems that they did not need any sophisticated exploits and instead relied on the fact that the devices were protected with a weak default password.
CISA recently assigned the CVE identifier CVE-2023-6448 to the Unitronics product vulnerability — specifically the use of default administrative passwords — and a CVSS score of 9.8.