Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

CISA Urges Manufacturers to Eliminate Default Passwords After Recent ICS Attacks

CISA is advising device makers to stop relying on customers to change default passwords following attacks targeting water sector ICS.

The cybersecurity agency CISA is urging device manufacturers to stop relying on customers to change default passwords following a series of attacks targeting industrial control systems (ICS) in the water sector.

An alert released by CISA on Friday as part of its Secure by Design series recommends that manufacturers eliminate the risk associated with default passwords by implementing two principles: taking ownership of customer security outcomes, and building organizational structure and leadership to achieve such goals. 

“A core tenet of secure by design is that manufacturers create safe and secure default behavior in products provided to customers,” CISA said. “The use of widely known default passwords is unacceptable given the current threat environment. Studies by CISA show that the use of default credentials, such as passwords, is a top weakness that threat actors exploit to gain access to systems, including those within U.S. critical infrastructure.”

The agency has advised manufacturers — instead of setting a single default password — to provide passwords that only work during the setup process or for a limited amount of time, and to require physical access for the initial setup.

“Additionally, manufacturers should conduct field tests to understand (1) how their customers deploy products in their unique environments and (2) whether customers are deploying products in unsafe ways,” CISA said. “Analysis of these field tests will help bridge the gap between developer expectations and actual customer usage of the product. It will also help identify ways to build the product so customers will be most likely to securely use it—manufacturers should ensure that the easiest route is the secure one.”

Manufacturers can achieve these goals by ensuring that design and development teams create products with security and safety built in by default, and check whether the way customers use the product introduces any security risks. 

In addition, executives must also play a part in this, by ensuring that the security of products is improved based on how they are used by customers, and by providing incentives for creating secure products from the start of design and development.

The alert came roughly two weeks after hackers linked to the Iranian government hijacked ICS at the Municipal Water Authority of Aliquippa in Pennsylvania and water utilities in multiple other states around the US. 

Advertisement. Scroll to continue reading.

The threat actors targeted internet-exposed Unitronics Vision series programmable logic controllers (PLC) and it seems that they did not need any sophisticated exploits and instead relied on the fact that the devices were protected with a weak default password.

CISA recently assigned the CVE identifier CVE-2023-6448 to the Unitronics product vulnerability — specifically the use of default administrative passwords — and a CVSS score of 9.8. 

Related: Cyberattack on Irish Utility Cuts Off Water Supply for Two Days

Related: CISA Warns of Unitronics PLC Exploitation Following Water Utility Hack

Related: Congressmen Ask DOJ to Investigate Water Utility Hack, Warning It Could Happen Anywhere

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

ICS/OT

The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

ICS/OT

Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).

Cybercrime

Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

ICS/OT

Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...