December 18, 2023 at 11:09AM
The cybersecurity agency CISA advises manufacturers to stop shipping industrial control systems (ICS) with default passwords, prompted by recent attacks on the water sector. It recommends implementing safe default behavior, eliminating widely known default passwords, and conducting field tests to confirm that products are used securely. Executives are urged to drive security improvement and to offer incentives for building secure products.
The meeting notes make clear that CISA is strongly urging device manufacturers to stop relying on customers to change default passwords, especially in the wake of recent attacks targeting industrial control systems (ICS) in the water sector. CISA recommends that manufacturers take ownership of customer security outcomes and build the organizational structure and leadership needed to reach those security goals. It emphasizes creating safe and secure default behavior in the products provided to customers, stating that the use of widely known default passwords is unacceptable given the current threat environment.
Furthermore, CISA advises manufacturers to provide passwords that only work during the setup process or for a limited amount of time, requiring physical access for the initial setup. They also stress the importance of conducting field tests to understand how customers deploy products in their unique environments and whether they are doing so in safe ways.
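The setup-only credential described above can be modelled directly in firmware logic. The following is an added example written for this summary, not code from CISA or from any vendor: a device ships with a per-unit setup token instead of a shared default password, the token is accepted only on the local console, it expires a fixed time after first power-on, and it is destroyed the moment the operator sets a real password. The window length, minimum password length, class and method names are all assumptions made for the example.

```python
"""Added example (not vendor or CISA code): a time-limited, physical-access-only
setup credential that replaces a shipped default password on an embedded device.
Policy values and names below are assumptions for illustration."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed policy values for the example, not taken from the CISA guidance.
SETUP_WINDOW_SECONDS = 15 * 60   # setup token stops working 15 min after first boot
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so neither token nor password is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Credential state for one device.

    The unit ships with no usable administrative password. Instead it carries a
    per-device setup token (assumed to be generated at manufacture and printed on
    the unit label) that:
      * is accepted only on the local console, never over a network session,
      * stops working SETUP_WINDOW_SECONDS after first power-on,
      * is good for one thing only: setting a real operator password,
      * is invalidated as soon as that password is set.
    """

    def __init__(self, setup_token: str, now: float) -> None:
        self._salt = secrets.token_bytes(16)
        self._setup_digest: Optional[bytes] = _derive(setup_token, self._salt)
        self._setup_expires_at = now + SETUP_WINDOW_SECONDS
        self._operator_digest: Optional[bytes] = None
        self._setup_session = False   # set after a successful setup-token login

    def authenticate(self, password: str, now: float, local_console: bool) -> str:
        """Return 'ok', 'setup-required', 'setup-expired' or 'rejected'."""
        digest = _derive(password, self._salt)
        # Normal operation: only the operator-chosen password is accepted.
        if self._operator_digest is not None:
            if hmac.compare_digest(digest, self._operator_digest):
                return "ok"
            return "rejected"
        # Setup phase: only the setup token, only locally, only inside the window.
        if self._setup_digest is None or not local_console:
            return "rejected"
        if not hmac.compare_digest(digest, self._setup_digest):
            return "rejected"
        if now > self._setup_expires_at:
            return "setup-expired"   # unit needs a factory reset for a fresh window
        self._setup_session = True
        return "setup-required"

    def set_password(self, new_password: str, now: float) -> bool:
        """Replace the setup token with an operator-chosen password."""
        if not self._setup_session or now > self._setup_expires_at:
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        # Refuse to carry the setup token forward as the permanent password.
        if self._setup_digest is not None and hmac.compare_digest(
            _derive(new_password, self._salt), self._setup_digest
        ):
            return False
        self._operator_digest = _derive(new_password, self._salt)
        self._setup_digest = None    # the setup token can never be used again
        self._setup_session = False
        return True


if __name__ == "__main__":
    # Constructed walk-through with a made-up token and a fake clock.
    dev = DeviceAuth("EXAMPLE-SETUP-TOKEN-0001", now=0.0)
    print(dev.authenticate("EXAMPLE-SETUP-TOKEN-0001", now=60.0, local_console=False))
    print(dev.authenticate("EXAMPLE-SETUP-TOKEN-0001", now=60.0, local_console=True))
    print(dev.set_password("correct horse battery staple", now=60.0))
    print(dev.authenticate("correct horse battery staple", now=5000.0, local_console=False))
```

The design choice worth noting is that the setup token has no value after commissioning: a unit found on the network with its factory credential still valid cannot exist, because the token either expired, was consumed by `set_password`, or is only reachable from the physical console. Field testing, as CISA recommends, would confirm that operators actually complete this flow rather than leaving units in the setup phase.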
Manufacturers are encouraged to ensure that design and development teams create products with security and safety built in by default and to check whether the way customers use the product introduces any security risks. Additionally, executives must play a role in improving the security of products based on customer usage and providing incentives for creating secure products from the start of design and development.
The urgency of these recommendations is highlighted by recent cyberattacks targeting water utilities in the US, where threat actors were able to exploit weak default passwords to hijack industrial control systems. In one instance, CISA assigned a CVE identifier and a CVSS score to a product vulnerability related to the use of default administrative passwords.
Overall, the meeting notes underscore the gravity of the situation and emphasize the need for swift action and collaboration among manufacturers, developers, and executives to address the vulnerabilities associated with default passwords and enhance the security of industrial control systems.