CISA’s message: Manufacturers, wave goodbye to default passwords.

December 18, 2023

The US Cybersecurity and Infrastructure Security Agency (CISA) has called for more stringent password practices in the tech manufacturing industry in an effort to mitigate cyber threats. The agency has highlighted the considerable risks posed by default passwords, a commonly exploited vulnerability amongst operational technology devices. Specifically:

  • CISA has spotlighted recent cyber incidents involving Iranian threat actors associated with the Islamic Revolutionary Guard Corps. They illicitly accessed U.S. infrastructure systems by using default passwords.
  • Default passwords are often identical across a manufacturer’s product line and publicly documented. This makes them easy targets for threat actors. By using online tools, cybercriminals can locate and infiltrate internet-exposed endpoints via default passwords, often obtaining admin privileges.

To combat these threats, CISA is urging manufacturers to implement design principles that prioritize security. Practical measures include unique setup passwords and default password deactivation after a set period. The agency also encourages enabling phishing-resistant multi-factor authentication. Manufacturers are advised to understand their products’ deployment in real-world contexts through field testing, to identify potential risks and align developer expectations with customer usage.
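The two password measures above, sketched as device-side logic. This is an added example, not code from CISA or from the original article; `Device`, `provision`, the 24-hour window and the 12-character minimum are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SETUP_WINDOW = 24 * 3600  # assumed "set period" in seconds; the article names no figure


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Credential state for one shipped unit (hypothetical model)."""

    def __init__(self, setup_password, first_boot):
        self.salt = secrets.token_bytes(16)
        self.setup_hash = _digest(setup_password, self.salt)  # only the hash is stored
        self.setup_expires = first_boot + SETUP_WINDOW
        self.admin_hash = None

    def login(self, password, now):
        candidate = _digest(password, self.salt)
        if self.admin_hash is not None:
            ok = hmac.compare_digest(candidate, self.admin_hash)
            return "ok" if ok else "denied"
        if self.setup_hash is None or now >= self.setup_expires:
            self.setup_hash = None  # window closed: assume a physical reset is needed
            return "denied"
        if hmac.compare_digest(candidate, self.setup_hash):
            return "must_set_password"  # grants the password-change step only
        return "denied"

    def set_admin_password(self, setup_password, new_password, now):
        if self.login(setup_password, now) != "must_set_password":
            return False
        if len(new_password) < 12 or new_password == setup_password:
            return False
        self.admin_hash = _digest(new_password, self.salt)
        self.setup_hash = None  # setup credential is deactivated for good
        return True


def provision(first_boot):
    """Factory step: a random setup password per unit, e.g. printed on its label."""
    setup_password = secrets.token_urlsafe(12)
    return Device(setup_password, first_boot), setup_password
```

The setup password never grants an admin session: it only unlocks the step that replaces it, and it stops working once replaced or once the window closes.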

CISA has recently released a separate advisory in collaboration with multiple security agencies, including the FBI, NSA, and the UK’s National Cyber Security Centre (NCSC). The advisory warns of large-scale exploitation of CVE-2023-42793 by the Russian Foreign Intelligence Service (SVR). This follows a UK warning earlier this month that Russia’s Security Service, the FSB, has been conducting cyber campaigns targeting politicians and public figures. The number of cyberattacks is expected to increase, especially ahead of Western elections next year.

Improving open-source software management processes is another focus for CISA, NSA, and the Office of the Director of National Intelligence (ODNI). They advise organizations that use open-source software to adopt consistent, secure-by-design management practices to reduce vulnerability to known exploits.
