CISA Urges Manufacturers and Vendors to Eliminate Default Passwords for Cybersecurity

Source: The Hacker News
TL;DR Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to eliminate default passwords on internet-exposed systems due to the severe risks they pose. Iranian threat actors have been exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S. Default passwords make systems easy targets for adversaries, who can gain root or administrative privileges. Manufacturers are advised to follow secure by design principles, provide unique setup passwords, disable default passwords after a preset time period, and require multi-factor authentication. The disclosure comes amidst ongoing cyber attacks targeting critical infrastructure, and CISA has released a new advisory outlining security countermeasures for healthcare and critical infrastructure entities. The U.S. National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA have also published recommended practices to improve the safety of open-source software management processes.
