As part of CISA’s new Security by Design (SbD) Alert series, the agency published guidance on how manufacturers can protect customers by eliminating default passwords. The development comes after CISA sent out an alert earlier this month, stating Iranian actors affiliated with the Islamic Revolutionary Guard Corps have been actively exploiting operational technology devices with default passwords to gain access to critical infrastructure systems in the U.S.

CISA urges manufacturers to get rid of these default passwords on internet-exposed systems to prevent actors from using the credentials to gain initial access to and move laterally within organizations. According to CISA, factory default software configurations for embedded systems, devices, and appliances often include publicly documented passwords. Although these default passwords are intended for initial testing, installation, and configuration operations, many organizations tend to leave them unchanged, enabling actors to use tools like Shodan to scan for internet-exposed endpoints and breach them using these default credentials. Manufacturers should change default passwords before deploying any of their systems in a production environment. Using unique credentials and rotating these passwords regularly can prevent actors from gaining access to systems. It’s also important to enable multifactor authentication, when possible, as this adds an additional layer of defense that an actor must get through. Read more at the Hacker News