The US Cybersecurity and Infrastructure Security Agency (CISA) is urging technology manufacturers to enhance their security measures by eliminating default passwords in their products. This is crucial in preventing malicious cyber actors from exploiting these passwords to gain unauthorized access to organizations and compromise critical infrastructures in the US.

Description

CISA advises manufacturers to take ownership of customer security outcomes and to establish the organizational structure and leadership needed to achieve them [3] [4]. By applying these principles, manufacturers can prevent the exploitation of static default passwords in customers’ systems [3] [4] [5]. Default passwords are a frequent target of malicious cyber actors [2] [5], including IRGC-affiliated groups [5]. To address this, CISA recommends either a unique setup password for each individual product or a temporary setup password that becomes invalid once configuration is complete [2] [5]. The agency stresses the exposure created by default passwords and urges manufacturers to adopt alternative password protection technologies such as multifactor authentication and unique setup passwords [3]. Relying on customers to change their passwords is insufficient [3]; concerted action by technology manufacturers is needed to address the severe risks faced by critical infrastructure organizations [3].
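The two alternatives CISA recommends above (a per-unit setup password, or a temporary one that stops working after configuration) can be combined in one device-side credential lifecycle. The following is an added illustration written for this page, not code from CISA or from any manufacturer; the class name, the 24-hour setup window and the minimum owner password length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

STATIC_DEFAULT = "admin"  # the shared, documented-in-the-manual pattern CISA wants removed


class SetupCredentialManager:
    """Hypothetical device credential lifecycle: a random per-unit setup password is
    issued at the factory, accepted only until configuration completes (or a TTL
    elapses), and then permanently retired in favour of an owner-chosen password."""

    def __init__(self, setup_ttl_seconds: int = 24 * 3600):
        self._ttl = setup_ttl_seconds            # assumed: setup window of one day
        self._setup_hash = self._setup_salt = None
        self._owner_hash = self._owner_salt = None
        self._issued_at = None
        self._configured = False

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Store only a salted PBKDF2 digest, never the setup or owner password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def provision(self, now: int) -> str:
        """Factory step: generate a unique setup password for this one unit.
        It is returned exactly once (e.g. to print on the unit's label)."""
        setup_pw = secrets.token_urlsafe(12)     # CSPRNG, unique per unit, not shared
        self._setup_salt = secrets.token_bytes(16)
        self._setup_hash = self._hash(setup_pw, self._setup_salt)
        self._issued_at = now
        return setup_pw

    def setup_login(self, candidate: str, now: int) -> bool:
        """Setup credential is valid only before configuration and within the TTL."""
        if self._configured or self._setup_hash is None or now - self._issued_at > self._ttl:
            return False
        return hmac.compare_digest(self._hash(candidate, self._setup_salt), self._setup_hash)

    def complete_setup(self, setup_pw: str, new_owner_pw: str, now: int) -> bool:
        """Owner finishes configuration; the setup password is retired in the same step."""
        if not self.setup_login(setup_pw, now):
            return False
        if len(new_owner_pw) < 12 or new_owner_pw == STATIC_DEFAULT:  # assumed policy
            return False
        self._owner_salt = secrets.token_bytes(16)
        self._owner_hash = self._hash(new_owner_pw, self._owner_salt)
        self._setup_hash = self._setup_salt = None  # setup credential is now obsolete
        self._configured = True
        return True

    def owner_login(self, candidate: str) -> bool:
        if not self._configured:
            return False
        return hmac.compare_digest(self._hash(candidate, self._owner_salt), self._owner_hash)
```

The key property to check in a review is that no code path accepts the setup password once `complete_setup` has succeeded, and that two units never share a setup password.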

CISA is committed to prioritizing cybersecurity throughout the manufacturing chain and plans to publish further alerts focused on secure-by-design outcomes for the technology industry. Separately, CISA has released a new advisory outlining security countermeasures that healthcare and critical infrastructure entities can use to protect against malicious activity and reduce the risk of domain compromise [6]. Recent cyber attacks targeting critical infrastructure in Israel have been attributed by the Israel National Cyber Directorate (INCD) to a Lebanese threat actor with connections to the Iranian Ministry of Intelligence. CISA encourages technology manufacturers to read and implement the guidance to reduce harm globally [4].

Conclusion

By following CISA’s guidance, manufacturers can protect customers by providing secure passwords and reducing the likelihood of unauthorized access. The elimination of default passwords and the adoption of alternative password protection technologies are crucial steps in mitigating the risks faced by critical infrastructure organizations. CISA’s efforts align with their goal of improving cybersecurity and protecting against potential vulnerabilities in software products [1]. It is essential for technology manufacturers to prioritize security measures and collaborate with CISA to ensure a safer digital environment.

References

[1] https://insidecybersecurity.com/daily-news/cisa-issues-secure-design-alert-manufacturers-eliminating-default-passwords
[2] https://www.bitdefender.com/blog/hotforsecurity/cisa-urges-tech-sector-to-move-beyond-default-passwords/
[3] https://www.meritalk.com/articles/cisa-tells-manufacturers-to-eliminate-default-passwords/
[4] https://www.cisa.gov/news-events/alerts/2023/12/15/cisa-secure-design-alert-urges-manufacturers-eliminate-default-passwords
[5] https://www.techspot.com/news/101242-tech-manufacturers-must-eliminate-default-passwords-cyberdefense-agency.html
[6] https://thehackernews.com/2023/12/cisa-urges-manufacturers-eliminate.html