Mirroring that stance, Grayson Milbourne, the security intelligence director at Webroot, told CSO that default passwords are a vulnerability when left on the system, and that while there should be an initial, default method to access a new device, passwords should be immediately changed after the first login.
"It shouldn't just be policy, but a required action on the part of the software once a user logs in. If default passwords remain unchanged or if they're guessable, they can be accessed and harvested through brute force attacks. The operational security for industrial systems is far behind corporate network protection, and the potential damage to our infrastructure far supersedes the damage that any one company could sustain," Milbourne said.
Kyle Adams, the Chief Software Architect for Junos WebApp Secure at Juniper Networks, told CSO that allowing default passwords to remain just isn't advisable. While guidance in a manual helps reduce the number of vulnerable installs, it still leaves room for people to make mistakes "likely leading a significant percentage of systems wide open for exploit."
"Why risk having any be open? They should just force them to set a new password on the first boot. Or at the very least, have it generate a random password when it first installs and display that password to the installer."
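Both suggestions above (Milbourne's "required action on the part of the software once a user logs in" and Adams's per-install random password) can be combined in one bootstrap flow. The block below is an added illustration, not code from CSO, Webroot, Juniper or any ICS vendor: the device is provisioned with a random password that is shown to the installer exactly once, every login with that bootstrap credential is answered with a forced password change rather than access, and the replacement is rejected if it matches a constructed list of well-known factory defaults. The account class, the default list and the length threshold are assumptions chosen for the example.

```python
"""Added example: first-login credential bootstrap for a device or appliance.

Demonstrates, in a self-contained form, the two controls discussed above:
  1. no fixed factory password: a random per-install password is generated
     and returned once to the installer;
  2. the software, not policy, enforces the change: any login with the
     bootstrap password yields "must_change" instead of a session.
"""
import hashlib
import hmac
import os
import secrets

# Constructed list of common factory defaults (assumption for this example).
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "default", "root"}
MIN_LENGTH = 12          # assumed minimum for the replacement password
PBKDF2_ROUNDS = 100_000  # deliberately slow hash to blunt offline guessing


class Account:
    """Minimal credential record for one local user (assumed structure)."""

    def __init__(self, username: str) -> None:
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = b""
        self.must_change = True  # set until the bootstrap password is replaced


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify(acct: Account, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored hash."""
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def provision(username: str) -> tuple[Account, str]:
    """Create the account with a random bootstrap password.

    The plaintext is returned exactly once so the installer can display it;
    only the salted hash is kept, and must_change stays True.
    """
    acct = Account(username)
    bootstrap = secrets.token_urlsafe(16)  # ~128 bits of randomness
    acct.pw_hash = _hash(bootstrap, acct.salt)
    return acct, bootstrap


def login(acct: Account, password: str) -> str:
    """Return "denied", "must_change" or "ok".

    A correct bootstrap password never yields a session: the caller has to
    route the user into change_password() first.
    """
    if not verify(acct, password):
        return "denied"
    if acct.must_change:
        return "must_change"
    return "ok"


def change_password(acct: Account, current: str, new: str) -> bool:
    """Replace the password; reject known defaults, short or unchanged values."""
    if not verify(acct, current):
        return False
    if new.lower() in KNOWN_DEFAULTS or len(new) < MIN_LENGTH or new == current:
        return False
    acct.salt = os.urandom(16)  # fresh salt so the old hash is useless
    acct.pw_hash = _hash(new, acct.salt)
    acct.must_change = False
    return True


if __name__ == "__main__":
    acct, bootstrap = provision("admin")
    print("bootstrap password (show once to installer):", bootstrap)
    print("login with bootstrap ->", login(acct, bootstrap))       # must_change
    print("change to 'admin' ->", change_password(acct, bootstrap, "admin"))
    print("change to strong ->", change_password(acct, bootstrap, "Turbine-Relay-7731-Ok"))
    print("login with old bootstrap ->", login(acct, bootstrap))   # denied
```

The point of returning "must_change" rather than a session is that the enforcement lives in the authentication path itself: a device whose installer never reads the manual still cannot be operated on the bootstrap credential, and a harvested default-password list is of no use because every unit ships with a different random value.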
CSO encourages you to weigh in on this topic: leave a comment below telling us why you agree, or disagree, with the stance taken by ICS-CERT. Is documentation enough, or should there be additional processes?
The sources contacted for this article who were able to respond on the record by deadline all agreed that default passwords are an issue in their own right and need to be dealt with. Those who spoke on background still disagreed with ICS-CERT, so we'd be interested in hearing from the other side of that argument. Is there anyone who thinks default passwords are not a vulnerability?