Easily guessed default passwords can be a malicious hackers’ easiest way to infiltrate a target. And all too often, according to research released Wednesday, operators of critical infrastructure companies aren’t updating off-the-shelf security credentials in internet devices connected to industrial systems.
“We’re seeing a lot of the ‘admin1234,’ meaning that [hackers are] still going to be using default credentials in hopes that no one is changing the credentials for IoT devices — which is pretty accurate,” said Roya Gordon, security research evangelist at Nozomi Networks, a cybersecurity firm that specializes in industrial security.
The lack of the most basic security precaution is especially alarming in critical infrastructure. These organizations operate chemical plants, pipelines, utilities, hospitals and other industries that support essential functions of daily life.
Critical infrastructure cybersecurity has become such a concern in the U.S. that the Biden administration has made it a top national security priority. The White House is expected to release an updated national cybersecurity strategy in the coming weeks and the administration is likely to call for mandatory cybersecurity rules for particularly vulnerable industries, according to The Washington Post.
While much of the critical infrastructure that is owned and operated by the private sector is not heavily regulated for cybersecurity, calls for tougher mandates have grown in recent years following digital assaults such as the Colonial Pipeline ransomware attack.