October is Cybersecurity Awareness Month. The next few weeks is a time dedicated to deepen our understanding of current risks in our environment and also to share the daily actions you can take to reduce risks when online. One of the core tips from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is to protect your environment is the Use of Strong Passwords
Aimed at the general public, CISA reminds folks to create long, random, unique passwords with a password manager to strengthen your accounts and make it harder for hackers and phishing attacks to get past. Passwords such as ‘password’, ‘12345’, or even your birthday are not safe enough, and can be easy to guess by malicious people looking to break into your accounts. Therefore, CISA gives us these helpful steps to make sure your password is strong enough:
CISA recommends creating and storing strong passwords with the help of a "password manager" to keep track of each one. These long strings of numbers and letters are near impossible to guess and can prevent people from stealing information and data.
Does password management matter in OT?
Absolutely. While these tips are great for the general public to protect bank accounts, and other pieces of personal information, they can also be helpful when reviewing your business’s OT environment. These protections are pretty embedded in IT culture, but in OT, cyber systems in the operational environments may not be managed as closely and regularly.
Attacks on Operational Technology (OT) and critical infrastructure have increasingly targeted weak or compromised passwords as an entry point. While these systems were once more isolated from the internet, they are now more connected through IT-OT integration, making password-based vulnerabilities a key risk. For example, in the Oldsmar, Florida water treatment facility attack in 2021, the attackers used compromised credentials to remotely access a system controlling water treatment processes.
At Industrial Defender, we believe password upkeep is just a part of daily OT Asset Management responsibilities. A key aspect of OT asset management is maintaining a comprehensive inventory of all devices within the network WITH on-going monitoring of the granular configuration details for these assets and their software. For example, when new customers implement Industrial Defender to improving understanding and monitoring of their OT environments, not only do they get a rich inventory, one of the first initial findings remediated are all the devices’ user accounts and their password configurations that do not meet their password policies, such as password complexity or age. Related, Industrial Defender monitoring will also show failed logins that could be indicative of suspicious adversarial activity. Passwords of course are just a small slice of data amongst all the hardware, software and firmware configuration details as well as logging data. However it should be part of a broader strategy to harden and monitor OT security.
So similar to the general password tips shared by CISA, leading OT security frameworks like NERC CIP and IEC/ISA 62443 echo strong password management practices, emphasizing unique user accounts, password complexity, regular password changes, and multi-factor authentication for higher-risk systems.Taking daily actions to protect your environment should not be exclusive to IT circumstances, rather we should be doing more day-to-day to safeguard against suspicious activity. If you're having trouble keeping up with everything going on in your OT environment, Industrial Defender may be the OT security you've been looking for.
For more on monitoring password use as part of your greater OT asset management practice, visit: https://www.industrialdefender.com/solutions/ot-asset-management
