T0812 Default Credentials
Adversaries may leverage manufacturer- or supplier-set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices with passwords or usernames that cannot be changed. [1]
Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.
| Item | Value |
|---|---|
| ID | T0812 |
| Sub-techniques | |
| Tactics | TA0109 |
| Platforms | None |
| Version | 1.0 |
| Created | 21 May 2020 |
| Last Modified | 16 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| C0031 | Unitronics Defacement Campaign | During the Unitronics Defacement Campaign, the CyberAv3ngers discovered and exploited default credentials found on many Unitronics Programmable Logic Controller (PLC) Human-Machine Interface (HMI) devices. For many of these devices, the default password was set to ‘1111’. [2][3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0801 | Access Management | Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access. |
| M0927 | Password Policies | Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices. |
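
An added example, not part of the ATT&CK entry: one way to run the M0927 review offline by cross-referencing a vendor-default account list against an asset inventory, and to route accounts whose credentials cannot be changed to M0801 instead. The vendor, model, asset and account names, the CSV columns and the finding labels are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed vendor-default list, as compiled from manuals and advisories.
# Vendor, model and account names are hypothetical; no passwords are stored.
VENDOR_DEFAULTS = [
    {"vendor": "ExampleVendor", "model": "PLC-100", "account": "admin", "changeable": True},
    {"vendor": "ExampleVendor", "model": "PLC-100", "account": "service", "changeable": False},
    {"vendor": "OtherCo", "model": "HMI-7", "account": "operator", "changeable": True},
]

# Constructed inventory export: one row per account the site already tracks.
INVENTORY_CSV = """asset,vendor,model,account,password_changed
pump-plc-01,ExampleVendor,PLC-100,admin,yes
pump-plc-01,ExampleVendor,PLC-100,service,no
pump-plc-02,ExampleVendor,PLC-100,admin,no
lobby-hmi-01,OtherCo,HMI-7,operator,yes
"""


def audit(inventory_csv, vendor_defaults):
    """Return sorted (asset, account, finding) tuples for default accounts."""
    assets = {}   # asset -> (vendor, model)
    tracked = {}  # (asset, account) -> True if the password was changed
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        assets[row["asset"]] = (row["vendor"], row["model"])
        changed = row["password_changed"].strip().lower() == "yes"
        tracked[(row["asset"], row["account"])] = changed

    findings = []
    for asset, vendor_model in assets.items():
        for d in vendor_defaults:
            if (d["vendor"], d["model"]) != vendor_model:
                continue
            key = (asset, d["account"])
            if key not in tracked:
                # Documented by the vendor but absent from the inventory.
                findings.append((asset, d["account"], "UNTRACKED_ACCOUNT"))
            elif not d["changeable"]:
                # Fixed credential: only access management (M0801) helps.
                findings.append((asset, d["account"], "RESTRICT_ACCESS"))
            elif not tracked[key]:
                findings.append((asset, d["account"], "CHANGE_PASSWORD"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV, VENDOR_DEFAULTS):
        print(*finding)
```

The `UNTRACKED_ACCOUNT` finding is the overlooked-account case: the vendor documents the account, but the site's inventory has no record of it.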
References
1. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.
2. DHS/CISA. (2023, December 1). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Retrieved March 25, 2024.
3. DHS/CISA. (2023, November 28). Exploitation of Unitronics PLCs used in Water and Wastewater Systems. Retrieved March 25, 2024.