Skip to content

T0892 Change Credential

Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.

An adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device’s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions.

Additionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.

A chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. 1

Item Value
ID T0892
Sub-techniques
Tactics TA0107
Platforms Field Controller/RTU/PLC/IED
Version 1.0
Created 30 March 2023
Last Modified 07 April 2023

Mitigations

ID Mitigation Description
M0953 Data Backup Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans 4, including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.
M0927 Password Policies Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.2
M0811 Redundancy of Service Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. 3

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content
DS0040 Operational Databases Device Alarm

References