
Like an AV Bridge Over Troubled Water, These Cybersecurity Guidelines Will Ease Your Mind


Back in 2021, I wrote a rAVe column entitled “SecuringAV: The Remote Desktop Attack on a Florida Water Treatment Plant.” In this article, I talked about the different forms of infrastructure being targeted by cyberattacks, and connected the attack on the water treatment plant to similar vulnerabilities in AV systems. I also shared some lessons learned from the attack with our readers, about the human element.

Since then, a number of water treatment facilities have been victims of cyberattacks, many of them sharing the same devices, with the same vulnerabilities, making it rather easy for the attackers.

“Following a recent cyberattack at a Pennsylvania water utility, federal officials have confirmed that multiple additional water utilities in the US running the same industrial equipment have been breached by hackers […] at ‘less than 10’ water facilities in different parts of the US […]. In each case, the equipment targeted was the same […] likely by breaking into internet-connected devices with default passwords.”

Wait a second, changing the devices’ default passwords … I think I read about that somewhere on rAVe [PUBS] …

Jan. 26, 2016, Leonard Suskin, “That AMX Backdoor”

“How many installed processors are out in the wild with the admin passwords still set to the factory default?”

Nov. 4, 2016, Scott Tiner, “Security Wake-Up Call”

“Are all the default passwords changed?”

Dec. 2, 2016, Hope Roth, “Practicing Safe Automation”

“Don’t use default passwords.”

Fast forward five years later. In 2021, Scott Tiner, again, in “Lessons From the SolarWinds Hack,” said, “I sure hope that integrators/programmers and installers have always followed rules about passwords, like changing the default, not using the same one across different customers, safely storing them in a password safe, etc.”

Then, just a few months ago, in December of 2023, I discussed the need for using unique passwords in “Highlights From Cybersecurity and Infrastructure Security Agency’s Cybersecurity Advisory.”

Avoid Reusing Passwords

Earlier this month, Megan A. Dutta warned readers about easily compromised passwords in her article, “Exposing the Most Vulnerable Passwords of 2024.”


Scott Tiner talked about passwords again this year, in his article, “Security Versus Convenience.” Scott also noted how Chinese hackers are targeting U.S. infrastructure, which brings us back to our discussion about the water treatment facility attacks. This is happening so often that the United States government has recently issued a document, “Top Cyber Actions For Securing Water Systems,” with basic steps that I believe can be easily applied to most AV systems and AV integration firms.

Try it. Just swap “water” or “OT” for “AV.” For example, Step 3 is “Change Default Passwords Immediately.”

“Require unique, strong, and complex passwords for all water [AV] systems, including connected infrastructure. Weak default or insecure passwords are easy to discover and exploit, and they may allow cyber threat actors to make changes to a water [AV] systems’ operational processes. This can negatively impact public health and safety. Change default or insecure passwords and implement multifactor authentication (MFA) where possible. Focus on deploying MFA to IT infrastructure, such as email, to make it difficult for threat actors to access OT [AV] systems. Consider asking manufacturers to eliminate default passwords.”
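The three password rules this column keeps coming back to (change the default, use something strong, and never reuse one across customers) can be checked mechanically against the credential records an integrator already keeps in a password safe. The following Python script is an added example, not code from the column, from rAVe or from the CISA document: it audits a constructed inventory of AV devices and reports which ones still carry a default, weak or shared password. The device names, customer names and the list of vendor default passwords are placeholders; a real audit would load the documented defaults for each installed model and run against a password-safe export, never against live devices.

```python
"""Credential-hygiene audit for an AV asset inventory (added example).

Checks each device record for: a known vendor default password, a password
that fails basic strength rules, and a password reused at more than one
customer site. Runs offline against a constructed inventory.
"""
import re
from collections import defaultdict

# Constructed, hypothetical list of vendor default credentials. A real audit
# would load the documented defaults for every installed model.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "default", "changeme"}
MIN_LENGTH = 12  # assumed policy minimum; adjust to your own standard


def strength_issues(password):
    """Return the list of policy violations for one password (empty = passes)."""
    issues = []
    if password.lower() in KNOWN_DEFAULTS:
        issues.append("default-password")
    if len(password) < MIN_LENGTH:
        issues.append("too-short")
    # Require at least three of: lowercase, uppercase, digit, symbol.
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        issues.append("low-complexity")
    return issues


def audit_inventory(devices):
    """Audit records of the form {"id", "customer", "password"}.

    Returns {device_id: [findings]} containing only devices with findings.
    Cross-customer reuse is flagged on every device sharing that password.
    """
    findings = defaultdict(list)
    customers_by_password = defaultdict(set)
    for d in devices:
        findings[d["id"]].extend(strength_issues(d["password"]))
        customers_by_password[d["password"]].add(d["customer"])
    for d in devices:
        if len(customers_by_password[d["password"]]) > 1:
            findings[d["id"]].append("reused-across-customers")
    return {dev: issues for dev, issues in findings.items() if issues}


# Constructed sample inventory (hypothetical device and customer names).
SAMPLE_INVENTORY = [
    {"id": "proc-lobby", "customer": "customer-a", "password": "admin"},
    {"id": "dsp-boardroom", "customer": "customer-a", "password": "Kq7!vR2m#pLw9x"},
    {"id": "touchpanel-3f", "customer": "customer-b", "password": "Summer2024"},
    {"id": "switcher-1", "customer": "customer-b", "password": "Kq7!vR2m#pLw9x"},
]

if __name__ == "__main__":
    for device_id, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {', '.join(issues)}")
```

Run as-is, the script flags the lobby processor for still being on its factory default, the third-floor touch panel for a short password, and both the DSP and the switcher because one password is shared between two different customers. Replacing `SAMPLE_INVENTORY` with an export from your own password safe turns this into a recurring check that fits naturally under the “Conduct Regular Cybersecurity Assessments” action.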

Here are the other steps listed in the Top Actions for Securing Water [AV] Systems document:

  • Reduce Exposure to the Public-Facing Internet
  • Conduct Regular Cybersecurity Assessments
  • Conduct an Inventory of OT/IT [AV/IT] Assets
  • Develop and Exercise Cybersecurity Incident Response and Recovery Plans
  • Backup OT/IT [AV] Systems
  • Reduce Exposure to Vulnerabilities [by patching]
  • Conduct Cybersecurity Awareness Training

Chances are, you are already providing some form of employee training that could easily include cybersecurity awareness modules. You can also work security into your end-user training, teaching them how to have more secure meetings, and how your technology helps to protect their privacy.

There are plenty of free resources in the PDF guidelines and online at CISA.gov and here on rAVe!

Now, please, for crying out loud, go change those default passwords! Do NOT make us ask you again!
