OT/ICS Security – Critical Systems Require Unique Credentials

Created: Tuesday, June 14, 2022 - 13:44
Categories: OT-ICS Security

Conventional guidance strongly recommends unique credentials for every site and service, including ICS/OT assets, to minimize the risk of compromise. Many cyber threat actors are notorious for leveraging valid credentials to gain unauthorized access. It is problematic when those valid credentials, especially privileged ones, are shared or reused across sites or services, regardless of whether the accounts are business or personal, and more problematic still when logins are shared across business and personal profiles. But when credentials are shared or reused across IT and OT resources, the consequences can go well beyond data or financial loss, and the threat actor's job becomes a lot easier.

On the surface, valid credentials offer actors a means to hide in plain sight and remain undetected for a significant amount of time. Valid credentials also often afford the attacker the ability to maintain persistence within a network or elevate privileges to critical systems. With valid credentials, attackers can leverage native functionality and existing tools for stealthy operations and may not need to deploy malware or other attack tools that could be detected. According to CISA, leveraging valid accounts was the most successful initial access vector for its assessment teams, which discovered and used a range of valid accounts to gain access to assessed water/wastewater systems and SLTT entities. This data also corroborates findings in joint Cybersecurity Advisory AA22-137A, Weak Security Controls and Practices Routinely Exploited for Initial Access.

In similar observations, Dragos reports that 44% of its services engagements in 2021 included findings related to shared credentials from accounts used in both the IT and OT networks, including default accounts and vendor accounts. While this practice is commonly observed across many critical infrastructure sectors, Dragos notes that it occurs most frequently in rail, water, and food & beverage. Dragos also assesses that, combined with other observations from its 2021 Year in Review, such as the 77% of engagements that included a finding of improper network segmentation, the potential consequences of shared credentials being exploited increase significantly. Together, these two findings may enable an adversary to easily traverse to ICS assets using credentials obtained from IT accounts. For more on Minimizing the Consequences of Shared Credentials Across OT and IT Environments, visit Dragos.
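As an added defender-side example that is not from this advisory, CISA or Dragos, the script below shows one check a monitoring team could run over authentication logs to surface the two findings above: accounts that authenticate into both IT and OT hosts, and watch-listed default/vendor accounts reaching OT hosts. The zone ranges, account names and log lines are constructed placeholders.

```python
"""Flag accounts used across IT and OT zones in a constructed auth log.
Added example, not from the advisory. Assumes CSV records of the form
timestamp,user,source_ip,dest_ip,result; all ranges, names and log
lines below are constructed placeholders."""
import ipaddress
from collections import defaultdict
# Constructed zone map: which address ranges are IT and which are OT.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}
# Constructed watch-list of default/vendor account names.
DEFAULT_ACCOUNTS = {"admin", "vendor", "operator", "root"}
# Constructed sample log (timestamp,user,source_ip,dest_ip,result).
SAMPLE_LOG = """\
2022-06-14T08:01:02,jdoe,10.10.5.21,10.10.1.10,success
2022-06-14T08:03:44,jdoe,10.10.5.21,10.20.3.7,success
2022-06-14T08:10:00,asmith,10.10.7.3,10.10.1.10,success
2022-06-14T09:15:30,vendor,192.0.2.44,10.20.3.9,success
2022-06-14T09:16:10,vendor,10.20.3.9,10.20.3.12,success
2022-06-14T09:20:00,plc_ro,10.20.4.2,10.20.3.7,failure
"""

def zone_of(ip):
    """Map an IP to 'IT', 'OT' or 'EXTERNAL' using the constructed ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"

def parse(log_text):
    """Parse CSV lines into dicts; blank lines are skipped."""
    keys = ("ts", "user", "src", "dst", "result")
    return [dict(zip(keys, line.split(",")))
            for line in log_text.splitlines() if line.strip()]

def find_cross_zone_accounts(rows):
    """Accounts that successfully authenticated to both IT and OT hosts."""
    zones = defaultdict(set)
    for r in rows:
        if r["result"] == "success":
            zones[r["user"]].add(zone_of(r["dst"]))
    return {u: sorted(z) for u, z in zones.items() if {"IT", "OT"} <= z}

def find_default_accounts_on_ot(rows):
    """Watch-listed default/vendor accounts seen authenticating to OT hosts."""
    return sorted({r["user"] for r in rows
                   if r["user"] in DEFAULT_ACCOUNTS and zone_of(r["dst"]) == "OT"})
```

Failed logins are ignored so that a single mistyped OT login does not flag an IT-only account; a real deployment would key the zone map and watch-list to the site's own inventory.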