Password and Credential Management for BAS
Poor credential management is a leading cause of BAS security incidents. This guide covers best practices for passwords, accounts, and secrets management.
The Problem
Common Credential Issues
| Issue | Risk |
|---|---|
| Default passwords | Easy compromise |
| Shared accounts | No accountability |
| Weak passwords | Brute force attacks |
| Passwords in documentation | Unauthorized access |
| No password rotation | Long-term compromise |
| Same password everywhere | Single breach = full access |
Real-World Impact
ICS-CERT and CISA advisories frequently cite:
- Default credentials left unchanged
- Hard-coded passwords in firmware
- Weak authentication mechanisms
- Lack of audit trails
Password Requirements
Minimum Standards
| Attribute | Requirement |
|---|---|
| Length | 12+ characters (16+ for admin) |
| Complexity | Upper, lower, number, special |
| Uniqueness | Different for each system |
| History | Cannot reuse last 12 passwords |
| Maximum age | 90 days (or longer with MFA) |
| Lockout | After 5 failed attempts |
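Checks that enforce the Minimum Standards table above, as an added example that is not part of the original guide; the account-type split, the one-year MFA age limit and the use of PBKDF2 for the history store are assumptions.

```python
"""Checks implementing the Minimum Standards table above (added example, not
from the original guide; account types and the MFA age limit are assumptions)."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

HISTORY_DEPTH = 12       # cannot reuse last 12 passwords
MAX_AGE_DAYS = 90        # 90 days without MFA
MAX_AGE_DAYS_MFA = 365   # assumption: "longer with MFA" taken as one year
LOCKOUT_THRESHOLD = 5    # lock after 5 failed attempts

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 digest so history never stores passwords in clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def in_history(password: str, history: list) -> bool:
    """True if password matches any of the last HISTORY_DEPTH (salt, digest) pairs."""
    return any(hmac.compare_digest(hash_password(password, s)[1], d)
               for s, d in history[-HISTORY_DEPTH:])

def validate_new_password(password: str, is_admin: bool, history: list) -> list:
    """Return policy violations for a proposed password; empty means accepted."""
    problems = []
    min_len = 16 if is_admin else 12   # 12+ chars, 16+ for admin
    if len(password) < min_len:
        problems.append(f"length < {min_len}")
    has = [any(c.isupper() for c in password), any(c.islower() for c in password),
           any(c.isdigit() for c in password),
           any(c in string.punctuation for c in password)]
    if not all(has):
        problems.append("needs upper, lower, number and special")
    if in_history(password, history):
        problems.append(f"reused within last {HISTORY_DEPTH} passwords")
    return problems

def password_expired(last_changed: date, mfa_enrolled: bool, today: date) -> bool:
    """Maximum age is 90 days, or the longer MFA limit for MFA-enrolled accounts."""
    limit = MAX_AGE_DAYS_MFA if mfa_enrolled else MAX_AGE_DAYS
    return today - last_changed > timedelta(days=limit)

def should_lock(failed_attempts: int) -> bool:
    """Lock the account once failed attempts reach the threshold."""
    return failed_attempts >= LOCKOUT_THRESHOLD
```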
Password Strength Examples
| Strength | Example | Time to Crack |
|---|---|---|
| Weak | password123 | Seconds |
| Medium | P@ssw0rd! | Hours |
| Strong | Tr0ub4dor&3#Horse | Years |
| Very Strong | Random 16+ chars | Centuries |
Account Management
Account Types
| Type | Purpose | Management |
|---|---|---|
| Service accounts | System-to-system | Long passwords, no interactive |
| Admin accounts | Configuration | Strong auth, limited use |
| Operator accounts | Daily use | Standard policy |
| Vendor accounts | Support access | Time-limited, audited |
Principle of Least Privilege
Each account should have only the access its role requires, with everything else denied:
Engineer Account:
✓ Read/write configuration
✓ Acknowledge alarms
✗ User management
✗ Security settings
Operator Account:
✓ View graphics
✓ Acknowledge alarms
✓ Adjust setpoints (limited range)
✗ Configuration changes
✗ Programming
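A deny-by-default authorization check for the Engineer and Operator roles listed above, as an added example that is not part of the original guide; the action names and the operator setpoint band are assumptions.

```python
"""Deny-by-default role checks for the Engineer and Operator accounts above
(added example, not from the original guide; action names are assumptions)."""
from __future__ import annotations
from dataclasses import dataclass

# Permissions granted per role; anything not listed is denied.
ROLE_PERMISSIONS = {
    "engineer": {"read_config", "write_config", "ack_alarm"},
    "operator": {"view_graphics", "ack_alarm", "adjust_setpoint"},
}
# Assumption: operators may move a setpoint at most this far from the engineered value.
OPERATOR_SETPOINT_BAND = 2.0


@dataclass
class Account:
    name: str
    role: str


@dataclass
class Point:
    name: str
    engineered_setpoint: float


def authorize(account: Account, action: str, point: Point | None = None,
              new_value: float | None = None) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is what should go in the audit log."""
    granted = ROLE_PERMISSIONS.get(account.role, set())
    if action not in granted:
        return False, f"{account.role} may not {action}"
    if action == "adjust_setpoint":
        if point is None or new_value is None:
            return False, "setpoint change requires a point and a value"
        low = point.engineered_setpoint - OPERATOR_SETPOINT_BAND
        high = point.engineered_setpoint + OPERATOR_SETPOINT_BAND
        if not low <= new_value <= high:
            return False, f"{new_value} outside operator band [{low}, {high}]"
    return True, "ok"
```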
Eliminating Shared Accounts
| Instead Of | Use |
|---|---|
| "admin" shared by all | Individual admin accounts |
| "operator" for day shift | User-specific accounts |
| "contractor" for all vendors | Per-company, time-limited |
Default Credential Remediation
Discovery Process
- Inventory all devices with web interfaces or logins
- Document default credentials from manuals
- Test for defaults (authorized testing only)
- Prioritize by risk (internet-facing first)
Common BAS Default Credentials
Note: Change these immediately upon deployment.
| Platform | Common Defaults |
|---|---|
| Niagara | admin/admin, tridium/tridium |
| Metasys | MetasysSysAgent/[varies] |
| Many others | admin/admin, admin/password |
Remediation Steps
1. Change all default passwords
2. Rename or disable default accounts where possible
3. Create role-based accounts
4. Document in secure location (not in drawings)
5. Verify changes were applied
Password Storage
Where NOT to Store Passwords
| Location | Risk |
|---|---|
| Sticky notes | Physical access = compromise |
| Shared spreadsheets | Too many people can access |
| Email | Easily forwarded/leaked |
| Drawing submittals | Distributed widely |
| Unencrypted files | Easy to copy/steal |
Recommended Storage
| Method | Appropriate For |
|---|---|
| Password manager | Individual use |
| Enterprise vault | Shared/service accounts |
| Hardware security module | Critical secrets |
Password Manager Features
- Encrypted storage
- Access logging
- Role-based sharing
- Password generation
- Expiration tracking
Service Account Management
Best Practices
| Practice | Implementation |
|---|---|
| Long passwords | 25+ random characters |
| No interactive login | Service only |
| Minimum permissions | Only required access |
| Regular rotation | Annual minimum |
| Documented purpose | Why account exists |
API Keys and Tokens
| Guideline | Reason |
|---|---|
| Never embed in code | Code is often shared/leaked |
| Use environment variables | Easier to rotate |
| Implement expiration | Limit exposure window |
| Scope appropriately | Minimum required permissions |
| Audit usage | Detect misuse |
Multi-Factor Authentication
When to Require MFA
| Access Type | MFA Required? |
|---|---|
| Remote access | Yes |
| Admin accounts | Yes |
| Local workstation | Recommended |
| Service accounts | Not applicable |
| Public-facing | Yes |
MFA Options
| Method | Security Level |
|---|---|
| SMS code | Low (SIM swapping risk) |
| Authenticator app | Medium |
| Hardware token | High |
| Biometric | Medium-High |
| Smart card | High |
Vendor and Contractor Access
Temporary Access Process
1. Request submitted with justification
2. Approval from system owner
3. Time-limited account created
4. Access logged throughout
5. Account disabled at end of work
6. Activity reviewed
Vendor Account Requirements
| Requirement | Purpose |
|---|---|
| Individual accounts | Accountability |
| Expiration date | Automatic termination |
| Limited scope | Only needed access |
| Session logging | Audit trail |
| Notification on creation/use | Awareness |
Audit and Monitoring
What to Log
| Event | Purpose |
|---|---|
| Login success | Usage tracking |
| Login failure | Attack detection |
| Password changes | Change management |
| Account creation | Access control |
| Privilege escalation | Security monitoring |
Review Frequency
| Review | Frequency |
|---|---|
| Failed login attempts | Daily |
| Active accounts | Monthly |
| Admin account usage | Weekly |
| Service account inventory | Quarterly |
| Password age report | Monthly |
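The daily failed-login review from the table above, run over constructed sample log lines, as an added example that is not part of the original guide; the log format, addresses and 15-minute window are assumptions, and the threshold of 5 matches the lockout standard in this guide.

```python
"""Daily failed-login review over BAS authentication logs (added example,
not from the original guide; log format and addresses are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # matches the lockout standard in this guide
WINDOW = timedelta(minutes=15)  # assumption: failures counted within 15 minutes

# Constructed sample log: timestamp, event, user, source address.
SAMPLE_LOG = """\
2024-05-06T02:10:01 LOGIN_FAIL user=admin src=10.20.30.44
2024-05-06T02:10:09 LOGIN_FAIL user=admin src=10.20.30.44
2024-05-06T02:10:15 LOGIN_FAIL user=admin src=10.20.30.44
2024-05-06T02:10:22 LOGIN_FAIL user=admin src=10.20.30.44
2024-05-06T02:10:30 LOGIN_FAIL user=admin src=10.20.30.44
2024-05-06T02:10:41 LOGIN_OK user=admin src=10.20.30.44
2024-05-06T08:01:00 LOGIN_FAIL user=jsmith src=10.20.31.7
2024-05-06T08:02:10 LOGIN_OK user=jsmith src=10.20.31.7
"""


def parse_line(line: str) -> dict:
    """Split one log line into timestamp, event name and key=value fields."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def find_brute_force(log_text: str) -> list:
    """Flag each (user, src) with >= FAILURE_THRESHOLD failures inside WINDOW.
    A success after the run is recorded so it can be escalated first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            failures[key].append(e["ts"])
        elif e["event"] == "LOGIN_OK":
            successes[key].append(e["ts"])
    findings = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            last = times[i + FAILURE_THRESHOLD - 1]
            if last - times[i] <= WINDOW:
                findings.append({"user": key[0], "src": key[1], "first_fail": times[i],
                                 "success_after": any(s > last for s in successes[key])})
                break
    return findings
```

A finding with `success_after` set to True is the case to review first, since a successful login following a run of failures is the pattern that distinguishes a guessed password from a forgotten one.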
Incident Response
If Credentials Compromised
Immediate:
1. Change affected passwords
2. Disable compromised accounts
3. Review access logs
4. Check for unauthorized changes
Short-term:
5. Assess scope of compromise
6. Notify stakeholders
7. Implement additional controls
8. Document incident
Long-term:
9. Root cause analysis
10. Improve processes
11. Additional training
References
- CISA ICS-CERT Advisories - Vulnerability alerts
- NIST SP 800-63B - Digital Identity Guidelines
- CIS Controls - Security benchmarks
- Manufacturer security guides - Product-specific guidance