Jason is spot on in his last post on default and easily guessed passwords. Extending Jason’s rant a bit here . . . passwords don’t work.
This isn’t news; we all live with the problem and have our own workarounds because humans can’t remember large numbers of frequently changing complex passwords.
There has been encouraging progress in the move to two-factor authentication for emergency remote access, primarily with the SecurID token. It’s time for two-factor to be used more widely in control systems. The operators will be the last to adopt two-factor, and this makes sense because they are typically in a physically secure control center that is manned and monitored 24×7. Asset owners should be looking to require two-factor for workstations and servers outside the control center and for administrators who have significant privileges.
There are pros and cons to integrating control system user management with Microsoft’s Active Directory. One of the pros is that the control system now supports almost every type of two-factor authentication.