Every industrial controller ships with a default username and password, whether it comes from Rockwell Automation, Siemens, Schneider Electric, GE or Honeywell. The credentials are printed in the installation manual. They are published in vendor knowledge bases. They are compiled in publicly available databases that anyone can search. The username is usually "admin." The password is usually blank, or "1234," or the name of the product.
This is not a secret. It is public knowledge. And if your PLC or RTU is reachable from the internet with those credentials still active, it is not a configuration problem waiting to be fixed. It is an active exposure that adversaries are already scanning for.
Why default credentials persist
The reason default credentials survive in production is not negligence. It is the way industrial control systems have been deployed for the last twenty years.
When a system integrator commissions a PLC at a water treatment plant, the priority is getting the process running. The chlorine dosing loop needs to work. The high-level alarm on the clearwell needs to trigger. The SCADA display needs to show the right values. Security configuration is not part of the commissioning checklist because, when most of these systems were installed, there was no network path from the internet to the controller. The PLC sat on an isolated serial network behind a locked cabinet door. Default credentials were irrelevant because physical access was the only access.
That assumption stopped being true when utilities connected their SCADA networks to the internet for remote monitoring. The PLC that was safe behind a serial cable in 2008 is now reachable over TCP/IP in 2026. But the credentials never changed, because nobody went back and changed them. The integrator moved on to the next job. The operator does not know the password can be changed. The IT provider does not touch control systems.
What an attacker actually sees
When a Rockwell CompactLogix PLC is connected to the internet, it responds to standard EtherNet/IP requests on port 44818. That response includes the device model, firmware version, and module configuration. No authentication is required to get this information. The device simply answers.
Public scanning infrastructure continuously indexes these responses. The result is a searchable database of every internet-connected industrial controller, organized by manufacturer, model, firmware version, geographic location, and hosting provider. An attacker does not need to scan your network. The work is already done.
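To make concrete how much a controller volunteers in that unauthenticated reply, here is an added Python example (not code from the original article) that decodes an EtherNet/IP ListIdentity response on port 44818 into an inventory record, the kind of parsing an asset-inventory tool does. The sample bytes are constructed for a hypothetical CompactLogix; the product code, serial number and address are placeholders, not values from any real device.

```python
import struct

# Encapsulation constants from the ODVA EtherNet/IP specification
ENCAP_HEADER_LEN, CMD_LIST_IDENTITY, ITEM_CIP_IDENTITY = 24, 0x0063, 0x000C
VENDOR_NAMES = {1: "Rockwell Automation/Allen-Bradley"}  # partial lookup table
DEVICE_TYPES = {0x0E: "Programmable Logic Controller"}   # partial lookup table

def parse_list_identity(reply: bytes) -> dict:
    """Decode an EtherNet/IP ListIdentity reply into an inventory record."""
    if len(reply) < ENCAP_HEADER_LEN:
        raise ValueError("truncated encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from("<HHII8sI", reply, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"not a successful ListIdentity reply (cmd=0x{cmd:04x}, status={status})")
    body = reply[ENCAP_HEADER_LEN:ENCAP_HEADER_LEN + length]
    if len(body) != length or length < 6:
        raise ValueError("encapsulation length does not match payload")
    item_count, item_type, item_len = struct.unpack_from("<HHH", body, 0)
    if item_count < 1 or item_type != ITEM_CIP_IDENTITY:
        raise ValueError("reply carries no CIP Identity item")
    item = body[6:6 + item_len]
    if len(item) != item_len or item_len < 34:
        raise ValueError("CIP Identity item truncated")
    # 2-byte encapsulation version (LE), then a 16-byte sockaddr_in in network byte order
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    # CIP Identity object attributes start at offset 18, little-endian
    vendor, dev_type, product, rev_major, rev_minor, dev_status, serial, name_len = \
        struct.unpack_from("<HHHBBHIB", item, 18)
    if item_len < 34 + name_len:          # name bytes plus the trailing state byte must fit
        raise ValueError("product name runs past end of item")
    return {
        "ip": ".".join(str(b) for b in addr), "port": port,
        "vendor": VENDOR_NAMES.get(vendor, f"vendor 0x{vendor:04x}"),
        "device_type": DEVICE_TYPES.get(dev_type, f"type 0x{dev_type:02x}"),
        "product_code": product, "revision": f"{rev_major}.{rev_minor}", "status": dev_status,
        "serial": f"{serial:08x}",
        "product_name": item[33:33 + name_len].decode("ascii", errors="replace"),
        "state": item[33 + name_len],
    }

def build_sample_reply() -> bytes:
    """Constructed reply for a hypothetical CompactLogix; product code and serial are placeholders."""
    name = b"1769-L33ER/B LOGIX5333ER"
    item = struct.pack("<H", 1)                                                   # encapsulation version
    item += struct.pack(">HH4s8s", 2, 44818, bytes([192, 0, 2, 10]), b"\0" * 8)  # AF_INET, port, IP
    item += struct.pack("<HHHBBHIB", 1, 0x0E, 0x5F, 30, 11, 0x0060, 0x00C0FFEE, len(name))
    item += name + b"\x03"                                                        # name, then state
    body = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item
    return struct.pack("<HHII8sI", CMD_LIST_IDENTITY, len(body), 0, 0, b"\0" * 8, 0) + body
```

Every field in the returned record (vendor, model string, firmware revision, serial number) is handed over before any credential is presented, which is why this data is already indexed for any device reachable from the internet.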
With the device identified, the next step is connecting with the default credentials. For many Rockwell controllers, there is no password at all. The CIP protocol allows direct configuration changes without authentication unless the controller has been explicitly configured to require it. CVE-2021-22681 documents exactly this issue: an authentication bypass that allows an attacker to connect to the controller using Rockwell's own engineering software and make arbitrary changes to the logic program.
The default credential problem is not that the password is weak. It is that on many controllers, there is no password at all.
This is not theoretical
In February 2021, an attacker accessed the water treatment system in Oldsmar, Florida through TeamViewer, a remote desktop tool that was configured with a shared password across all operator workstations. The attacker attempted to increase sodium hydroxide levels to dangerous concentrations. The intrusion was caught by an operator who noticed the mouse moving on his screen.
In November 2023, Iranian state-sponsored hackers compromised a Unitronics Vision PLC at the Municipal Water Authority of Aliquippa, Pennsylvania. The device was internet-facing and configured with the factory default password. The attackers defaced the HMI screen with an anti-Israel message. The PLC controlled a booster pump station serving thousands of residents.
In January 2024, the same group targeted water systems in Muleshoe, Texas, causing an overflow at a water storage facility. The attack exploited the same class of internet-facing controllers with default or no authentication.
All three incidents share the same root cause. Internet-exposed control equipment with factory default credentials. Not sophisticated zero-day exploits. Not advanced persistent threat techniques. Default passwords on devices that should never have been reachable from the internet in the first place.
The CISA response
CISA has added multiple default-credential vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. Once a CVE appears on the KEV list, federal agencies are required to remediate it within a specified timeline. While the KEV mandate applies directly to federal systems, CISA has repeatedly urged critical infrastructure operators to treat KEV entries as their remediation priority list.
CISA's guidance is clear. If you operate a PLC or RTU that is reachable from the internet, check whether it is running with factory default credentials. If it is, that device is compromised until proven otherwise.
What to do about it
The remediation path is straightforward, but it requires someone to actually do it.
- Inventory every controller on your network. Document the manufacturer, model, firmware version, and network address. If you cannot produce this list today, that is the first problem.
- Check for internet exposure. A passive vulnerability assessment can identify which of your devices are visible from the public internet without touching your network. This is the fastest way to find out what an attacker already knows about you.
- Change default credentials on every device. Use unique, complex passwords. Document them in a secure credential manager. If a device does not support authentication, isolate it behind a firewall that does.
- Segment your OT network. Control systems should not share a network path with office IT, guest WiFi, or the public internet. A properly segmented architecture prevents an attacker who compromises one system from reaching the controllers.
- Disable unnecessary services. If a controller does not need to be remotely accessible, turn off the remote access. If it does, put it behind a VPN with multi-factor authentication.
Federal grant programs including the SLCGP (State and Local Cybersecurity Grant Program), DWSRF (Drinking Water State Revolving Fund), and CWSRF (Clean Water State Revolving Fund) can fund all of this work: the assessment, the remediation, the network segmentation, and the ongoing monitoring. The money is available. The first step is documenting what needs to be fixed.
If you operate a water or wastewater utility and you are not sure whether your control systems are running on default credentials, the honest answer is probably yes. That is not a judgment. It is the industry baseline. The question is what you do about it now that you know.