What must be done to known default passwords according to CIP-007 R5?

The requirement under CIP-007 R5 emphasizes the importance of securing cyber assets by addressing known default passwords. The correct approach is to change these default passwords in alignment with the capabilities of the cyber assets themselves. This is crucial because default passwords are widely known and can easily be exploited, posing significant security risks. By changing the passwords, organizations enhance their security posture and ensure that access to critical systems is restricted to authorized users only.

Furthermore, changing passwords as per the cyber asset capability means taking into account the specific features and functions of the devices in use, which helps in implementing strong password policies appropriate to each system. This tailored approach allows for better management of credentials while maintaining system integrity and confidentiality.

Other approaches, such as leaving the default passwords unchanged or changing them without proper documentation, overlook the fundamental goal of cybersecurity, which is to protect critical infrastructure from unauthorized access and potential threats. Creating a public database of these passwords would be counterproductive, as it would help attackers rather than safeguard systems.
