'Engineers may have legitimate reasons for downloading such password-cracking software.'
No, no they don't.
I'd be quite rightly relieved of my job if I did that.
Industrial engineers and operators are being lured into running backdoor malware disguised as tools for recovering access to work systems. These programs offer to crack passwords for specific programmable logic controllers, according to security shop Dragos this month. According to their online ads, the cracking tools can …
This sort of thing has been very common with industrial control software for at least 20 years that I can recall. Downloads of password crackers and cracked versions of (otherwise very expensive) copy protected programming software has been widely known to generally come full of all sorts of malware.
That anybody would fall for this shows if anything the naivety of the targets.
The main reasons for needing password crackers by the way are:
The above doesn't cover every reason, but it probably covers 99 per cent of cases.
Fortunately, passwords are only very rarely used on PLCs, as there's seldom any point to them. Out of many hundreds of PLCs that I've worked with, I can't recall seeing a password on any of them.
Any access control is usually handled by the fact that you typically need physical access to the PLC, a copy of the programming software, and a knowledge of how to use all of this in order to do anything with it. Some programming software uses access control passwords as part of the software rather than in the PLC itself.
Someone who was really determined to change the program in a PLC and had the physical access to it could just wipe the memory and reload a new copy of the program reconstructed from printouts.
Manufacturer's likely responses: (1) None, as they've gone out of business; (2) "We don't support that product any more."; (3) "You first must have a current, paid-up support contract with us. If you don't, we'll allow you to purchase one with a special, extortionate fee; (4) "Provide a copy of your proof-of-purchase from us (not from any third party) ..."
That said, everyone ought to know by now that warez and serial number/password-cracker programs host more virii and malware than a Glaswegian pub's urinal.