I just had a look at their web site to see what the product is. It's a bog standard remote I/O card. These sorts of products used to use RS-485 or proprietary media. Manufacturers have been switching to Ethernet in order to use standard chip sets, cables, connectors, and other hardware.
You don't put these things on the Internet. They're not that type of module. They're intended to be embedded in a machine (which can be a very large machine) on their own network. The reason they use a network connection is to reduce cabling. The "old" way of doing this would have been to run masses of individual wires from the valve or switch back to racks of I/O cards mounted in a central cabinet. That was expensive, labour intensive, and unreliable (try tracing a flaky connection or signal cross-talk from junction box to junction box some time - not fun). Then they went to proprietary networks, which were expensive, often unreliable, and poorly supported. Now you just run power and an Ethernet cable to the module. There's an embedded switch in each module so you can daisy-chain them, just like you would have with RS-485.
The web interface will be to let you configure the module for such things as address and a few other options. Of course if you have access to the network you can simply ignore the web interface and send standard industrial commands to it to do whatever you want with the I/O without needing any passwords. This is why I have to laugh at the drama in some of these types of stories. Security for these types of devices is supposed to be physical isolation. Don't hook them up to anything that isn't supposed to be able to talk to them. I very much doubt that most customers even bother to change the default passwords anyway. They're not the IoT.
For those who think this sort of thing is a big problem, then here's something for you to worry about. Did you know that you can plug a keyboard, mouse, and monitor into any desktop PC without any security authorisation at all? Astonishing, isn't it! Industrial I/O devices are a machine's equivalent to keyboards and monitors. If you decide to hook them up to the Internet, then it's up to you to provide the necessary security by some external means. Industrial I/O vendors are not in the security business and they shouldn't try to be. If you need security, go to a security specialist and add the security on as a separate firewall/filter/whatever box (there are companies that do this).
Biting the hand that feeds IT
