CIP-007 R5.4 mandates the changing of what type of passwords?

The requirement under CIP-007 R5.4 specifically addresses the need to change default passwords for critical cybersecurity controls. Default passwords are those that come pre-set from the manufacturer or software provider, and they are often widely known and easily accessible, making them a significant security risk if not changed. By mandating the change of default passwords, the standard aims to ensure that systems are protected from unauthorized access, as these passwords can be an entry point for malicious actors.

Changing default passwords is crucial because many devices, applications, and systems will operate with these unchanged passwords unless specifically modified. This practice of changing such passwords is part of an overall strategy to implement stronger access controls and reduce vulnerabilities in systems that support the reliability and security of the electric grid.

The other choices do not focus on the critical importance of addressing default passwords, thus making the correct answer particularly significant in the context of the standard's intent.