The Energy Department and the US Cybersecurity and Infrastructure Security Agency (CISA) published guidelines this week on preventing attacks on UPS units.
Threat actors are targeting UPS units that are linked to the net, typically using the original login authorizations, and the two government agencies advise disabling access to the net by the information system of these units immediately.
UPS devices are connected to networks to monitor power, routine maintenance, or convenience. They are designed to supply immediate power when regular sources of power are disrupted.
A feature adopted by a large number of manufacturers in the recent past is the addition of the internet and related features to their units. It has simplified administrative functions and enabled remote checks. As administrators celebrate these added values, the devices have become vulnerable to malicious attacks.
UPS units were mostly offline until recently, humming away under desks or in equipment and server rooms, waiting for the chance to fulfill their duty in the event of a power outage. Many manufacturers, however, have incorporated internet connectivity and other capabilities into their UPS equipment in recent years to enable remote monitoring and management. These features are convenient for administrators, but they may also make the devices appealing targets for attackers looking for easy access to corporate networks.
The question then is, how does this happen? Hackers obtain access “usually through passwords and usernames that have never been changed,” the same applies to numerous Internet of Things (IoT) devices like smart-lighting structures and routers. Leaving the original credentials in IoT appliances and devices is not a new risk. It’s also a challenge that serves as a reminder to administrators of the value of hardening network controls.
UPS units are a crucial backup of power supply because of the costs of the interlude when staff devices and vital business applications can’t link to the internet. In the medical world, life may hinge on a UPS in the event of a power outage because most medical devices are powered.
UPSs may safeguard tiny loads, like a few servers, huge loads, similar to a whole building, or gigantic loads, equal to a data processing center, as reported by CISA.
The subject of who is required to handle UPS systems, which are only required amid a power loss, is one problem in an organization. An establishment may have different internal divisions responsible for the devices, including although not restricted to the IT departments, industrial maintenance, operations in the building, or contract monitoring service suppliers usually third parties, as stated by CISA.
CISA makes no mention of recent assaults, nor does it assign these dangers to specific culprits. But, in this scenario, the emphasis is on remedial steps or actions.
As a preventative measure against potential attacks that target UPS systems, businesses should take inventory of all units on their premises and ensure their disconnection from cyberspace.
If there isn’t any other alternative for accessing a UPS unit’s management except through the net, CISA recommends the following controls:
- Incorporate a VPN.
- Adopt authentication using many factors
- Change the default passwords and usernames on your UPS devices
- Use compelling, long, passphrases or passwords that cannot be guessed. This is in conformance with guidelines from the National Institute of Standards and Technology (check out XKCD 936, CISA notes for a humorous description of password strength).
- Make use of lockout features or embrace login timeout
- All UPS units and related systems should observe the password criteria of having a solid length.
The dangers that UPS devices face are far beyond theoretical. Armis, a security firm, recently revealed three severe flaws in several of APC’s (a sister company of Schneider Electric) Internet-connected UPS models. The devices’ TLS implementation has been infected with two bugs, allowing a potential attacker to circumvent the authentication method.
A gap in the security of the equipment might allow the hackers to change the programming of the units and gain a long-term presence on the overall system.
CISA requests that organizations report any incidents or unusual activities with UPS devices.