CISA and DOE release a joint warning about attacks against UPS devices

April 1, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) have published a joint advisory warning US firms to secure their internet-connected uninterruptible power supply (UPS) devices against cyberattacks.

Companies use UPS devices for emergency backup power, especially in mission-critical environments like hospitals, industrial facilities, data centres, and server rooms. These environments require an internet connection to perform daily tasks like routine maintenance and power monitoring. However, that connectivity can expose the devices to cyberattacks.

The federal agencies’ joint statement explained that cybercriminals often take advantage of unchanged default usernames and passwords on companies’ UPS devices to infiltrate them and launch attacks.

For this reason, the agencies advised companies to remove management interfaces from the internet to mitigate potential attacks. They also recommend finding all UPSs or other emergency power systems within the organization and shielding their connectivity from the internet.

Still, the federal agencies acknowledge that there are cases where a company’s management interfaces require an internet connection. In those cases, they advise placing the devices behind a VPN (virtual private network) with multifactor authentication (MFA) enabled and setting strong passwords.

The agencies also strongly advise against using factory default credentials on UPSs, since these are the first thing hackers try when attempting to intrude into companies’ systems.

In addition to these recommendations, US firms are advised to enable auto lockout or login time-out measures as another way to stop attacks on UPS devices.
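The recommendations above can be checked mechanically against an asset inventory. The following Python is an added example, not part of the advisory or of any vendor tooling; the CSV column names, the finding codes, the internal address ranges, and the sample rows are all constructed assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumption: address space this organization treats as internal-only.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory; column names are hypothetical.
SAMPLE_INVENTORY = """\
name,mgmt_ip,behind_vpn,mfa,default_creds_changed,lockout_enabled
ups-dc1-a,10.20.0.15,no,no,yes,yes
ups-clinic-2,203.0.113.40,no,no,no,no
ups-plant-7,203.0.113.77,yes,yes,yes,no
ups-lab-3,192.168.5.9,no,no,no,yes
ups-old-9,not-an-ip,no,no,yes,yes
"""

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_device(row):
    """Return finding codes for one UPS, following the advisory's mitigations."""
    findings = []
    try:
        addr = ip_address(row["mgmt_ip"].strip())
        exposed = not any(addr in net for net in INTERNAL_NETS)
    except ValueError:
        # An address we cannot parse cannot be cleared as internal.
        findings.append("BAD_ADDRESS")
        exposed = True
    if exposed:
        if not _yes(row["behind_vpn"]):
            findings.append("INTERNET_EXPOSED")  # no VPN in front of the interface
        elif not _yes(row["mfa"]):
            findings.append("VPN_NO_MFA")        # VPN present but without MFA
    if not _yes(row["default_creds_changed"]):
        findings.append("DEFAULT_CREDS")         # factory credentials still set
    if not _yes(row["lockout_enabled"]):
        findings.append("NO_LOCKOUT")            # no auto lockout / login time-out
    return findings

def audit_inventory(csv_text):
    """Map device name -> findings, listing only devices with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```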

Hackers are also exploiting several critical security vulnerabilities to infiltrate and take over UPSs, allowing them to control these sensitive systems remotely. One example is TLStorm, a set of zero-day flaws that allowed hackers to control UPS devices remotely and either burn them out or disable their power.
