CISA Issues UPS Warning

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint statement with the Department of Energy (DoE) warning of attacks against internet-connected uninterruptible power supply (UPS) devices.

UPS devices provide emergency battery backup power during power surges and outages and are routinely attached to networks for power monitoring and routine maintenance.

In a warning published Tuesday, CISA and the DoE said threat actors had been gaining access to various UPS devices, often through unchanged default usernames and passwords.

“Oftentimes, manufacturers use the factory-installed, default credentials that are meant to be updated after installation,” Ellen Boehm, VP of IoT Strategy and Operations at Keyfactor told Infosecurity Magazine. 

“In these cases, if common keys are used across millions of devices, there becomes a single point of failure if that credential is discovered and used to exploit other devices with the same authentication.”

Describing the potentially devastating impact of a cyber-attack on UPS devices, Boehm said: “If attackers are able to take over UPS devices remotely, they can be used to wreak havoc on a company’s internal network and steal data or, in worse case scenarios, cut power for mission-critical appliances, equipment or services.”

Users of UPS devices were urged by CISA and the DoE to immediately enumerate all UPS devices and similar systems and ensure they are not accessible from the internet. For devices that must remain online, multi-factor authentication, a virtual private network and strong passwords should be used.

“Check if your UPS’s username/password is still set to the factory default. If it is, update your UPS username/password so that it no longer matches the default,” stated the warning, “This ensures that going forward, threat actors cannot use their knowledge of default passwords to access your UPS.” 

Boehm said that asymmetric certificates offered a robust way to protect access to IoT devices deployed in the manufacturer’s or end-users’ networks. 

“With asymmetric encryption, a unique public and private key pair is generated,” explained Boehm, “Each one serves a different purpose (the public key decrypts data and can be shared openly, while the private key encrypts data, and must be protected), and helps resolve some of these challenges.”

Leave a Reply