This guest blog was contributed by Gnanaprakasam Pandian, Chief Product Officer and Co-Founder, Ordr
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) recently sent out an alert about potential attacks against internet-connected uninterruptible power supply (UPS) devices, by means of default usernames and passwords.
Most security and IT teams may not think of UPS devices as vulnerable, smart IoT devices. In fact, they are ubiquitous, cloud-connected, and enable emergency backup power for critical physical infrastructure. When the flow of electricity is interrupted, UPS devices provide backup power until power is restored, generators are activated, or devices are shut down properly. When power is restored, UPS systems protect devices from potentially damaging power surges.
Because of the critical role that UPS devices play, they are prevalent in almost every organization and vertical. In fact, in some organizations, these devices may be under the purview of the facilities team. But make no mistake -- an attack exploiting vulnerabilities on smart UPS devices can have severe consequences.
Imagine being on the operating table and the power goes out - and the UPS doesn't kick in right away!
What should organizations do about this CISA alert? There are four essential steps that IT, security or facilities teams need to be implementing right away:
Discover these UPS devices: It is vital to gain visibility into every single UPS device in the network. Most organizations do not have an accurate real-time inventory of all devices, so use tools that can automate this process and deliver granular classification and context such as make, model, serial number, and more.
Understand the risks these UPS devices bring: Once you’ve discovered these devices, it’s important to identify the ones with risks. CISA’s alert specifically calls out that devices are being attacked through unchanged default usernames and passwords, so any devices still using default usernames and passwords should be updated immediately. There have also been vulnerabilities reported with specific UPS devices that should be patched right away.
Consider whether you need to disconnect UPS devices with internet connectivity to mitigate risks. CISA recommends that certain devices be disconnected from the Internet, or be placed behind compensating controls, like a VPN with multi-factor authentication enforced.
Baseline behavior: In addition to Step 2, you should baseline the normal behavior patterns for UPS devices, and map where they are connected in the network (both their physical and network location). This addresses two objectives. First, baselining communications patterns and device behavior are crucial to identifying anomalies. UPS devices have specific functions, and their behaviors are deterministic regardless of the make and model. Devices behaving abnormally provide an early indication of an attack in progress, or of a device that has already been compromised. Second, knowing where devices are connected is important during an incident to immediately be able to locate and isolate them to prevent lateral movement.
Generate segmentation policies: With all UPS devices accounted for, and their behavior monitored/baselined, IT and security teams can then generate and assign appropriate zero trust policies for each device. These policies can control how each device communicates and what resources it can and cannot access.
Cyberattacks to critical devices like UPS can be extremely disruptive and extremely disruptive, particularly in healthcare systems and manufacturing environments. One vulnerable UPS device alone can become a dangerous attack vector. Every organization should be vigilant and stay on top of this CISA alert by implementing the steps above.