CISA, DOE warn that hackers are gaining access to various internet-connected UPS devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) issued a warning that cybercriminals are gaining access to a variety of internet-connected UPS devices, often through unchanged default usernames and passwords. The advisory asks organizations to mitigate such attacks on uninterruptible power supply (UPS) devices by immediately removing management interfaces from the internet.

“In recent years, UPS vendors have added an Internet of Things capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience,” the CISA and DOE wrote in their advisory on Tuesday.

UPS devices provide clean and emergency power in a variety of applications when normal input power sources are lost, according to the advisory. “Loads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center). Various different groups within an organization could have responsibility for UPSs, including but not limited to IT, building operations, industrial maintenance, or even third-party contract monitoring service vendors,” it added. 

Earlier this month, Armis researchers discovered a set of three critical vulnerabilities in APC Smart-UPS devices, dubbed TLStorm. If exploited, these vulnerabilities can allow attackers to remotely manipulate the power of millions of enterprise devices, take over Smart-UPS devices, and potentially carry out extreme cyber-physical attacks across critical installations, including server rooms, medical facilities, OT/ICS environments, and residences, the company added.

“After years of prodding and multiple UPS cyber incidents, CISA has finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities,” cybersecurity expert Joe Weiss wrote in a LinkedIn post on Tuesday. “This is certainly welcome progress. However, more work is still needed to address other aspects of insecure building and data center control systems: insecure process sensors, Power Distribution Units, insecure UPS protocols such as Simple Network Management Protocol (SNMP), Modbus, and BACnet (even with the use of VPNs), etc. Hopefully, CISA extends their work to these issues as well,” he added.

Weiss had earlier observed in a blog post that “there is minimal guidance for cyber securing UPSs even though compromising the UPSs can directly lead to data center equipment damage.” Specifically, SNMP interface cards allow shutting down UPSs, scheduling shutdowns and restarts of the UPS, turning off power to selected UPSs, and draining or disconnecting backup batteries. Remotely changing UPS settings, whether malicious or unintentional, can lead to fires or battery chemical releases that can cause facilities to be evacuated, Weiss added.

The latest CISA-DOE advisory suggested that organizations immediately enumerate all UPS devices and similar systems, and ensure they are not accessible from the internet. 

In the rare situation where a UPS device or similar system’s management interface must be accessible from the internet, organizations must ensure that compensating controls are in place, such as placing the device or system behind a virtual private network (VPN) and enforcing multi-factor authentication. The advisory also recommended adopting strong, long passwords or passphrases, in accordance with National Institute of Standards and Technology (NIST) guidelines.

In addition, organizations must check if their UPS device’s username/password is still set to the factory default. If it is, then it must be updated, so that the UPS username/password no longer matches the default. The measure helps to ensure that going forward, hackers cannot use their knowledge of default passwords to access the UPS. Vendors may provide additional guidance on changing default credentials and/or additional recommended practices.

Organizations have also been advised to ensure that credentials for all UPSs and similar systems adhere to strong password length requirements and adopt login timeout/lockout features.
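As an added example (not part of the article or the advisory), the following Python audits a UPS management-interface inventory against the checklist above: internet exposure with the VPN-plus-MFA exception, factory default logins, passphrase length, and lockout. The inventory fields, the default-login list, the sample records and the 15-character passphrase floor are assumptions.

```python
import ipaddress

# Constructed placeholder list of vendor default logins; replace it with the
# defaults documented for the UPS models actually in your inventory.
KNOWN_DEFAULT_LOGINS = {("apc", "apc"), ("admin", "admin"), ("admin", "password")}
MIN_PASSPHRASE_LENGTH = 15  # assumed local floor; the advisory only says "strong, long"


def is_internet_exposed(device: dict) -> bool:
    """Prefer a recorded external reachability check; otherwise fall back to the
    address type plus any NAT/port-forward rule that publishes a private address.
    Note: RFC 5737 documentation ranges such as 203.0.113.0/24 are NOT global in
    the ipaddress module, so sample records below carry an explicit flag."""
    if "internet_reachable" in device:
        return bool(device["internet_reachable"])
    addr = ipaddress.ip_address(device["mgmt_ip"])
    return addr.is_global or bool(device.get("port_forwarded", False))


def audit_ups(device: dict) -> list[str]:
    """Return the findings for one UPS management interface (empty = compliant).
    Credentials come from the operator's review of the device, not an asset DB."""
    findings = []
    if is_internet_exposed(device):
        # Advisory exception: exposure is tolerable only behind a VPN with MFA enforced.
        if not (device.get("behind_vpn") and device.get("mfa_enforced")):
            findings.append("management interface reachable from the internet without VPN and MFA")
    login = (device["username"].lower(), device["password"])
    if login in KNOWN_DEFAULT_LOGINS:
        findings.append("factory default username/password still in use")
    elif len(device["password"]) < MIN_PASSPHRASE_LENGTH:  # defaults are short anyway
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LENGTH} characters")
    if not device.get("lockout_enabled"):
        findings.append("login timeout/lockout not enabled")
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map device name to findings, listing only non-compliant devices."""
    return {d["name"]: f for d in inventory if (f := audit_ups(d))}


# Constructed sample inventory (not real devices or addresses).
SAMPLE_INVENTORY = [
    {"name": "ups-dc1", "mgmt_ip": "203.0.113.10", "internet_reachable": True,
     "username": "apc", "password": "apc", "lockout_enabled": False},
    {"name": "ups-bldg", "mgmt_ip": "10.20.0.5", "port_forwarded": True, "behind_vpn": True,
     "mfa_enforced": True, "username": "ops", "password": "correct-horse-battery-staple",
     "lockout_enabled": True},
    {"name": "ups-lab", "mgmt_ip": "192.168.7.3", "username": "ops", "password": "Summer2022",
     "lockout_enabled": True},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(findings))
```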
