Cyberattackers Target UPS Backup Power Devices in Mission-Critical Environments

The active attacks could result in critical-infrastructure damage, business disruption, lateral movement and more.

Cyberattackers are targeting uninterruptible power supply (UPS) devices, which provide battery backup power during power surges and outages. UPS devices are usually used in mission-critical environments, safeguarding critical infrastructure installations and important computer systems and IT equipment, so the stakes are high.

That’s according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, which warned that malicious types are going after internet-connected UPS devices, mostly via default usernames and passwords, though vulnerabilities such as the TLStorm bugs disclosed earlier this month are also in the attacker toolbox.

“In recent years, UPS vendors have added an Internet of Things [IoT] capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience,” according to a Tuesday alert from CISA (PDF). “Loads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center).”

If attackers are able to remotely take over the devices, they can be used for a host of nefarious ends. For instance, bad actors can use them as a jumping-off point to breach a company’s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses.

Cyberattackers could also execute remote code to alter the operation of the UPSs themselves, or physically damage them (or the devices connected to them).

“It’s easy to forget that every device connected to the internet is at increased risk of attack,” Tim Erlin, vice president of strategy at Tripwire, noted via email. “Just because a vendor provides the capability to put a device on the internet, doesn’t mean that it’s set up to be secure. It’s up to each organization to ensure that the systems they deploy are configured securely.”

An Easy Fix

Thus, those responsible for UPS upkeep (which CISA noted could include IT staff, building operations people, industrial maintenance workers or third-party contractors from monitoring services) have an easy fix for this one: enumerate all connected UPSs and similar systems and simply take them offline.

If maintaining an active IoT connection is a requirement, admins should change the default credentials to a strong user-name-and-password combo and, preferably, implement multifactor authentication (MFA) too, CISA added. Other mitigations, according to CISA, include ensuring UPSs are behind a virtual private network (VPN), and adopting login timeout/lockout features so that the devices aren’t continually online and open to the world.

“The use of a default username and password to maliciously access a system isn’t a new technique,” said Erlin. “If you’re responding to this advisory by updating the credentials for your UPS systems, take the follow-up step to ensure that other systems aren’t using default credentials as well.”
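
An added example, not part of the original article or the CISA alert: a Python audit of an asset-inventory export against the mitigations above (offline or behind a VPN, no default credentials, MFA, login lockout), with the default-credential check applied to every asset as Erlin suggests. The CSV column names, hostnames and addresses are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory export; column names and hosts are assumptions.
# Addresses come from RFC 1918 and RFC 5737 (documentation) ranges.
SAMPLE_INVENTORY = """\
asset,type,mgmt_ip,default_creds,mfa,behind_vpn,lockout
ups-dc-01,ups,203.0.113.10,yes,no,no,no
ups-lab-02,ups,10.20.0.5,no,no,yes,yes
ups-bldg-03,ups,198.51.100.7,no,yes,yes,yes
pdu-dc-04,pdu,10.20.0.9,yes,yes,yes,yes
ups-closet-05,ups,,no,no,no,no
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True when the address falls inside an RFC 1918 private range."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def audit(inventory_text):
    """Return {asset: [gaps]} for every asset with at least one gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        flag = {k: (v or "").strip().lower() == "yes" for k, v in row.items()}
        gaps = []
        # Default credentials are checked on every system, not only UPSs.
        if flag["default_creds"]:
            gaps.append("default credentials in use")
        # A UPS with no management IP is already offline: nothing more to check.
        if row["type"] == "ups" and row["mgmt_ip"].strip():
            if not is_internal(row["mgmt_ip"].strip()) and not flag["behind_vpn"]:
                gaps.append("management interface internet-facing, no VPN")
            if not flag["mfa"]:
                gaps.append("no MFA")
            if not flag["lockout"]:
                gaps.append("no login timeout/lockout")
        if gaps:
            findings[row["asset"]] = gaps
    return findings


if __name__ == "__main__":
    for asset, gaps in audit(SAMPLE_INVENTORY).items():
        print(f"{asset}: {'; '.join(gaps)}")
```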

