The Department of Energy and the US Cybersecurity and Infrastructure Security Agency have issued a joint warning to American organizations about cyber attacks on Internet-connected uninterruptible power supplies (UPS).
“The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy have become aware of attackers gaining access to various Internet-connected uninterruptible power supplies (UPS), usually by using unchanged default usernames and passwords. Organizations can protect their UPS, which provide power in emergencies when conventional power sources are unavailable, from cyber attacks by disconnecting the management interface from the Internet,” the notification says.
Organizations are advised to identify the uninterruptible power supplies on their networks and make sure their management interfaces are not reachable from the Internet. Where connecting the management interface to the Internet cannot be avoided, administrators are advised to protect the devices with a VPN, two-factor authentication and strong passwords. It is also recommended to check whether factory default credentials are still in use on the devices and to implement timeout and lockout policies in order to prevent attacks on UPS and other systems.
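The checks above (Internet exposure, VPN-only access, two-factor authentication, factory credentials, lockout and timeout policies) can be run as a routine audit over an asset inventory. The script below is an added example for this article, not part of the CISA/DOE notification: it assumes an inventory export with the listed fields, uses constructed sample entries, and treats any management address outside the organization's private ranges (assumed here to be the RFC 1918 networks) as Internet-exposed.

```python
import ipaddress
from dataclasses import dataclass

# Networks the organization considers internal; assumption for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class UpsInterface:
    """One UPS management interface as an asset inventory might export it."""
    name: str
    mgmt_ip: str
    default_creds: bool      # factory username/password still in place
    mfa: bool                # two-factor authentication enabled
    vpn_only: bool           # reachable only through a VPN
    lockout_threshold: int   # failed logins before lockout; 0 = no lockout
    session_timeout_s: int   # idle session timeout; 0 = never


# Constructed sample inventory; these are not real devices or addresses.
INVENTORY = [
    UpsInterface("ups-dc1-rack07", "10.20.5.41", False, True, True, 5, 600),
    UpsInterface("ups-branch-east", "203.0.113.17", True, False, False, 0, 0),
    UpsInterface("ups-lab", "192.168.40.9", True, False, False, 0, 900),
]


def is_internal(ip: str) -> bool:
    """True when the address lies inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(ups: UpsInterface) -> list:
    """Return the findings for one interface, following the advisory's checks."""
    findings = []
    exposed = not is_internal(ups.mgmt_ip)
    if exposed and not ups.vpn_only:
        findings.append("management interface reachable from the Internet without VPN")
    if exposed and not ups.mfa:
        findings.append("Internet-reachable interface without two-factor authentication")
    if ups.default_creds:
        findings.append("factory default credentials still in use")
    if ups.lockout_threshold == 0:
        findings.append("no account lockout policy")
    if ups.session_timeout_s == 0:
        findings.append("no session timeout")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each interface name to its list of findings (empty list = compliant)."""
    return {ups.name: audit(ups) for ups in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

In practice the inventory would come from the asset database or a network management system rather than a hard-coded list, and the internal ranges would be the organization's own management subnets; the point of the audit is that an interface outside those ranges without VPN-only access and two-factor authentication, or any interface still on factory credentials or without a lockout policy, is exactly the condition the advisory warns about.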
In addition to factory credentials, attackers also use critical vulnerabilities to break into uninterruptible power supplies, which allow the devices to be disabled remotely. For example, attackers exploit a set of vulnerabilities collectively known as TLStorm, which affect SmartConnect and Smart-UPS devices from APC, a subsidiary of Schneider Electric.