CISA issues warning on UPS device vulnerabilities

June 24, 2022
As vendors continue to adopt connectivity to devices, stringent best practices for manufacturers must be adopted as well

Manufacturers are increasingly adding connectivity to their devices to leverage the benefits the Internet can offer. In recent years, uninterruptible power supply (UPS) vendors have added IoT capabilities to UPS devices, which provide battery backup power during power surges and outages. Recently, the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning with the Department of Energy for organizations to secure Internet-connected UPS devices from ongoing attacks.

In the case of the CISA’s recent warning, cybercriminals target these Internet-connected versions of UPS devices through unchanged default usernames and passwords in order to access the networks to which they are attached. If attackers are able to remotely take over UPS devices, they can be used to wreak havoc on a company’s internal network and steal data or, in worse case scenarios, cut power for mission-critical appliances, equipment or services.

The issue here is that IoT devices are often constrained, and manufacturers sometimes make tradeoffs when it comes to implementing strong security policies. Oftentimes, manufacturers use the factory-installed, default credentials that are meant to be updated after installation. In these cases, if common keys are used across millions of devices, there becomes a single point of failure if that credential is discovered and used to exploit other devices with the same authentication. We’ve seen similar issues with IoT-connected devices within the home, in cases where hackers are able to exploit home routers that keep default credentials because consumers don’t know or don’t decide to change the defaults. We’ve also seen compromised IoT devices be used in DDoS attacks which then can consume server or backend resources or change the intended behavior of the IoT device itself.

Best Security Practices for Utilizing Connected UPS Devices

As manufacturers continue to adopt connectivity to devices to reap the benefits of the internet, traditional security methods used to secure offline devices will not suffice. Below are a few best security practices manufacturers should be following to securely use connected UPS devices.

  • Change the default password immediately after commissioning the device:  Vulnerabilities in connected UPS devices are often caused by a failure to update factory-installed default credentials. UPS devices with factory-installed default credentials must be updated immediately after installation. Before redeploying the devices to live environments, administrators should add layers of special and complex character combinations to the new password.
  •  Implement multifactor authentication (MFA): Strong IoT authentication is needed so that connected IoT devices and machines can be trusted to protect against control commands from unauthorized users or devices. Authentication also helps prevent attackers from claiming to be IoT devices in the hope of accessing data on servers such as recorded conversations, images and other potentially sensitive information. Most IoT devices have an option for enabling two-factor or multi-factor authentication. This is a two-step authentication process that involves verifying your identity through a second device, such as a phone.
  •  Ensure each device has a unique credential: Sending protected data is an essential function of any IoT device. For this function to be effective, both users and manufacturers need to trust that the data they receive is authentic and intended for them. As more connected UPS devices emerge, each device should have some type of unique credential for identification. When it can be implemented, the use of asymmetric certificates is a very robust way to protect access to the IoT devices that are deployed in manufacturers’ or end-user networks. Many IoT devices use symmetric encryption, in which a single key gets used to encrypt and decrypt data. The fact that the data gets encrypted offers a secure layer of security, particularly compared to using hardcoded or default passwords, but sharing and storing the encryption key creates risk. That’s because if a malicious party intercepts the key, it can use it to encrypt and decrypt data. This means they could access the entire system and share data, and they can even function as a “man in the middle” by manipulating data without the manufacturer or end-users knowing. With asymmetric encryption, a unique public and private key pair is generated. Each one serves a different purpose (the public key decrypts data and can be shared openly, while the private key encrypts data, and must be protected), and helps resolve some of these challenges.
  •  ·Utilize certificate-based authentication: If UPS devices are being deployed in networks where additional layers of security can be leveraged, such as certificate-based authentication – which uses a digital certificate to identify a user, machine or device before granting access to a network – that will provide a much stronger security posture on top of the device’s built-in security policies.  Public key infrastructure (PKI) governs the issuance of digital certificates to provide unique digital identities for devices and consists of a tree-like structure of servers and devices that maintain a list of trusted root certificates. With certificate-based authentication, digital certificates are typically arranged in a chain of certificates in which each certificate is signed by the private key of another trusted certificate, and the chain must return to a globally trusted root certificate. This arrangement establishes a delegated chain of trust from the trusted root certificate authority to the final entity “leaf” certificate installed on the device through each intermediate certificate authority.
  •  Continuously monitor certificates and keys: Robust security comes down to implementation. Ensuring that key pairs, digital certificates and the PKI that serve as the root of trust is properly deployed – and continuously monitored – is critical. That’s because any static system is inherently insecure. Without ongoing lifecycle management, the digital certificates, key pairs and root of trust in use will weaken over time. Proper lifecycle management should first map every device to have an exact inventory of all unique identities and authentication in use. With a complete inventory, manufacturers can then monitor all of the certificates and keys to identify any potential threats and adjust accordingly. When devices are no longer in use, the relevant certificates and keys should be revoked.

 IoT devices hold much potential for positive change. But their ability to connect objects and share information also makes them intensely vulnerable. That’s because every point of connection that exists carries the risk of being hacked. Manufacturers who prioritize IoT device security will continue to bring innovative devices to market, all with the necessary level of security to build trust with customers and prevent damaging cyberattacks.

About the author: Ellen Boehm is the Vice President of IoT Strategy & Operations for Keyfactor.