CISA Issues UPS Warning – Infosecurity Magazine

The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint statement with the Department of Energy (DoE) warning of attacks against internet-connected uninterruptible power supply (UPS) devices.

UPS devices provide battery backup power during surges and outages and are commonly connected to networks for power monitoring and maintenance, which is what puts their management interfaces within reach of attackers.

In a warning published Tuesday, CISA and the DoE said threat actors had been gaining access to various UPS devices, often through unchanged default usernames and passwords.

“Oftentimes, manufacturers use the factory-installed default credentials that are meant to be updated after installation,” Ellen Boehm, VP of IoT Strategy and Operations at Keyfactor, told Infosecurity Magazine.

“In these cases, if common keys are used across millions of devices, there becomes a single point of failure if that credential is discovered and used to exploit other devices with the same authentication.”

Describing the potentially devastating impact of a cyber-attack on UPS devices, Boehm said: “If attackers are able to take over UPS devices remotely, they can be used to wreak havoc on a company’s internal network and steal data or, in worst-case scenarios, cut power for mission-critical appliances, equipment or services.”

CISA and the DoE urged UPS users to immediately enumerate all UPS devices and similar systems and ensure their management interfaces are not reachable from the internet. For devices that must remain reachable over the network, the agencies recommend placing the interface behind a virtual private network and enforcing multi-factor authentication and strong passwords.

“Check if your UPS’s username/password is still set to the factory default. If it is, update your UPS username/password so that it no longer matches the default,” stated the warning. “This ensures that going forward, threat actors cannot use their knowledge of default passwords to access your UPS.”
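As an added example (not code from CISA, the DoE, Keyfactor or Infosecurity Magazine), the Python script below runs the two checks the warning describes against a device inventory: it flags UPS management addresses that sit outside the organisation’s internal ranges, and it tries a short list of factory-default username/password pairs against each device’s web interface. The inventory, the internal address ranges, the default-credential list and the mock Basic-auth UPS web interface are all assumptions constructed for the demonstration; substitute your own inventory and your vendors’ documented defaults, and run it only against devices you are authorised to test.

```python
import base64
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumption: anything outside these ranges is reachable from the internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Hypothetical factory defaults; replace with the defaults your vendors document.
DEFAULT_CREDS = [("admin", "admin"), ("ups", "ups"), ("admin", "password")]


def is_internet_exposed(ip):
    """True when the management address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def _basic(user, password):
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def try_login(url, user, password, timeout=3.0):
    """Attempt one Basic-auth login: True on 2xx, False on 401/403."""
    req = Request(url, headers={"Authorization": _basic(user, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else is not an auth decision; surface it


def find_default_cred(url, creds=DEFAULT_CREDS):
    """Return the first (user, password) pair the device accepts, else None."""
    for user, password in creds:
        if try_login(url, user, password):
            return (user, password)
    return None


def audit(inventory, creds=DEFAULT_CREDS):
    """inventory: iterable of (name, mgmt_ip, mgmt_url). Returns one finding per device."""
    findings = []
    for name, ip, url in inventory:
        finding = {"name": name, "ip": ip, "exposed": is_internet_exposed(ip),
                   "reachable": True, "default_cred": None}
        try:
            finding["default_cred"] = find_default_cred(url, creds)
        except URLError:
            finding["reachable"] = False  # down or filtered: record it, keep scanning
        findings.append(finding)
    return findings


def start_mock_ups(user, password):
    """Constructed stand-in for a UPS web UI: Basic auth on 127.0.0.1, returns (server, url)."""
    expected = _basic(user, password)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"UPS status: online\n")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="UPS"')
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    weak, weak_url = start_mock_ups("admin", "admin")            # default left in place
    strong, strong_url = start_mock_ups("ops", "Xk9!vQ2#mLp8")   # changed after install
    inventory = [("ups-dc1", "203.0.113.7", weak_url),           # public address: exposed
                 ("ups-lab", "192.168.40.12", strong_url)]       # internal address
    for finding in audit(inventory):
        print(finding)
    weak.shutdown()
    strong.shutdown()
```

The exposure check is deliberately a policy test on the inventory address rather than a port scan: a device whose management IP is outside the internal ranges is treated as exposed unless something else in front of it says otherwise, which is the conservative reading the warning asks for. Authentication failures and unreachable hosts are recorded rather than raised, so one dead device does not stop the sweep.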

Boehm said that asymmetric certificates offered a robust way to protect access to IoT devices deployed in the manufacturer’s or end-users’ networks.

“With asymmetric encryption, a unique public and private key pair is generated,” Boehm explained. “Each one serves a different purpose (the public key decrypts data and can be shared openly, while the private key encrypts data and must be protected), and helps resolve some of these challenges.”
