IoT warning: Hackers are gaining access to UPS devices. Here's how to protect yours

Hackers are targeting internet-connected uninterruptible power supply devices. CISA wants you to protect yours better.
Written by Liam Tung, Contributing Writer

Change the default user name and password settings on your internet-connected uninterruptible power supply (UPS) units, the US government has warned.  

UPS units provide backup power so that devices, appliances and applications stay connected to the internet, supplying off-grid power to places like a data center during a power outage. But hackers have been targeting internet-connected UPS units to disrupt that backup supply.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) said they "are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices." 


How? Just as with many Internet of Things (IoT) devices, such as routers and smart-lighting systems, the attackers are gaining access "often through unchanged default usernames and passwords." The risk of leaving default credentials in place on IoT devices and appliances isn't new. It's also a problem that reminds admins of the importance of network-hardening guidance.

UPS devices are a critical backup power supply because of the costs of downtime when core business applications and staff devices can't connect to the internet. In healthcare, lives might depend on a UPS in an outage because of powered medical devices.

As CISA notes, UPSs can protect small loads, such as a few servers, large loads, like an entire building, or massive loads, including a data center. 

One complication in an organization is the question of exactly who should manage UPS devices, which are only called upon during a power outage. "Various different groups within an organization could have responsibility for UPSs, including but not limited to IT, building operations, industrial maintenance, or even third-party contract monitoring service vendors," CISA notes in an insights alert.

CISA doesn't cite examples of recent attacks or attribute these threats to specific actors. However, in this case, it seems more important to emphasize remediation steps. 

As CISA notes, it's rare that a UPS's management interface needs to be accessible from the internet. So, its bolded advice is: "Immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet." It also points to its joint warning with the NSA that state-sponsored attackers have targeted internet-accessible operational technology (OT) to breach critical infrastructure, such as water utilities. Again, the agencies warn of the risks of remote access to OT networks and the use of default passwords.

If the UPS device's management interface must be accessible from the internet, CISA advises putting these controls in place: 

  • Ensure the device or system is behind a virtual private network
  • Enforce multi-factor authentication
  • Use strong, long passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936, CISA notes)
  • Check if your UPS's username/password is still set to the factory default. If it is, update your UPS username/password so that it no longer matches the default
  • Ensure that credentials for all UPSs and similar systems adhere to strong password-length requirements and adopt login timeout/lockout features
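The checklist above is easiest to act on if it is turned into a repeatable audit. The following Python script is an added example, not code from the article or from CISA: it cross-references a small constructed UPS inventory with constructed external port-scan output to find which management interfaces are reachable from the internet, then applies CISA's controls (VPN and MFA only where exposure is unavoidable, no factory default credentials, lockout enabled) and screens proposed new passphrases against the NIST SP 800-63B minimum length and a common-password blocklist. The inventory layout, the scan line format and the field names (mgmt_ip, behind_vpn, mfa, default_credentials, lockout_enabled) are assumptions for illustration.

```python
"""Audit a UPS inventory against the controls CISA lists in the article.

Added example, not from the article or from CISA. The inventory layout, the
scan-output format and the field names (mgmt_ip, behind_vpn, mfa,
default_credentials, lockout_enabled) are assumptions for illustration; in a
real audit the records come from the asset inventory, a configuration review
of each device, and a port scan run from outside the perimeter.
"""

# NIST SP 800-63B: a user-chosen memorized secret is at least 8 characters and
# is screened against a blocklist of commonly used or compromised values.
NIST_MIN_LENGTH = 8
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein1", "admin123"}

# Constructed inventory: what a UPS fleet record might look like after a
# configuration review. Passwords themselves are deliberately not stored here.
INVENTORY = [
    {"name": "ups-dc1-rack4", "mgmt_ip": "203.0.113.10", "behind_vpn": False,
     "mfa": False, "default_credentials": True, "lockout_enabled": False},
    {"name": "ups-bldg2-lobby", "mgmt_ip": "10.40.7.21", "behind_vpn": True,
     "mfa": True, "default_credentials": False, "lockout_enabled": True},
    {"name": "ups-dc1-rack9", "mgmt_ip": "203.0.113.11", "behind_vpn": True,
     "mfa": True, "default_credentials": False, "lockout_enabled": True},
]

# Constructed output of an external port scan, one "ip port/proto state service"
# line per port, as a stand-in for a real scanner's grepable output.
EXTERNAL_SCAN = """\
203.0.113.10 443/tcp open https
203.0.113.10 161/udp open snmp
203.0.113.11 443/tcp open https
"""


def reachable_hosts(scan_text):
    """Return the set of IPs with at least one open port in the scan output."""
    hosts = set()
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "open":
            hosts.add(parts[0])
    return hosts


def check_passphrase(candidate):
    """Return the NIST-style problems with a proposed new UPS passphrase."""
    problems = []
    if len(candidate) < NIST_MIN_LENGTH:
        problems.append("shorter than %d characters" % NIST_MIN_LENGTH)
    if candidate.lower() in BLOCKLIST:
        problems.append("on the common-password blocklist")
    return problems


def audit_device(dev, exposed):
    """Return the list of control failures for one UPS record."""
    findings = []
    if exposed:
        findings.append("management interface reachable from the internet")
        # CISA's compensating controls apply only when exposure is unavoidable.
        if not dev["behind_vpn"]:
            findings.append("exposed interface not behind a VPN")
        if not dev["mfa"]:
            findings.append("multi-factor authentication not enforced")
    if dev["default_credentials"]:
        findings.append("factory default username/password still set")
    if not dev["lockout_enabled"]:
        findings.append("login timeout/lockout not enabled")
    return findings


def audit_inventory(inventory, scan_text):
    """Map each device name to its findings; a compliant device maps to []."""
    exposed = reachable_hosts(scan_text)
    return {dev["name"]: audit_device(dev, dev["mgmt_ip"] in exposed)
            for dev in inventory}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, EXTERNAL_SCAN).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Exposure is judged from the outside-in scan rather than from the device's own address, because a privately addressed interface can still be reachable through a port forward; the VPN and MFA checks are nested under that exposure test to mirror CISA's ordering, where removing the interface from the internet comes first and the compensating controls apply only when that is not possible.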