The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DoE) are jointly warning of attacks against internet-connected uninterruptible power supply (UPS) devices by means of default usernames and passwords.
“Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet,” the agencies said in a bulletin published Tuesday.
UPS devices, in addition to providing backup power in mission-critical environments, commonly ship with networked (internet of things, or IoT) management capability that lets administrators monitor power and perform routine maintenance remotely. But as is often the case, such features also widen the attack surface: a management interface that is reachable from the internet and still protected by factory credentials can be logged into by anyone who knows the vendor default.
To mitigate such threats, CISA and DoE advise organizations to enumerate all of their UPS systems, disconnect the devices' management interfaces from the internet, place them behind a virtual private network (VPN), and enforce multi-factor authentication for access.
The agencies have also urged concerned entities to update the UPS usernames and passwords to ensure that they don’t match the factory default settings. “This ensures that going forward, threat actors cannot use their knowledge of default passwords to access your UPS,” the advisory read.
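The three recommendations above (no internet-reachable management interface, no factory-default credentials, MFA enforced) are straightforward to turn into an inventory audit. The following is an added example, not code from the CISA/DoE bulletin or from any UPS vendor: it reads a constructed inventory of UPS network management interfaces and reports every device that violates the guidance. The inventory rows, the list of default credential pairs, and the set of internal address ranges are assumptions for illustration and should be replaced with your own asset data, the defaults documented for your vendors, and your own address plan.

```python
import csv
import io
import ipaddress

# Constructed sample inventory (not data from the advisory): one row per UPS
# network management interface with the credentials currently configured.
# Public-side addresses use the RFC 5737 documentation ranges.
SAMPLE_INVENTORY_CSV = """\
hostname,mgmt_ip,mgmt_port,username,password,snmp_community,behind_vpn,mfa
ups-dc1-rack01,203.0.113.10,443,apc,apc,public,no,no
ups-dc1-rack02,10.20.30.12,443,opsadmin,Zq7!vL2#pR9w,ups-ro-7f3a,yes,yes
ups-site-b,198.51.100.7,80,admin,admin,private,no,no
ups-lab,192.168.4.40,443,apc,N0t-Th3-D3fault!,public,yes,no
"""

# Assumed list of factory-default credential pairs; extend it with the defaults
# documented for the UPS models actually present in your estate.
DEFAULT_CREDENTIALS = {
    ("apc", "apc"),
    ("admin", "admin"),
    ("admin", "password"),
}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}

# Address ranges treated as internal; anything else is considered internet-routable.
# ipaddress.is_global is deliberately not used here because it classifies the
# RFC 5737 documentation ranges in the sample as non-global and would hide them.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]


def is_internet_routable(ip_str: str) -> bool:
    """True when the address lies outside every range in INTERNAL_NETWORKS."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def audit_ups_inventory(csv_text: str) -> dict:
    """Return {hostname: [issues]} for every UPS that violates the advisory guidance."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Guidance 1: management interface must not be reachable from the internet;
        # a VPN in front of it is the accepted gate.
        if is_internet_routable(row["mgmt_ip"]) and row["behind_vpn"].strip().lower() != "yes":
            issues.append(
                f"management interface {row['mgmt_ip']}:{row['mgmt_port']} "
                "reachable from the internet without VPN"
            )
        # Guidance 2: credentials must not match the factory defaults. SNMP
        # community strings are credentials too and ship with well-known defaults.
        if (row["username"], row["password"]) in DEFAULT_CREDENTIALS:
            issues.append(f"factory-default credentials {row['username']}/{row['password']}")
        if row["snmp_community"] in DEFAULT_SNMP_COMMUNITIES:
            issues.append(f"default SNMP community string '{row['snmp_community']}'")
        # Guidance 3: multi-factor authentication must be enforced.
        if row["mfa"].strip().lower() != "yes":
            issues.append("multi-factor authentication not enforced")
        if issues:
            findings[row["hostname"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_ups_inventory(SAMPLE_INVENTORY_CSV).items():
        print(host)
        for issue in issues:
            print(f"  - {issue}")
```

In the sample, ups-dc1-rack02 is the only device that passes all three checks; ups-lab is VPN-gated and has a changed password but is still flagged for its default SNMP community and missing MFA, which is exactly the kind of partial remediation the credential-reset advice is meant to catch.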
The warnings come three weeks after Armis researchers disclosed multiple high-impact security flaws in APC Smart-UPS devices that could be exploited by remote adversaries to gain unauthorized access to and control over the devices, and potentially to turn them into a physical weapon.