CISA & DOE have recently published UPS security protection guidelines
CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by immediately removing management interfaces from the internet. Review CISA and DOE’s guidance on mitigating attacks against UPS devices for additional mitigations and information.
1. Enumerate all UPSs and similar systems and ensure they are not accessible from the internet. In the rare situation where a UPS device or similar system’s management interface must be accessible from the internet, ensure that compensating controls are in place, including:
- Ensure the device or system is behind a virtual private network.
- Enforce multifactor authentication.
- Use strong, long passwords or passphrases.
2. Check if your UPS’s username/password is still set to the factory default. If it is, update your UPS username/password so that it no longer matches the default.
3. Ensure that credentials for all UPSs and similar systems adhere to strong password length requirements and adopt login timeout/lockout features.
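The three steps above can be run as a repeatable check over an asset inventory. The following is an added example, not part of the CISA/DOE guidance: the inventory records, field names, and the 15-character minimum are assumptions made for illustration, and it treats a device as exposed when its management address is outside internal ranges or a NAT rule forwards to it.

```python
import ipaddress

MIN_PASSWORD_LEN = 15  # assumed policy value; the guidance gives no number

# RFC 1918, loopback and link-local ranges are treated as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed inventory. The TEST-NET address (RFC 5737) stands in for a public IP.
INVENTORY = [
    {"name": "ups-dc1", "mgmt_ip": "10.20.0.15", "nat_forward": False,
     "vpn": False, "mfa": False, "default_creds": False,
     "password_len": 20, "lockout": True},
    {"name": "ups-branch", "mgmt_ip": "203.0.113.10", "nat_forward": False,
     "vpn": False, "mfa": False, "default_creds": True,
     "password_len": 8, "lockout": False},
    {"name": "ups-lab", "mgmt_ip": "192.168.5.9", "nat_forward": True,
     "vpn": False, "mfa": True, "default_creds": False,
     "password_len": 16, "lockout": False},
]

def internet_exposed(dev):
    """Exposed if the address is not internal or a NAT rule forwards to it."""
    ip = ipaddress.ip_address(dev["mgmt_ip"])
    return dev["nat_forward"] or not any(ip in net for net in INTERNAL_NETS)

def audit(dev):
    """Return the findings for one device, following steps 1 to 3."""
    findings = []
    if internet_exposed(dev):
        missing = [c for c in ("vpn", "mfa") if not dev[c]]
        if missing:
            findings.append("internet-exposed without: " + ", ".join(missing))
        else:
            findings.append("internet-exposed (compensating controls present)")
    if dev["default_creds"]:
        findings.append("factory-default credentials")
    if dev["password_len"] < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN}")
    if not dev["lockout"]:
        findings.append("no login timeout/lockout")
    return findings

def audit_all(inventory):
    """Map each device name to its list of findings (empty list means clean)."""
    return {d["name"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "->", findings or "ok")
```

A private management address is not proof of isolation, which is why the `nat_forward` field is checked alongside the address range.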