Unsecured emergency power supplies can create an emergency for you

By now, most of the estimated 332 million people in the U.S. are familiar with basic COVID preventative measures. Get vaccinated. Maintain social distancing. Wear a mask indoors, especially if you’re in a crowded room with people you don’t know. Wash your hands frequently. Try not to touch your nose and mouth. Quarantine if you test positive.

Unfortunately, the message on basic cyber hygiene for uninterruptible power supply (UPS) devices doesn’t seem to be getting through as effectively.

Which is significant. UPS devices — millions of them — are used to keep electricity flowing instantaneously if there’s a general failure of the power serving computers and connected equipment, data centers, telecommunications, and other electronic systems. Those frequently include critical infrastructure (CI) such as medical facilities and industrial control systems.

Most UPS devices provide power for only a few minutes, but that allows enough time to start a longer-term standby power source or properly shut down the protected equipment.

In other words, they’re for emergencies. That makes them critically important.

What’s also important is that in recent years UPS vendors have upgraded the devices to make it possible to control them remotely via networks connected to the internet.

Much more convenient. But much less secure. Once something like that is connected it becomes part of the biggest cyberattack surface in the world — the Internet of Things (IoT). So you’d think that would make users ramp up protection for them with better cybersecurity hygiene.

Apparently not so much. The federal Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Department of Energy issued a warning a couple of weeks ago that malicious hackers were “gaining access to a variety of internet-connected UPS devices.”

A reason for alarm bells

And how are many of those attackers gaining access? “Often through unchanged default usernames and passwords,” CISA said.

That ought to set off alarm bells for users. Failing to do such security basics is like leaving a front door wide open or leaving a key in the lock. As security experts say, breaching systems with so little protection is “trivial.” It makes them, as another security cliché puts it, “low-hanging fruit” for attackers.

Michael Fabian, principal security consultant with the Synopsys Software Integrity Group, isn’t surprised, given that UPS devices weren’t originally designed to be online. “This is fairly typical for devices that didn’t have security as a stakeholder in design and are often overlooked as an attack surface for operators and end users,” he said. “Anything connected needs security requirements and functionality built in.”

That’s because an IoT device like a UPS, even if it is relatively simple and doesn’t hold a lot of data, “has enough functionality to act as a pivot,” Fabian said. “Security has been conditioned as a data-centric protection strategy, but as we are seeing as of late, the operational importance of systems and devices is being exploited as well to get to that data, or as a leverage point to do more nefarious stuff.”

The initial alarm bell that prompted the warning from CISA came from cybersecurity firm Armis, which said it had found three zero-day (not previously known) software vulnerabilities they labeled TLStorm in Smart-UPS (connected) devices from APC, a subsidiary of the global energy firm Schneider Electric, which has sold more than 20 million UPS devices worldwide.

“If exploited, these vulnerabilities […] allow for complete remote takeover of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks,” according to an Armis blog post. The damage from those attacks could range from an explosion of a power facility to a ransomware attack, and theft of data and intellectual property.

Indeed, “by exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke,” according to the blog.

The post also noted that all three vulnerabilities could be exploited remotely to upload malicious firmware without any user interaction or warning signs of an attack, and that almost 80% of companies are exposed to TLStorm vulnerabilities.

Obvious danger

The good news is that in this case, Armis and Schneider collaborated to create a patch for many of the affected devices and notified customers when it was ready. The even better news from both companies is that there is no evidence that hackers discovered or exploited those vulnerabilities during the four-plus months between Oct. 31, 2021, when Armis researchers notified Schneider about their findings, and early March when the patch was available and Armis made the vulnerabilities public.

But the potential for damage should be obvious. As should at least some of the measures that could make UPS devices a much more difficult target for hackers.

The top recommendation from CISA was simple and blunt: Disconnect UPS devices from the internet. Schneider recommended the same, at least until all affected devices can be fully patched. In the “rare cases” where that’s not feasible, CISA recommended “compensating controls” that include

• Put UPS devices behind a virtual private network
• Require multifactor authentication
  - Require strong, long passwords or passphrases that comply with guidelines from the National Institute of Standards and Technology
• If a UPS’s username/password is still set to the factory default, change it
• Besides strong password length requirements, adopt login timeout/lockout features

To that list, Fabian adds that organizations using UPS devices should refer to the IEC 62443 standard, which was developed to secure industrial automation and control systems (IACS).

The International Electrotechnical Commission (IEC) said IACSs “are found in an ever-expanding range of domains and industries, such as power and energy supply and distribution, and transport [… and] are central to critical infrastructure.”

The IEC adds that “IT [information technology] standards are not appropriate for IACS and other OT [operational technology] environments. Cyberattacks on IT systems have essentially economic consequences, while cyberattacks on critical infrastructure can also be heavily environmental or even threaten public health and lives.”

Fabian said the IEC 62443 standard “encompasses both security features to be included in the devices and requirements for the vendors that deploy them.”

Finally, while it may seem like an obvious thing to do, the reality is that in the world of IoT devices, users don’t always keep track of what they’re using. And you can’t protect what you don’t know you have. Nor will any connected devices or components protect your organization and its assets if you don’t know about them, which means you won’t know if they have a vulnerability that you need to patch or update.

Avoiding that problem means maintaining an inventory, both of the devices your organization is using and the software components that run them. As noted, in the case of the TLStorm vulnerabilities, Armis and Schneider notified customers about available patches.

But that might not always happen, especially if the software running devices is open source. In general, when open source patches or updates are made available, they aren’t “pushed” to users. Instead, users have to “pull,” or download them, from a repository. They won’t know they need to do that if they don’t know they’re using the vulnerable component. And the only way to do that is to maintain a software Bill of Materials, an inventory of the origin, maker, and function of every software component in an organization’s applications, systems, and networks.

While it’s impossible to do that manually, an automated tool called software composition analysis will help find open source components in the codebases an organization is using and will also flag any known vulnerabilities or potential licensing conflicts. That will take time and money, but it will be well spent.

As we all know, poor hygiene can put people at risk of contracting a deadly virus. Poor cyber hygiene can put users at digital risks that could be just as serious.

Bottom line: If you can’t secure it, don’t connect it.