CISA Warns of Uninterruptible Power Supply (UPS) Device Cyberattacks

April 01, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy issued an advisory about cyberattacks committed via internet-connected uninterruptible power supply (UPS) devices.

CISA has observed threat actors gaining access to UPS devices through unchanged default usernames and passwords.

“UPS devices provide clean and emergency power in a variety of applications when normal input power sources are lost. Loads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center),” the advisory explained.

“Various different groups within an organization could have responsibility for UPSs, including but not limited to IT, building operations, industrial maintenance, or even third-party contract monitoring service vendors.”

The Health Sector Cybersecurity Coordination Center (HC3) issued a brief of its own to alert the healthcare sector to the UPS cyberattacks. In recent years, UPS vendors have been implementing Internet of Things (IoT) capabilities into their devices. While the IoT capability allows for convenience, it also opens the devices up to threat actors.

“UPS devices can be found in all sectors,” HC3 warned. Although the healthcare sector may not be a primary target, any organization that uses UPS devices is vulnerable.

CISA recommended that organizations immediately ensure that all UPS devices and similar systems are not accessible from the internet. In the unlikely situation that a UPS device must be internet-accessible, organizations should ensure that the devices are behind a virtual private network (VPN), use multi-factor authentication, and implement strong passwords.

In addition, organizations should ensure that their UPS’s username and password has been changed from the factory default settings.

“It is noted that one of the most effective methods to mitigate the cyber risk to UPS devices and systems is quite simple — disconnect them from the internet," John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA) stated publicly.

"This alert should also be shared with all facilities’ engineers and those involved in the planning, design and construction phases of hospitals. In regard to the FBI alert, attacks on local government agencies have also resulted in disruptions to public health services. This alert also contains a comprehensive list of strategic and technical ransomware risk mitigation steps, which are applicable to hospitals and health systems.”

In another recent advisory, CISA warned critical infrastructure entities of cyber risks associated with satellite communication (SATCOM) networks.

Entities across all sectors, including healthcare, use SATCOM networks for voice and data communication. CISA and the FBI urged SATCOM network providers and customers to remain vigilant against SATCOM cyberattacks, which could disrupt network environments.

These advisories share a common theme in that they are not immediately obvious threats to the healthcare sector. However, they emphasize the importance of securing every internet-connected device on an organization’s network. One vulnerable device could be an easy entry point for threat actors.