How to Make Uninterruptible Power Supply Systems Less Vulnerable to Cyber Attacks


The ongoing rash of headline-grabbing cyber attacks highlights just how important it is to do everything in our power to protect IT environments. This includes managing the security of uninterruptible power supplies (UPS). In fact, recent findings[1] show that UPSs make up 55% of connected devices that are vulnerable to cyber security breaches. The need to review and update cyber protections is even more critical in the UPS management of distributed hybrid environments, which combine edge computing networks with the Internet of Things (IoT), on-premise infrastructure and multiple clouds.

As hybrid environments expand, IT is also converging with Operational Technology (OT) in industrial environments. The convergence enables automation and data-driven strategies in manufacturing and industrial environments, but it also widens the attack surface for hackers. Cyber attackers never stop looking for new vulnerabilities and refining their attack methods.

Already, bad actors are increasingly targeting critical commercial and industrial operators’ IT infrastructure. One of the most alarming examples of hacker effectiveness was the recent ransomware attack on the Colonial Pipeline, which transports and distributes fuel from the Gulf of Mexico up the eastern seaboard. Other attacks have followed in quick succession. Victims include the Washington, D.C., police, meatpacking company JBS, and the Massachusetts Steamship Authority.

In an attempt to stop these attacks, President Joe Biden in May issued an Executive Order instructing federal agencies to adopt security best practices and the National Institute of Standards and Technology (NIST) Framework, among other measures. Federal agencies, such as the departments of Justice, Defense, Agriculture, Energy and Labor, were among the targets of the massive attack against technology provider SolarWinds in late 2020, which also affected numerous private companies.

Securing the Power Infrastructure

As the SolarWinds breach demonstrated, no one is immune from cyber threats. Any organization, public or private, can suffer a cybersecurity breach. Hackers get into networks in various ways, so companies need a holistic, layered approach to secure their environments. This involves deploying established technologies such as endpoint protection and monitoring, intrusion detection and firewalls, as well as new approaches such as SASE (Secure Access Service Edge), which combines SD-WAN (software defined wide area network) deployments with embedded security.

As edge computing environments grow, organizations need to make sure all equipment and software at the edge, including IoT and Industrial Internet of Things (IIoT) devices, switches, routers, servers and virtual machines, are properly configured and secured. Applying security patches and updates as soon as they are issued by manufacturers is a must.

The power infrastructure also needs attention. It’s an area that sometimes gets lost in the fray because UPSs and power distribution units (PDUs) spring into action only when needed in a power failure. Recent findings from a sample of data center customers[2] reveal that 62% are currently using outdated device firmware that creates security risks. Gartner[3] predicts that “by 2022, 70% of organizations that do not have a firmware upgrade plan in place will be breached due to a firmware vulnerability.” While these devices are easy to miss, it is critical for IT managers to make sure they are covered when addressing cybersecurity requirements.

As with any other component of a distributed, hybrid infrastructure, power-protection systems can be exposed to cyber threats. An attack on them can quickly spread across the entire organization, possibly hobbling operations for hours or days. To protect power devices, IT managers should conduct a security vulnerability assessment to review network protocols and password practices, and determine whether a device can accept the most recent firmware upgrade.

Insights generated from an assessment help identify vulnerable configurations and outdated hardware. They also help determine whether devices are compliant with security policies, regulations and industry security best practices.
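The assessment described above can start as a simple pass over the device inventory. The following is an added example, not code from the original article or any vendor tool; the inventory fields, model names, firmware versions and dates are constructed, and the per-device service life is an assumed input.

```python
from datetime import date

# Management protocols that send credentials in cleartext.
CLEARTEXT = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}

def parse_version(v):
    """'2.4.10' -> (2, 4, 10), so 2.4.9 sorts below 2.4.10 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def assess(dev, latest_fw, today):
    """Return the list of findings for one inventory record."""
    findings = []
    exposed = sorted(CLEARTEXT & {p.lower() for p in dev["protocols"]})
    if exposed:
        findings.append("cleartext protocols enabled: " + ", ".join(exposed))
    if dev["default_password"]:
        findings.append("factory default password still set")
    latest = latest_fw.get(dev["model"])
    if latest is None:
        findings.append("no firmware baseline for model; cannot confirm upgrade path")
    elif parse_version(dev["firmware"]) < parse_version(latest):
        findings.append(f"firmware {dev['firmware']} is behind {latest}")
    inst = dev["installed"]
    age = today.year - inst.year - ((today.month, today.day) < (inst.month, inst.day))
    if age >= dev["service_life_years"]:
        findings.append(f"in service {age} years, past {dev['service_life_years']}-year service life")
    return findings

def audit(inventory, latest_fw, today):
    """Map device name -> findings, omitting devices with none."""
    report = {d["name"]: assess(d, latest_fw, today) for d in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample data: hypothetical models, versions and dates.
LATEST_FW = {"UPS-A": "2.4.10", "PDU-B": "1.9.0"}
INVENTORY = [
    {"name": "edge-ups-01", "model": "UPS-A", "firmware": "2.4.9",
     "protocols": ["HTTP", "SNMPv1", "SSH"], "default_password": True,
     "installed": date(2009, 3, 1), "service_life_years": 10},
    {"name": "dc-pdu-07", "model": "PDU-B", "firmware": "1.9.0",
     "protocols": ["HTTPS", "SNMPv3"], "default_password": False,
     "installed": date(2019, 6, 15), "service_life_years": 10},
    {"name": "lab-ups-03", "model": "UPS-X", "firmware": "1.0.0",
     "protocols": ["SSH"], "default_password": False,
     "installed": date(2020, 1, 1), "service_life_years": 10},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, LATEST_FW, date(2021, 7, 1)).items():
        print(name, *findings, sep="\n  - ")
```

A device whose model has no firmware baseline is reported rather than silently passed, since an unknown upgrade path is itself a finding.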

Address UPS Cybersecurity Now

As many as 20% of UPSs currently in place have outlasted their service life, which likely means they are not protected against cyber risks – nor are they likely to work in the event of an outage. As cyber attacks intensify, it’s imperative that organizations identify vulnerable devices, address them, and avoid future cyber threats by integrating a firmware update policy into standard procedures. To ramp up their security, companies should leverage advanced monitoring tools with device security vulnerability assessment and remote management capabilities. To learn more about best practices for securing edge computing networks, read the white paper, “An Overview of Cybersecurity Best Practices for Edge Computing.”

[1] Source: Schneider Electric estimates

[2] Ibid

[3] Source: Gartner, 2019, “How to Mitigate Firmware Security Risks in Data Centers, and Public and Private Clouds”
