H-ISAC TLP White Informational Mitigating Attacks Against Uninterruptible Power Supply Devices

On March 29, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) released a report in response to reports of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords.

Health-ISAC is sharing this information with our members because of the increased risk of threat actors abusing this weakness to access UPS devices, which provide emergency power in a variety of applications when normal power sources are lost. The aim is to help organizations mitigate attacks against their UPS devices by removing management interfaces from the internet.

The report states that organizations can mitigate attacks against UPS devices by immediately removing management interfaces from the internet.

Review CISA and DOE’s guidance on mitigating attacks against UPS devices for additional mitigations and information.

Health-ISAC recommends that organizations immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet.

In the rare situation where a UPS or similar system's management interface must be accessible from the internet, the device should have compensating controls, such as placing the management interface behind a virtual private network, enforcing multifactor authentication, and setting strong, long passwords.
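The two recommendations above (enumerate every UPS and confirm it is not reachable from the internet; where exposure is unavoidable, require VPN, MFA and strong passwords) can be turned into a repeatable review of an asset inventory. The following is an added example, not part of the H-ISAC advisory or the CISA/DOE report: it checks a constructed UPS inventory against a set of assumed internal management networks and reports the devices that need attention. The inventory fields, the internal network ranges, the 16-character password threshold and the sample addresses (192.0.2.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges standing in for public addresses) are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: the organisation's internal management networks (constructed values).
# Any management address outside these ranges is treated as internet-reachable
# and must carry the advisory's compensating controls.
INTERNAL_MGMT_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.250.0/24"),
]
MIN_PASSWORD_LENGTH = 16  # assumed threshold; the advisory only says "strong, long"


@dataclass
class UpsDevice:
    """One row of the UPS inventory (field set is an assumption)."""
    name: str
    mgmt_ip: str           # address of the management interface
    default_creds: bool    # vendor default username/password still in use
    vpn_only: bool         # interface reachable only through a VPN
    mfa: bool              # multifactor authentication enforced
    password_length: int   # length of the administrative password


def is_outside_management_nets(ip_text, nets=INTERNAL_MGMT_NETS):
    """True when the address is not inside any known internal management network.
    An unparseable address is treated as outside so that it is reviewed rather
    than silently passed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(addr in net for net in nets)


def assess(device):
    """Return the list of findings for one device (empty list means compliant)."""
    findings = []
    if device.default_creds:
        findings.append("default credentials unchanged")
    if device.password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if is_outside_management_nets(device.mgmt_ip):
        findings.append("management interface outside internal management networks")
        # Compensating controls only matter once the interface is exposed.
        if not device.vpn_only:
            findings.append("exposed interface not restricted to VPN access")
        if not device.mfa:
            findings.append("exposed interface without multifactor authentication")
    return findings


def report(devices):
    """Map device name -> findings, listing only devices that need attention."""
    out = {}
    for device in devices:
        findings = assess(device)
        if findings:
            out[device.name] = findings
    return out


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    UpsDevice("ups-dc1-rackA", "10.20.5.11", False, True, True, 24),
    UpsDevice("ups-lab-3", "192.0.2.40", True, False, False, 8),
    UpsDevice("ups-branch-7", "203.0.113.9", False, True, True, 20),
    UpsDevice("ups-unknown", "n/a", False, False, False, 16),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it with a real export of the inventory in place of SAMPLE_INVENTORY; a device that is outside the management networks but shows only the "outside internal management networks" finding is the advisory's "rare situation" with compensating controls in place, and still deserves a documented justification.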

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272