US government warns of UPS cyber-security threats
- April 4, 2022
- Steve Rogerson

The US Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Energy have warned about cyber-security threats to internet-connected uninterruptible power supply (UPS) devices, which are often accessed through unchanged default usernames and passwords.
In recent years, UPS vendors have added an IoT capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience. UPS devices provide clean and emergency power in various applications when normal input power sources are lost.
Loads for UPSs can range from small for a few servers to large for whole buildings to massive for a data centre. Different groups within an organisation could have responsibility for UPSs, including IT, building operations, industrial maintenance or even third-party contract monitoring service vendors.
Cisa recommends users immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet. In the rare situation where the management interface of a UPS device or similar system must be accessible from the internet, users should ensure compensating controls are in place so that the device or system is behind a virtual private network.
Users should also enforce multifactor authentication, use strong, long passwords or passphrases in accordance with Nist guidelines, and check whether the UPS’s username and password are still set to the factory default. If they are, users should update the username and password so they no longer match the default.
This ensures that going forward, threat actors cannot use their knowledge of default passwords to access a UPS. The vendor may provide additional guidance on changing default credentials and/or additional recommended practices.
Users should ensure credentials for all UPSs and similar systems adhere to strong password length requirements and adopt login timeout and lockout features.
If an organisation is impacted by an incident or suspected incident, users should implement their cyber incident response plan. Cisa’s Federal Government Cybersecurity Incident & Vulnerability Response Playbooks detail incident response practices and operational procedures.
For incident response best practices, users should follow the guidance on technical approaches to uncovering and remediating malicious activity in the joint Cybersecurity Advisory by Cisa and the cyber-security authorities of Australia, Canada, New Zealand and the UK. Report incidents or anomalous activity immediately to Cisa’s round-the-clock operations centre.


