On March 29, 2022, CISA and the Department of Energy (DOE) issued a joint advisory on securing internet-connected uninterruptible power supply (UPS) devices. Threat actors keep refining their methods, and a vulnerable, internet-reachable UPS is an easy way into a network, so the guidance is not a precaution against some possible future compromise; it is a defense against attacks that are already under way.
One way to stop attackers from using internet-connected UPS devices is simply to unplug them. I can disconnect the UPS in my home office with a little effort, accepting the risk that my computer crashes and my appliances fail if the power goes out. The problem is that UPS devices exist to provide emergency backup power, power that first responders, medical services, critical infrastructure providers and many others need to save lives, ensure public safety and maintain continuity of operations. The UPS devices in hospitals, on manufacturing lines and in 911 call centers must remain plugged in.
There is another solution that looks obvious and is wrong: cut the UPS devices off from the network entirely. Blocking direct reachability from the internet is necessary, and most organizations can do it. What they cannot do is remove network access altogether, because the same management interfaces that make a UPS reachable are what technical staff use to monitor battery state, receive alerts and maintain the units. A UPS that can be physically isolated is the exception, not the rule.
So, what’s the solution?
It is easy enough to state a third approach: use network segmentation to limit access to the UPS devices and force every connection to them through a secured gateway, such as a VPN or a jump host. That is easy to say; the hard part is in the next two questions. Where are the UPS devices located? What are the paths from the internet to those devices?
Answering the location question requires a visibility tool. A paper list that says where the UPS devices should be, or where they were shipped three years ago, is not enough. We need to know where these devices are right now. A visibility tool that covers the entire networked enterprise gives us the data for a complete answer, and the important word is entire. I’ve seen environments where the visibility tool is kept out of the data center, the manufacturing line, the trading floor, etc. Those blind spots must go; visibility needs to be universal. Consider the impact of a compromised UPS device in a data center, on a manufacturing line, or on the trading floor. I would say that the compromised UPS device would have a much greater impact than accommodating the visibility tool’s requirements.
The visibility tool must be able to report where each UPS device is located, what it is plugged into for network access, and which ports it has open for communication. All of that information is needed to answer the second question and secure the pathways to those devices.
I used the plural, pathways, deliberately. We tend to focus on whether there is a direct path from the internet to a device and overlook the indirect ones. Many devices on a network can reach both the internet and the UPS devices; if one of them is compromised, every UPS it can reach can be compromised in turn. That is a path with a single additional hop, and longer paths may exist as well. Then there is the reverse question: what could a compromised UPS device reach? The point is that blocking the direct internet-to-UPS connection is not enough. We need to account for the alternate routes both to and from the UPS devices within the network.
Ideally, the tool that identifies the alternate routes also identifies the vulnerabilities on the devices along them. Those vulnerabilities are the doors attackers pass through on the way to their destination. An attacker who wants to disrupt power stops at the UPS devices and burns them out. An attacker who wants more than that uses the UPS devices as pivot points.
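To make the two questions above concrete, here is an added example that is not code from the original post and not Forescout's or RedSeal's own logic. It models a small network as zones joined by a firewall allow-list, enumerates every multi-hop path from the internet to each UPS, flags the intermediate hops that vulnerability tooling has marked exploitable, and computes what each UPS could reach in turn. Every host name, zone, port, rule and "vuln" flag is constructed for illustration, and the model assumes, as the text does, that any reachable device can be compromised.

```python
"""Multi-hop reachability to and from UPS devices over a constructed network model.
Added example for this post, not code from the original article and not Forescout's
or RedSeal's logic. Every host, zone, port, ACL rule and "vuln" flag is constructed."""

from collections import deque

# Constructed inventory: host -> zone, UPS flag, and whether vuln tooling flagged it.
HOSTS = {
    "internet":     {"zone": "INTERNET", "ups": False, "vuln": False},
    "web-01":       {"zone": "DMZ",      "ups": False, "vuln": True},   # unpatched web app
    "jump-01":      {"zone": "MGMT",     "ups": False, "vuln": False},
    "hvac-ctl":     {"zone": "OT",       "ups": False, "vuln": True},   # default credentials
    "ups-dc-01":    {"zone": "OT",       "ups": True,  "vuln": False},
    "ups-floor-07": {"zone": "OFFICE",   "ups": True,  "vuln": False},
    "ad-dc-01":     {"zone": "CORE",     "ups": False, "vuln": False},
}

# Constructed firewall policy as (source zone, destination zone, port); a list for determinism.
ALLOW = [
    ("INTERNET", "DMZ",    443),  # public web front end
    ("INTERNET", "OFFICE", 443),  # legacy port-forward to a UPS management card
    ("DMZ",      "MGMT",   22),   # web tier may SSH to the jump host
    ("MGMT",     "OT",     161),  # SNMP polling of OT gear, UPS included
    ("MGMT",     "OT",     443),  # UPS / OT web UIs
    ("OT",       "OT",     443),  # no intra-zone filtering in OT
    ("OT",       "CORE",   389),  # OT devices authenticate against LDAP
    ("OFFICE",   "OT",     443),  # office users may browse OT web UIs
]

def build_graph(hosts, allow):
    """Directed graph: edge a->b on port p when the policy lets zone(a) reach zone(b) on p."""
    graph = {name: [] for name in hosts}
    for src, s in hosts.items():
        for dst, d in hosts.items():
            if src == dst:
                continue
            for src_zone, dst_zone, port in allow:
                if (src_zone, dst_zone) == (s["zone"], d["zone"]):
                    graph[src].append((dst, port))
    return graph

def find_paths(graph, src, dst, max_hops=4):
    """Every simple path src -> dst of at most max_hops edges, as [(host, port), ...]."""
    found = []

    def walk(node, path, visited):
        if node == dst:
            found.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt, port in graph[node]:
            if nxt not in visited:
                visited.add(nxt)
                path.append((nxt, port))
                walk(nxt, path, visited)
                path.pop()
                visited.remove(nxt)

    walk(src, [(src, 0)], {src})
    return found

def reachable_from(graph, src):
    """Everything a device compromised at src could go on to touch (BFS over the policy)."""
    seen, queue = {src}, deque([src])
    while queue:
        for nxt, _ in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {src}

def ups_exposure(hosts, allow, entry="internet", max_hops=4):
    """Per UPS: inbound paths from `entry`, vulnerable intermediate hops, outbound blast radius.
    Assumes any reachable device can be compromised, as the text above does."""
    graph = build_graph(hosts, allow)
    report = {}
    for name, attrs in hosts.items():
        if attrs["ups"]:
            paths = find_paths(graph, entry, name, max_hops)
            report[name] = {
                "direct": any(len(p) == 2 for p in paths),
                "paths": paths,
                "vulnerable_hops": sorted({h for p in paths for h, _ in p[1:-1] if hosts[h]["vuln"]}),
                "blast_radius": sorted(reachable_from(graph, name)),
            }
    return report

def fmt(path):
    """Render a path as 'internet -> web-01:443 -> jump-01:22 -> ...'."""
    return " -> ".join(f"{h}:{p}" if p else h for h, p in path)

if __name__ == "__main__":
    for ups, r in ups_exposure(HOSTS, ALLOW).items():
        print(f"{ups}: direct={r['direct']} paths={len(r['paths'])} "
              f"vulnerable_hops={r['vulnerable_hops']} can_reach={r['blast_radius']}")
        for p in r["paths"]:
            print("   ", fmt(p))
    # Drop the single legacy port-forward and re-run the analysis.
    fixed = [rule for rule in ALLOW if rule != ("INTERNET", "OFFICE", 443)]
    print("after removing the port-forward:",
          {u: len(r["paths"]) for u, r in ups_exposure(HOSTS, fixed).items()})
```

On this constructed topology the run shows ups-floor-07 directly exposed through one legacy port-forward, while ups-dc-01 has no direct path but six indirect ones, two of them pivoting through the other UPS, with web-01 and hvac-ctl as the vulnerable hops. Removing the port-forward closes the direct exposure and leaves four routes through the DMZ and jump host, which is the point of the paragraphs above: blocking the direct internet connection is necessary, not sufficient. Real tooling refines the "reachable means compromisable" assumption with the actual services and vulnerabilities on each hop; the enumeration itself is the same.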
When I read the CISA/DOE warning, my first reaction was to pair Forescout with RedSeal: Forescout to examine the digital terrain and find all the UPS devices, and RedSeal to map the network and show all the pathways and the vulnerabilities along them. With that knowledge in hand, the perimeter firewalls can be configured to block the problematic inbound traffic. Beyond that, the same information puts firms on the path toward segmentation and micro-segmentation, limiting inbound and outbound traffic for risky but necessary devices like UPS units to only what they need in order to operate.
Left unprotected, vital UPS devices are compromises waiting to happen. Don’t unplug them, and don’t deprive them of the network traffic they need. Use the right tools to track their locations and the pathways to and from them. The journey of segmentation starts with a single step, and it may as well be the most important step taken to protect the UPS devices from the network… and the network from the UPS devices.