The proliferation of connected devices across the enterprise has driven many IT managers to rethink their cybersecurity approach to account for connected infrastructure at all levels of the network. More connected devices means a greater potential surface area for hackers to exploit, making it imperative that these entry points be considered as part of a comprehensive cybersecurity strategy.
One emerging area that should be considered as IT managers take a fresh look at cybersecurity is connected power. Earlier in 2022, the Cybersecurity and Infrastructure Security Agency and the Department of Energy issued guidance for network-connected uninterruptible power system (UPS) devices, advising users to “…mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost.”
In this article, we’ll look at some of the advantages of network-connected UPSs for IT managers while examining steps these managers can take to protect devices from cyberattacks.
Why connected power?
The need for network-connected UPSs may not be immediately apparent for some IT professionals, but the reality is that communicating UPSs provide enormous benefits.
These devices, which support critical infrastructure by serving as a bridge to generator power in the event of an outage, can help protect against downtime and prevent the loss of critical data. By leveraging a UPS enhanced with network connectivity, IT managers can integrate software to remotely manage the device on their network – improving business continuity by performing orderly shutdown of servers and storage to avoid crashing these systems. Additionally, they can leverage digital services to monitor the health of power devices, obtaining a host of useful data and insights to aid proactive maintenance and better decision-making.
These are just two of many benefits connected UPSs offer for the user. As with any network-connected device, however, cybersecurity must be a priority.
Securing backup power devices
When leveraging connected devices, network managers should consider several factors that can offer assurance that those devices were built with cybersecurity as a top priority.
One factor is certification. Global safety standards from bodies such as Underwriters Laboratories (UL) and the International Electrotechnical Commission (IEC) provide important guidelines for appropriate cybersecurity safeguards in network-connected devices, including backup power. Deploying UPSs with network management cards that carry UL 2900-1 and ISA/IEC 62443-4-2 certifications can give assurance that these devices incorporate key cybersecurity safeguards and have been rigorously tested to ensure compliance with the latest standards.
Another important consideration is cybersecurity features baked into the UPS. For example, deploying power devices that require cryptographic signatures for all firmware updates can help IT avoid cybersecurity risks. And procuring devices from vendors that offer 24/7 monitoring across converged IT/operational technology (OT) environments will add an extra layer of protection and visibility for critical infrastructure.
It’s important to remember that cybersecurity for connected UPSs shouldn’t be considered in a vacuum. Network managers should review their comprehensive cybersecurity strategy across the enterprise and use best practices with power management devices that apply to the full network. These can include regularly updating antivirus software and antispyware; conducting frequent security assessments; using advanced email filtering; establishing powerful password policies (and multi-factor authentication) and endpoint protection; using firewall and industrial security solutions as well as encrypting information; and holding regular cybersecurity awareness training for employees across all levels of the organization.
Finally, physical security should be carefully evaluated when protecting power devices and other IT equipment as many attackers can use physical infrastructure to target critical data. Measures such as putting smart security locks on IT racks can be helpful to ensure only authorized personnel have access to these components.
As previously stated, one of the benefits of connected power management technology is the ability to integrate software for remote management. This can be another powerful tool in the fight against cyberattacks.
Power management software can help enterprises mitigate emerging cybersecurity threats like the Ripple20 vulnerabilities, which surfaced during the early days of the COVID-19 pandemic and put network-connected devices in jeopardy. The software allows IT teams to keep up with the latest patches and secure their power management components from future zero-day vulnerabilities that develop.
Lastly, network managers should also look to partner with technology and solution providers that demonstrate an ongoing commitment to cybersecurity. This kind of collaboration can offer the ability to continuously monitor distributed networks and make necessary updates quickly as new threats are identified.
Secure for the future
Cybersecurity should always be at the top of network managers’ priority list, and the potential for threats will only continue with the addition of new devices on the network. As more enterprises look to harness the capabilities of connected power to back up critical infrastructure, network operators should make sure to ask the right questions about these devices’ cybersecurity capabilities to ensure careful consideration has been given to protect against potential attacks.
James Martin is the global connectivity product manager at Eaton.