Manufacturers are increasingly adding connectivity to their products in order to capitalise on the advantages the Internet can provide. UPS vendors have recently added IoT features to their UPS units, which supply battery backup power during power spikes and outages. Recently, the Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Energy issued a joint warning urging enterprises to safeguard Internet-connected UPS equipment against ongoing threats.
According to the new CISA warning, attackers target these Internet-connected UPS units through their unchanged default usernames and passwords to gain access to the networks they are connected to. If attackers can remotely take control of UPS systems, they may wreak havoc on a company's internal network, steal data, or, in the worst case, cut power to mission-critical appliances, equipment, or services.
The problem is that IoT devices are often resource-constrained, and manufacturers frequently make sacrifices when it comes to adopting good security standards. Manufacturers often ship factory-installed default credentials that are intended to be changed after installation. When a common credential is used across millions of devices, it becomes a single point of failure: once that credential is discovered, it can be used to compromise every other device that accepts the same authentication. We have seen similar difficulties with IoT devices in the home, where attackers are able to target home routers that retain default credentials because customers are unaware of them or choose not to change them. We have also seen compromised IoT devices used in DDoS attacks, which can consume server or backend resources or disrupt the IoT device's intended function.
Best Practices for Using Connected UPS Devices Securely
Traditional security approaches used to safeguard offline devices may not be enough as manufacturers continue to connect devices to enjoy the advantages of the Internet. The following are a few recommended security practices that manufacturers should follow in order to use connected UPS equipment safely.
Change the default password as soon as the unit is commissioned: Vulnerabilities in connected UPS equipment are often triggered by a failure to replace factory-installed default credentials. Factory-installed default credentials on UPS equipment must be changed right away. Administrators should choose a long, complex new password built from unusual character combinations before redeploying the devices to live environments.
Multifactor authentication (MFA) should be used: Strong authentication is required for connected IoT devices and equipment to be trusted, and it guards against control commands from unauthorised people or devices. Authentication also prevents attackers from posing as IoT devices in order to gain access to data on servers, such as recorded conversations, photos, and other potentially sensitive information. The majority of IoT devices support two-factor or multi-factor authentication. This is a two-step authentication technique that requires you to confirm your identity using a second device, such as a phone.
Ensure that each device has a distinct credential: Sending data securely is a critical feature of every IoT device. To be successful, both users and manufacturers must be able to trust that the data they receive is genuine and meant for them. As more connected UPS devices appear, each one should have a unique credential for identification. When properly implemented, the use of asymmetric certificates is a highly secure method of protecting access to IoT devices installed in manufacturer or end-user networks. Many IoT devices use symmetric encryption, which employs a single key to encrypt and decrypt data. The fact that the data is encrypted provides an additional degree of protection, especially compared to using hardcoded or default passwords, but sharing and storing the encryption key introduces risk, because a malicious party that intercepts the key can use it to encrypt and decrypt data. This means they may gain access to the whole system and its exchanged data, and they could even act as a "man in the middle" by altering data without the manufacturer or end users being aware. Asymmetric encryption generates a unique public and private key pair. Each one serves a distinct function (the public key decrypts data and may be freely shared, while the private key encrypts data and must be safeguarded) and contributes to resolving some of these issues.
Make use of certificate-based authentication: If UPS devices are deployed in networks that add further layers of security, such as certificate-based authentication (which uses a digital certificate to identify a user, machine, or device before granting network access), a much stronger security posture results on top of the device's built-in security policies. A PKI manages the issuing of digital certificates to give devices unique digital identities, and consists of a tree-like structure of servers and devices that keep a list of trusted root certificates. With certificate-based authentication, digital certificates are usually structured in a chain, where each certificate is signed by the private key of another trusted certificate and the chain must lead back to a globally trusted root certificate. Through each intermediate certificate authority, this arrangement produces a delegated chain of trust from the trusted root certificate authority down to the end-entity "leaf" certificate loaded on the device.
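The two recommendations above (one key pair per device, and a delegated chain of trust) in working form, as an added example written for this page rather than code from any UPS vendor or from CISA: a trusted root signs a vendor issuing CA, the issuing CA signs one certificate per device (each with its own freshly generated key), and a verifier accepts a device only when its chain closes at the root. It uses only the Go standard library; all names, lifetimes and the "ups-0001"/"ups-0002" identities are constructed demo values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a fresh P-256 key pair and a certificate for it signed by parentKey; parent == nil
// means self-signed, and CertSign usage marks a CA. Names and lifetimes are constructed demo values.
func issue(cn string, usage x509.KeyUsage, days int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildFleet: trusted root -> vendor issuing CA -> one leaf per UPS device, plus an unenrolled device with a self-signed leaf.
func BuildFleet() (root, inter, device, rogue *x509.Certificate) {
	root, rootKey := issue("Demo Root CA", x509.KeyUsageCertSign, 3650, nil, nil)
	inter, interKey := issue("Demo UPS Vendor Issuing CA", x509.KeyUsageCertSign, 1825, root, rootKey)
	device, _ = issue("ups-0001", x509.KeyUsageDigitalSignature, 365, inter, interKey)
	rogue, _ = issue("ups-0002", x509.KeyUsageDigitalSignature, 365, nil, nil)
	return
}

// Verify accepts a device leaf only if it chains through the issuing CA to a root in the trust store.
func Verify(root, inter, device *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

The self-signed "ups-0002" leaf and a chain whose issuing CA is missing are both rejected, which is the check a network gateway or management server should make before accepting commands from or about a UPS.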
Monitor certificates and keys on an ongoing basis: Implementation is the key to strong security. It is vital to ensure that key pairs, digital certificates, and the PKI that serves as the root of trust are correctly implemented and regularly monitored, because any static system is intrinsically insecure. Without continued lifecycle management, digital certificates, key pairs, and trust roots will deteriorate over time. Proper lifecycle management should first map every device in order to have an accurate inventory of all unique identities and authentication in use. With a comprehensive inventory, manufacturers can then monitor all certificates and keys, discover potential problems and react appropriately. When devices are no longer in use, the certificates and keys associated with them should be revoked.
IoT devices have a lot of potential for good. Their capacity to connect things and exchange information, however, also leaves them very exposed, because every point of connection is a potential point of compromise. Manufacturers that emphasise IoT device security will continue to deliver new devices with the requisite degree of security, building consumer confidence and avoiding destructive cyberattacks.