Dark Reading is part of the Informa Tech Division of Informa PLC



3/12/2021
10:00 AM
Hervé Tardy
Commentary

Power Equipment: A New Cybersecurity Frontier

Power systems, HVAC systems, and other network-connected devices are exposing new vulnerabilities that must be secured.

Power management may not be at the top of anyone's priority list when they think about cybersecurity. But to quote the famous words of Bob Dylan: "The times, they are a-changin'." As Internet of Things (IoT)-enabled devices have evolved and many business functions have shifted to remote operations, vulnerabilities are emerging in places that may have once seemed like something out of Hollywood fiction.

As digital transformation continues to advance amid the COVID-19 pandemic and beyond, businesses must evaluate their security model to ensure they're prepared for the next normal. Power equipment must be part of the equation in an end-to-end cybersecurity strategy.


Hackers Make Surprising Moves
While IoT has been the catalyst for many positive developments, there are challenges with these expanding interconnections. For power management, the ability to connect backup equipment like an uninterruptible power supply (UPS) can prove helpful in enabling IT teams to monitor and maintain essential infrastructure more efficiently. However, like any other network-connected devices, they become assets that need to be secured from potential cyber breaches.

Though UPS doesn't traditionally come to mind when envisioning ways cybercriminals infiltrate a network, the same could also be said for other inconspicuous devices like HVAC units. Yet, that's exactly what hackers pursued when they were able to gain access to Target's system and steal data on over 40 million credit and debit cards.

And consider how hackers were able to penetrate the network of a North American casino utilizing an Internet-connected thermometer inside an aquarium. Finding the vulnerability in a fish tank, of all places, allowed hackers to access the casino's database and ultimately steal private customer data. And, while the premise may sound like something from an Ocean's Eleven movie sequel, it's not the first time an unsecure thermostat has caused a frenzy.

These are just a few examples of how hackers are exploiting new network entry points, but all it takes is a Google search for the morbidly curious to find plenty of other surprising examples. Each example underscores the need to have an end-to-end strategy to defend today's digital infrastructure.

Safeguarding Power Management Systems
The growing urgency surrounding cybersecurity is pushing power management manufacturers to introduce new protections in their connected devices. Here are a few steps IT and cybersecurity leaders can take to better secure their power equipment today.

  • Look for certifications: Global standards organizations are expanding their processes for certifying products as secure, and these efforts extend to power backup devices. There are UPS network management cards available with UL 2900-1 and ISA/IEC 62443 certifications that have built-in cybersecurity capabilities and features. Buying products with these types of certifications can give IT teams more peace of mind that their products have strong encryption, certificate authority (CA) and public key infrastructure (PKI) signed certificates, and configurable password policies.

  • Keep current on firmware updates: The ability to make timely firmware updates is essential to protect against emerging threats. This was made clear recently when Ripple20 vulnerabilities, which put countless Internet-connected devices at risk, were discovered. To secure power equipment against these types of new threats, IT teams can deploy power management software and work with their technology provider to ensure systems remain up to date with the latest patches. Power management software also offers capabilities for graceful shutdown in the case of a prolonged outage, which will help IT teams save their work in progress and prevent data loss.

  • Digital and physical security: As recent threats to Amazon's data center infrastructure illustrate, organizations should also take physical security into consideration as part of their defense strategy. Putting smart security locks on IT racks can help keep power management devices and other equipment safe and secure, allowing only authorized personnel to have access to these components. 

Ultimately, enterprises and their IT teams should aim to build a holistic strategy for protecting power equipment, similar to how they approach other Internet-connected systems. There's a balance in buying inherently secure products and taking ongoing measures to ensure equipment remains updated with the latest policies, procedures, and risk assessments.

A Journey, Not a Destination
As IoT advances and spreads into new areas of operation, enterprises will reap benefits by collecting more data and uncovering new insights that add value to their business. However, with progress comes the need to continue keeping a very close eye on the network. While new vulnerabilities and threats are bound to emerge, IT teams can do their best to stay one step ahead by monitoring the cybersecurity landscape and committing to an evolving, end-to-end strategy for protection.

Hervé Tardy is Vice President and General Manager of Eaton's Distributed Power Infrastructure business unit. In this role, Hervé manages the Americas product roadmap for power solutions, software, and connectivity products to reinforce Eaton's technology ...

Comments
mgalde,
User Rank: Apprentice
3/12/2021 | 11:25:19 AM
Network Visibility has always been a problem
When it comes to protecting operational technology (OT) on an IT network I have always found a problem with visibility of that network. A misunderstanding of who protects what assets and a lack of understanding of protocols like BACnet or DNP3 and what protections need to be put into place. Regulations help clear this up in some industries but there is still a problem with visibility and I suspect there will be more of a problem later as well. Hervé Tardy makes a good point, "businesses must evaluate their security model to ensure they're prepared for the next normal. Power equipment must be part of the equation in an end-to-end cybersecurity strategy."