Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

3/12/2021
10:00 AM
Hervé Tardy
Hervé Tardy
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Power Equipment: A New Cybersecurity Frontier

Power systems, HVAC systems, and other network-connected devices are exposing new vulnerabilities that must be secured.

Power management may not be at the top of anyone's priority list when they think about cybersecurity. But to quote the famous words of Bob Dylan: "The times, they are a-changin'." As Internet of Things (IoT)-enabled devices have evolved and many business functions have shifted to remote operations, vulnerabilities are emerging in places that may have once seemed like something out of Hollywood fiction.

As digital transformation continues to advance amid the COVID-19 pandemic and beyond, businesses must evaluate their security model to ensure they're prepared for the next normal. Power equipment must be part of the equation in an end-to-end cybersecurity strategy.

Related Content:

3 Security Flaws in Smart Devices & IoT That Need Fixing

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Securing Super Bowl LV

Hackers Make Surprising Moves
While IoT has been the catalyst for many positive developments, there are challenges with these expanding interconnections. For power management, the ability to connect backup equipment like an uninterruptible power supply (UPS) can prove helpful in enabling IT teams to monitor and maintain essential infrastructure more efficiently. However, like any other network-connected devices, they become assets that need to be secured from potential cyber breaches.

Though UPS doesn't traditionally come to mind when envisioning ways cybercriminals infiltrate a network, the same could also be said for other inconspicuous devices like HVAC units. Yet, that's exactly what hackers pursued when they were able to gain access to Target's system and steal data on over 40 million credit and debit cards.

And consider how hackers were able to penetrate the network of a North American casino utilizing an Internet-connected thermometer inside an aquarium. Finding the vulnerability in a fish tank, of all places, allowed hackers to access the casino's database and ultimately steal private customer data. And, while the premise may sound like something from an Ocean's Eleven movie sequel, it's not the first time an unsecure thermostat has caused a frenzy.

These are just a few examples of how hackers are exploiting new network entry points, but all it takes is a Google search for the morbidly curious to find plenty of other surprising examples. Each example underscores the need to have an end-to-end strategy to defend today's digital infrastructure.

Safeguarding Power Management Systems
The growing urgency surrounding cybersecurity is pushing power management manufacturers to introduce new protections in their connected devices. Here are a few steps IT and cybersecurity leaders can take to better secure their power equipment today.

  • Look for certifications: Global standards organizations are expanding their processes for certifying products as secure, and these efforts extend to power backup devices. There are UPS network management cards available with UL 2900-1 and ISA/IEC 62443 certifications that have built-in cybersecurity capabilities and features. Buying products with these types of certifications can give IT teams more peace of mind that their products have strong encryption, certificate authority (CA) and public key infrastructure (PKI) signed certificates, and configurable password policies.

  • Keep current on firmware updates: The ability to make timely firmware updates is essential to protect against emerging threats. This was made clear recently when Ripple20 vulnerabilities, which put countless Internet-connected devices at risk, were discovered. To secure power equipment against these types of new threats, IT teams can deploy power management software and work with their technology provider to ensure systems reman up to date with the latest patches. Power management software also offers capabilities for graceful shutdown in the case of a prolonged outage, which will help IT teams save their work in progress and prevent data loss.

  • Digital and physical security: As recent threats to Amazon's data center infrastructure illustrate, organizations should also take physical security into consideration as part of their defense strategy. Putting smart security locks on IT racks can help keep power management devices and other equipment safe and secure, allowing only authorized personnel to have access to these components. 

Ultimately, enterprises and their IT teams should aim to build a holistic strategy for protecting power equipment, similar to how they approach other Internet-connected systems. There's a balance in buying inherently secure products and taking ongoing measures to ensure equipment remains updated with the latest policies, procedures, and risk assessments.

A Journey, Not a Destination
As IoT advances and spreads into new areas of operation, enterprises will reap benefits by collecting more data and uncovering new insights that add value to their business. However, with progress comes the need to continue keeping a very close eye on the network. While new vulnerabilities and threats are bound to emerge, IT teams can do their best to stay one step ahead by monitoring the cybersecurity landscape and committing to an evolving, end-to-end strategy for protection.

Hervé Tardy is Vice President and General Manager of Eaton's Distributed Power Infrastructure business unit. In this role, Hervé manages the Americas product roadmap for power solutions, software, and connectivity products to reinforce Eaton's technology ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mgalde
50%
50%
mgalde,
User Rank: Apprentice
3/12/2021 | 11:25:19 AM
Network Visibility has always been a problem
When it comes to protecting operational technology (OT) on a IT network I have always found a problem with visibility of that network. A misunderstanding of who protects what assets and a lack of understanding of protocols like BACnet or DNP3 and what protections need to be put into place. Regulations help clear this up in some industries but there is still a problem with visibility and I suspect there will be more of a problem later as well. Hervé Tardy makes a good point, "businesses must evaluate their security model to ensure they're prepared for the next normal. Power equipment must be part of the equation in an end-to-end cybersecurity strategy."
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...