Uninterruptible Power Supply Technology and Cybersecurity

This is an excerpt from a January/February 2012 InTech magazine feature article by Michael A. Stout. He is vice president of engineering at Irwindale, Calif.-based Falcon Electric, Inc.

Every network-connected device in a data or SCADA network is a potential backdoor into the network, or at a minimum a security risk.

Once a hacker has gained access to a moderately secured network, they can easily determine the IP addresses of every device on the network. Using port scans, they can then determine whether a device communicates through HTTP, SNMP, Telnet, MODBUS, etc. Once the communications protocol has been established, the hacker will first attempt to determine if the device has any further security. In the case of a device supporting HTTP, if unsecured, it is a simple matter to use any web browser to communicate directly with the device, which often responds by displaying a menu of options. The selection and proper configuration of an uninterruptible power supply (UPS) SNMP/HTTP agent option is critical to network security, but it is often an afterthought. This prompts the question, “What security features should a UPS SNMP/HTTP agent support?”

The world is running out of IP addresses under the old 32-bit IPv4 format, which has prompted the development of a new world standard, IPv6, that supports 128-bit IP addresses. In addition to adding a virtually unlimited number of IP addresses, IPv6 has Internet Protocol Security (IPsec) built in. When used, IPsec secures IP communications across the network by authenticating and encrypting each IP data packet. IPsec uses a shared key to accomplish authentication. IPv6 support is essential in the selection process.

The SNMP/HTTP agent should be able to turn off unused communications ports and to reassign port numbers. A typical agent may support BootP/DHCP, Ping Echo, Telnet, SSH connection, HTTP, HTTPS, UDP, three SNMP versions, UPnP, and SMTP protocols. All of these protocols are assigned different port numbers and can, if unsecured, identify themselves should a port scan be performed. Some of the ports could provide backdoor access to the agent and the associated UPS unit. It is good practice to turn off unused communication protocol ports and to use communications protocols that have adequate security. …
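
The practice described above can be checked mechanically. The following Python is an added example, not part of the article or of any UPS vendor's software: it audits an agent's service inventory for unused services, cleartext protocols that have a secured counterpart in the article's list, and services still on their default ports. The Service record, the audit function and both sample inventories are constructed for illustration.

```python
from dataclasses import dataclass

# Cleartext protocols from the article's list, mapped to the secured
# alternative the same list offers (Telnet/SSH, HTTP/HTTPS, SNMP v1/v2c/v3).
CLEARTEXT = {"telnet": "ssh", "http": "https", "snmpv1": "snmpv3", "snmpv2c": "snmpv3"}
# IANA well-known ports for the services checked here.
DEFAULT_PORTS = {"telnet": 23, "ssh": 22, "http": 80, "https": 443,
                 "snmpv1": 161, "snmpv2c": 161, "snmpv3": 161}

@dataclass
class Service:          # hypothetical inventory record, not a vendor format
    name: str           # protocol name, lower case
    port: int           # port the agent listens on
    enabled: bool       # current state in the agent configuration
    required: bool      # whether the site actually uses the service

def audit(services):
    """Return sorted (service, finding) pairs for one agent's services."""
    findings = []
    for s in services:
        if not s.enabled:
            continue                      # disabled services expose nothing
        if not s.required:
            findings.append((s.name, "enabled but unused: turn off"))
        elif s.name in CLEARTEXT:
            findings.append((s.name, f"cleartext: use {CLEARTEXT[s.name]} instead"))
        elif DEFAULT_PORTS.get(s.name) == s.port:
            findings.append((s.name, f"on default port {s.port}: consider reassigning"))
    return sorted(findings)

# Constructed sample: an agent left close to factory settings.
FACTORY = [
    Service("telnet", 23, True, False),
    Service("ssh", 22, True, True),
    Service("http", 80, True, True),
    Service("https", 443, False, True),
    Service("snmpv1", 161, True, True),
    Service("upnp", 1900, True, False),
]
# Constructed sample: the same agent after hardening.
HARDENED = [
    Service("telnet", 23, False, False),
    Service("ssh", 2222, True, True),
    Service("https", 8443, True, True),
    Service("snmpv3", 10161, True, True),
]
if __name__ == "__main__":
    for name, finding in audit(FACTORY):
        print(f"{name:8} {finding}")
```

Run against an inventory exported from each agent, an empty result means every enabled service is both in use and on a secured protocol.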

Read the full article at InTech magazine.
