CISO Update #46

Critical Infrastructure Meets the IoT

It sounds like a monster movie from the 1940s, maybe Frankenstein Meets the Wolf Man. (In that one, by the way, Bela Lugosi played Frankenstein’s monster rather than Dracula. Who knew?) In our 2022 version we find two major themes in cybersecurity coming together: attacks against critical infrastructure and attacks against IoT devices.

Since it’s been a while, let’s revisit “IoT”: the internet of things. IoT consists of all those non-computer devices that live on the internet—things like baby monitors and thermostats, and in this case, uninterruptible power supply (UPS) systems that protect big computer centers and other equipment from outages on the power grid. In this series, we have discussed how IoT devices are often made by companies without the technical expertise or financial incentive to properly protect users from cyberattacks, and how users often don’t apply the latest updates (if the manufacturer bothers to provide updates at all). Suddenly, your unpatched home router with a default password becomes a vector for cybercriminals to spy on you and steal your data. This week it was announced that UPSs from Schneider, a major manufacturer of building control and power management systems, suffer from a vulnerability that, according to the Center for Internet Security, could allow “an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.” In other words, a bad guy could own your UPS. (For the record, FIT uses UPS systems but not ones with this vulnerability.)

While this is bad enough, UPS systems protect organizations from interruptions to the power grid, which has also proven vulnerable to cyberthreats, particularly in the current geopolitical environment. This from an April 2021 edition of Homeland Security Today: “One nation that has shown both the capability and intent to use attacks against critical energy infrastructure is Russia, as demonstrated in their 2015 annexation of Crimea from Ukraine. A Russian cyberthreat group known as Sandworm, which used its BlackEnergy malware, attacked Ukrainian computer systems that provide remote control of the Ukraine power grid. This attack, and another in 2016, each left the capital Kiev without power, prompting cyberexperts to raise concern about the same malware already existing in NATO and the U.S. power grids.” It’s concerning when both primary and backup systems are vulnerable. A two-headed monster, indeed.

What can you do?
There’s not much you can do to protect the power grid, but you can certainly be mindful of your IoT devices at home. Buy from well-known manufacturers, change default passwords, and install updates when they become available. One useful hint is to look at the owner's manual online before you buy. If there isn’t a section on how to update passwords and software, look for a more secure device.

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.