Tech & Innovation in Healthcare

Question: We have several uninterruptible power supply (UPS) devices throughout the office to protect our computers, phones, and printers in the event of a power outage. I noticed the other day that some of the UPS devices have Ethernet cords connected to them. Could this be a security risk?

Minnesota Subscriber

Answer: The UPS devices in your office could certainly be a security risk if the Ethernet cords are connected to your office’s network and computers. A UPS helps keep computers and other connected devices safe during a power surge and power outage. The UPS features a battery backup to help keep your connected computers, printers, or servers operational for a period of time. This extra power allows you to safely save what you’re working on before powering off your machine.

In a March 29, 2022 joint release, the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Energy recommended that organizations review and secure any internet-connected UPS devices to prevent cyberthreat actors from gaining access to the device through the internet.

The agencies suggest checking the UPS’s username and password to see if they are still set to factory defaults, and then update the credentials to enhance the device’s security.

CISA and the Department of Energy also suggest removing direct internet access to the UPSs in your organization. However, if the UPSs must be accessible from the internet, implement the following compensating controls:

• Place the device or system behind a virtual private network (VPN).
• Establish multifactor authentication (MFA).
• Use National Institute of Standards and Technology (NIST)- acceptable, strong, long passwords or passphrases.