CRITICAL SECURITY ALERT: High-have been disclosed in APC Smart-UPS devices

Three high-impact APC Smart-UPS device vulnerabilities have been disclosed that could be abused by remote adversaries as a physical weapon to access and control them in an unauthorized manner.

Collectively dubbed TLStorm, the flaws “allow for complete remote takeover of Smart-UPS device vulnerability and the ability to carry out extreme cyber-physical attacks,” Ben Seri and Barak Hadad, researchers from IoT security company Armis, said in a report published Tuesday.

UPS (Uninterruptible power supply) devices function as emergency backup power providers in mission-critical environments such as medical facilities, server rooms, and industrial systems. Most of the afflicted devices, totaling over 20 million, have been identified so far in healthcare, retail, industrial, and government sectors.

What You Can Do

Managed Services Clients: Acumen has already begun the process of performing these mitigations for you. No further action is required at this time.

All Others: Please follow this set of mitigations to protect their UPS devices:

• Install the patches available on the Schneider Electric website.
  
• If you are using the NMC, change the default NMC password (“apc”) and install a publicly-signed SSL certificate so that an attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC
• Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.