After years of prodding and multiple UPS cyber incidents (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers), March 29, 2022, CISA has finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities – https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf.
This is certainly welcome progress. However, more work is still needed to address other aspects of insecure building and data center control systems: insecure process sensors, Power Distribution Units, insecure UPS protocols such as Simple Network Management Protocol (SNMP), Modbus, and BACnet (even with the use of VPNs), etc. Hopefully, CISA extends its work to these issues as well.
