Many facilities that serve a broad range of industries, from manufacturing and data centers to health care and education, have transitioned from a centralized IT strategy to a distributed model that enables them to manage resources across a broad network. While this shift helps open doors for more effective operational efficiency and customer service, it also raises an opportunity for facilities to revisit and strengthen their cybersecurity strategies.

Power management equipment has evolved in parallel with this trend. As these devices become more connected to support the needs of distributed networks, they too must be properly safeguarded from cyberattacks. Facility managers investing in connected power equipment must understand how cybersecurity safeguards built into these solutions can help them protect critical infrastructure from potential threats.

Reward comes with risk

As IT frameworks have evolved, cybersecurity has understandably become a chief strategic priority for IT teams. According to a risk survey from the digital management firm RiskIQ, nearly 90 percent of information security leaders are concerned about the rise of digital threats across web, social and mobile channels. Potential consequences of a data breach include damaged reputation, downtime, ransomware, loss of sensitive personal or enterprise information, and distributed denial-of-service (DDoS) attacks designed to paralyze major websites. Last year, the average cost of a data breach reached a record high of US$4.35 million as noted in the 2022 cost of a data breach report by IBM and Ponemon Institute.

FMJ Extra - Safeguarding Resources

Perspective on power management

The advancing connectivity of devices accompanies a changing cybersecurity landscape that has already become more noticeable with breaches impacting systems in critical industries. Like HVAC units and other increasingly connected equipment, power management devices such as uninterruptible power supplies (UPSs) carry connected capabilities that enable integration with software, services and other IT infrastructure, enabling operators to manage and monitor them remotely.

These components must be secured just like any other critical network asset. The Cybersecurity and Infrastructure Security Agency and Department of Energy released a public advisory this past year regarding cybersecurity for internet-connected UPSs. The advisory urged organizations to take mitigation measures to protect UPSs and all other emergency power systems against potential threat actors.

While there are potential risks that come with enhanced connectivity, the good news is that cybersecurity technologies are becoming better tailored and more robust for networked IT ecosystems. Specific OEM cybersecurity expertise, secure development life cycle practices and strategic partnerships are resulting in powerful cybersecurity technologies for power management systems. Paired with the right processes and trained people, a sound cybersecurity strategy can safeguard systems from potential threats.

Strategies to safeguard equipment

Keeping pace with industry developments and ensuring products are compliant with the latest standards is essential. One critical development in this approach is the effort by global standards bodies to define processes and methods to certify products as secure.

Global safety standards organizations, including Underwriters Laboratories (UL) and the International Electrotechnical Commission (IEC), provide important guidelines for the implementation of appropriate cybersecurity safeguards in network-connected devices. Deploying UPSs with network management cards that carry UL 2900-1 and ISA/IEC 62443-4-2 certifications in distributed environments, such as network closets, can give operators peace of mind that their devices have built-in cybersecurity features and capabilities to better protect infrastructure against breaches.

As facilities manage a range of connected UPSs over a distributed network, many will seek to execute remote firmware updates to keep their devices up to date with the latest features. Because of this, facility operators should look for power devices that require cryptographic signature checks to update firmware to avoid cybersecurity risks. Operators should work with vendors that offer 24/7 monitoring across converged IT/operational technology (OT) environments as this can help add an extra layer of protection and visibility for critical infrastructure.

Facilities should leverage cybersecurity practices with connected power management devices in distributed environments just as they would other components within their IT infrastructure. This includes using firewall and industrial security solutions as well as encrypting information: hardening devices to only be able to operate as intended, conducting routine security assessments, regularly updating software and firmware (including antivirus definitions and antispyware), using advanced email filtering, establishing strong authentication and password policies with role based controls, deploying end point protection and integrating employee cybersecurity awareness training, as well as cybersecurity simulation through tabletop exercises.

While cybersecurity technology is understandably a primary focus of a facility’s protection strategy, physical security should not be overlooked. Using smart security locks on IT racks can also help ensure that only authorized personnel have access to IT equipment. Additionally, as the proliferation of smart, connected devices link together more elements of IT operations in distributed networks, it will be helpful to partner with technology and solutions providers that demonstrate an ongoing commitment in protecting against cybersecurity risks.

Maintain a steady defense

FMs who stay current with industry standards and leverage power management software that integrates cybersecurity best practices will be in a strong position to stay ahead of emerging threats. The importance of this approach has been on display in the aftermath of major vulnerabilities such as Ripple20, which put countless internet-connected devices in danger during the early days of the COVID-19 pandemic.

Although primarily developed to monitor and manage power devices – as well as gracefully shut down critical loads during outages – power management software can also be used to provide an inexpensive, highly viable air gap solution. This measure helps keep secure networks physically isolated from unsecured ones.

Power management software can integrate with Windows operating systems and common virtualization systems, which makes it easy for IT teams to automatically discover and monitor common power infrastructure and IT equipment. Some solutions can also be customized to trigger specific actions on a customized schedule in alignment with devices like UPSs and power distribution units (PDUs).

Secure the future

Many facilities are reaping the benefits of advancing interconnectivity and using connected systems and data to improve operational efficiency and make more intelligent, proactive decisions. However, with this transition comes the responsibility to ensure connected technologies are secure. Cybersecurity risks will continue to grow as new threats emerge and take aim at once inconspicuous components like power management technology. By taking proper cybersecurity measures to safeguard critical infrastructure, facilities will be better prepared to protect their network amid the ongoing evolution of increasingly connected IT environments.