The FCC has released a Public Notice encouraging communications companies using uninterruptable power supply (UPS) devices, as either a primary or backup power source, to review the Joint Cybersecurity Advisory. The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) have put together this advisory after receiving intel that bad actors have gained access to a variety of internet-connected UPS devices through unchanged default usernames and passwords.
CISA and DOE urge communications companies and critical infrastructure entities to immediately enumerate all UPSs and similar systems and ensure they are not accessible via the internet. They further state that when such devices must access the internet, there should be compensating controls in place.