11 April 2022

The CS141 as a gateway for UPS network devices and data

Every time another hacker attack story hits the media, the discussion around how to secure a high-security network against "malware / ransomware" reaches a new fever pitch -- and the resulting discovery always seems to be that under certain conditions, essential elements of an infrastructure are inextricably linked to network access:
How is one supposed to query an integrated UPS SNMP card with firmware from a source that is not 100% verifiable without using the device’s LAN port?

It’s a problem that is becoming increasingly important in the highly sensitive area of power supply: no server system can be expected to succeed without a functioning mains power concept. Experience shows that attacks are increasingly targeting precisely this infrastructure.
Firmware that can be assumed to negatively affect system integrity and security, and which watchdog / government agencies have designated as such, does not inspire confidence – and such a flaw exists with all devices “made in China”. In addition, with an increasing number of different hardware options and configurations, each company wants to offer or pre-install its own ecosystem of "query and control software", which quickly makes the number of clients and software tools in the network confusing and overly complex. As a result, numerous individual ports have to be opened in the network, which in turn opens up more gateways for hackers.

A network should therefore only have those ports open that are really needed!

The solution here is to completely separate the heterogeneous hardware landscape from one's own high-security network and prohibit all network connections from unknown or untrusted sources – or to use the CS141/BACS as a functional firewall!

Basically, all safety-critical infrastructures struggle with the same sort of problem: many manufacturers promote their own "complete system solutions" for "their" devices. In the UPS sector, however, certain “universal” standards have become established, such as SNMP RFC 1628, which every UPS manufacturer should theoretically support. The CS141 has been using this "standardized" interface SNMP RFC 1628 for years to communicate with SNMP cards from other manufacturers.

The user only has to select "SNMP-UPS RFC 1628 compliant" as the model in the UPS configuration menu, and the CS141 takes over the SNMP data of the other card and simulates the direct connection via COM/USB.

This SNMP-UPS RFC 1628 communication mode allows the CS141 to be used as a "translator" in all environments where the “other” SNMP card does not meet the requirements of the administrators, or where the integration of this SNMP card into the network is not desired due to security concerns, for example.

In addition, the actual hardware itself is only passively queried, and thus there is no need for it to be reachable in the network at all. How dangerous it is to make infrastructure hardware directly accessible within a network is shown by this current article from March 2022: TLStorm. The article impressively shows why UPS systems in particular have become a central attack vector on an infrastructure.
As already described elsewhere in the newsletter, the CS141/BACS is known to be among the safest devices in the UPS market and thus also enjoys the most widespread usage, at least in the western world.
The reason for this strong reputation among end customers is not only the origin of the unit (Made in Germany and Made in the USA) but also the technical “nitty gritty” details behind the CS141/BACS. The recently introduced SYSLOG and RADIUS functions in the CS141/BACS, together with the port release via EAP, provide the technical prerequisites for achieving this trust status with end customers and thus form the ideal basis for continuing to operate both "insecure" network devices and simply obsolete network devices securely in modern networks.
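
As an added example (not part of the original article and not CS141 code), the following Python code audits flow records from an isolated UPS segment against the design described above: only the CS141 polls the third-party SNMP card on UDP/161, and the card initiates nothing itself. The addresses, the flow-record format and the sample records are constructed assumptions.

```python
import ipaddress

# Assumed addressing for the isolated UPS segment (constructed, not from the article).
GATEWAY = ipaddress.ip_address("192.168.50.2")         # CS141, the only permitted poller
UPS_CARDS = ipaddress.ip_network("192.168.50.16/28")   # third-party SNMP cards
SNMP_PORT = 161

# Constructed flow records, one per line: src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
192.168.50.2 40112 192.168.50.17 161 udp
192.168.50.17 161 192.168.50.2 40112 udp
10.0.4.23 51544 192.168.50.17 161 udp
192.168.50.17 49822 203.0.113.9 443 tcp
192.168.50.2 40113 192.168.50.18 80 tcp
malformed line
"""

def classify(line):
    """Return None if the flow fits the gateway-only policy, otherwise a reason."""
    parts = line.split()
    if len(parts) != 5:
        return "unparseable record"
    try:
        src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[2])
        sport, dport = int(parts[1]), int(parts[3])
    except ValueError:
        return "unparseable record"
    udp = parts[4].lower() == "udp"
    src_card, dst_card = src in UPS_CARDS, dst in UPS_CARDS
    if not (src_card or dst_card):
        return None                                  # flow does not involve a UPS card
    if dst_card and src == GATEWAY and udp and dport == SNMP_PORT:
        return None                                  # SNMP poll from the gateway
    if src_card and dst == GATEWAY and udp and sport == SNMP_PORT:
        return None                                  # SNMP response to the gateway
    if dst_card and src != GATEWAY:
        return "card reached by a host other than the gateway"
    if src_card and dst != GATEWAY:
        return "card sent traffic to a host other than the gateway"
    return "gateway/card traffic other than SNMP polling on UDP/161"

def audit(flows):
    """Return (line_number, reason) for every record that violates the policy."""
    checked = ((n, classify(l)) for n, l in enumerate(flows.splitlines(), 1))
    return [(n, reason) for n, reason in checked if reason]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE_FLOWS):
        print(f"line {number}: {reason}")
```

Any finding on a production segment means a port or path is open that the gateway design does not need.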