Cybersecurity of Vital Importance for Critical Infrastructure!

04 May 2023

From one security crisis to the next...

When the 2019 – 2021 Corona pandemic hit, companies worldwide found themselves called upon to flexibly adapt on-the-fly for the implementation of "home office workplaces" within their broader network environments; in those confused days "cybersecurity" was still a relatively new word for many companies. That all changed pretty quickly – within a very short time it became clear that in order to function securely within the nebulous network environment of the new “home office” frontier, companies would need to overcome the hurdle of cybersecurity – and quickly, at that!

But the pandemic as a trigger for broader consideration of cybersecurity was nothing compared to the next cybersecurity threat that arose on February 24, 2022: with Russia's invasion of Ukraine, the world changed completely in terms of security policy. A notable uptick in cyberattacks on Western infrastructure and NATO partners occurred in the days following the war’s beginning, and as a result, Western organizations both large and small have made secure IT a top priority, applicable to all civilian and military users!

The continually developing economic conflict between the USA and China puts GENEREX and all other western IT companies in a historically special position: network products NOT originating from China have become the clear preference for all operators of western critical infrastructure!

Avoiding Chinese components is a philosophy GENEREX has followed for years. Of course, this decision in favor of Western manufacturing makes our products more expensive than those of competing manufacturers, who do not hesitate to make “political maneuvers” with their pricing in order to gain access to key target markets. With these arising threat scenarios the wind has clearly changed - GENEREX is one of the few remaining manufacturers from the western world producing network products for critical infrastructure in Europe and the USA; it’s thus no wonder that we’ve become the first choice in most data centers!

Already during the "Chip Crisis 2021-2022" this strategy paid dividends - we were one of the few manufacturers who had no delivery problems in the face of supply bottlenecks out of China. Our production was not without interruptions, but these were mostly due to logistical problems and the price poker of the manufacturers – the availability of components from our western distributors was never really endangered, even if prices were temporarily inflated. The decision to manufacture almost everything ourselves has not only allowed us to survive this crisis but has made us the most important manufacturer for the supply of network equipment for critical infrastructure power supplies in the world!

That said, we’re not interested in resting on our laurels…

It is not enough to produce in Europe and the USA, and it is also not enough to have a certificate for a safety standard, e.g. IEC 62443-4-2 or UL 2900-1 or similar, as our competitors do. Such certificates effectively serve as trumped-up production snapshots and may not be worth the paper they are printed on the very next day.

Cybersecurity can only be guaranteed if newly emerging security vulnerabilities are checked and guarded against daily. If our product is affected, the newly detected vulnerability must be closed – without negatively affecting the product's functionality!

In Germany, this oversight is provided by the BSI (Federal Ministry for Information Security); other European institutes such as the Spanish INCIBE (Instituto Nacional de Ciberseguridad) also provide vigilant supervision. These organizations track reports of vulnerabilities in software products (CVE - Common Vulnerabilities and Exposures) and communicate them in real time to the manufacturers concerned. However, any user of our software can also report a vulnerability to us! For this we coordinate between the users and the official bodies, and we publish a vulnerability as a CVE only when a solution for the problem is already available – before hackers can exploit it to cause damage. Such early communication between these organizations and us as the manufacturer ensures that attackers can exploit such vulnerabilities only in unmaintained systems – which is why we want to remind every user to install new security updates as soon as possible. Every firmware update marked "Security Update" in red (visible in the version history / release notes of our products) contains such security updates.

We provide the following email addresses for vulnerability report submissions: security@generex.de for Europe/Global and security@generex.us for North America. We investigate any and all incoming reports and promptly deliver corrected versions as necessary via the download area of the GENEREX websites.

In addition, you can find a "Security"-specific link (https://www.generex.de/security) in the footer of our webpage for reporting or otherwise submitting queries related to the cybersecurity or robustness of our products. The linked page includes the above-mentioned email address, as well as a GPG key for necessary encryption.

Only recently we delivered security update version 2.12 for the UPS network devices "CS141" and for "BACS". This is a very extensive update and requires some changes, so we want to explain what is new here and advise you as a GENEREX partner to update your customers to this version (or a later one) urgently.

Firmware 2.12 Security Enhancements

As always, firmware update 2.12 introduces numerous updates and innovations, and the area of cybersecurity in particular has seen numerous optimizations. The following is a list of the most important changes regarding cybersecurity:

1. Non-essential system services have been pre-disabled
Originally, the CS141 was preset so that it could be put into operation as quickly as possible with little “additional” effort on behalf of the installer. We’ve now had to change that: in the future, only the services that are absolutely necessary for basic operation will run as pre-set. More advanced services will have to be activated by the user via the configuration interface, if required. This concerns Modbus, SNMP, BACnet, Syslog and Serial Trace. These changes to the standard setting apply only to new devices and to devices that are reset to the delivery status with a firmware update. On existing devices that already use these services, the settings remain unchanged.

2. Cybersecurity Warnings / Notifications
The CS141 has received a new info area in its web interface – located on the left of the screen, below the logo – which will in future automatically give notice when, for example, the system is found to be using insecure or default passwords or other security-sensitive settings.

3. Downgrade-Lock as of Firmware 2.12
With Firmware 2.12 many security-relevant changes have been made. We have therefore decided to integrate a blocker into Firmware 2.12 which prohibits a downgrade to "unsafe" firmware versions.

4. TLS 1.3 becomes Standard
One fundamental innovation is that, going forward, the CS141 will meet the specifications and guidelines of modern infrastructures by using TLS 1.3. As long as TLS 1.2 is still used in networks, the CS141 remains compatible with it, but TLS 1.1 is switched off with the new firmware and can no longer be switched on.

5. Hardening Guide
UPS systems or battery systems are rarely to be found in publicly accessible networks – mostly they make up a part of a "technology" network with restricted access from the outside. However, if it is necessary to install the critical infrastructure of a UPS and battery system in a public or otherwise vulnerable network, then it may be necessary to enact additional security measures not otherwise included within our standard protocol. For such situations we provide a description in the manual under "Hardening Guide" on how to configure the CS141 & BACS so that a hacker attack is almost impossible. For customers who want to make sure that their device is as secure as possible, we recommend reading the "Hardening Guide" chapter of the CS141 user manual.
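
One way to verify the TLS behaviour described in item 4 on a device after the update, as an added example that is not GENEREX code: it attempts one handshake per pinned TLS version and compares the outcome with the policy stated above. The default port 443 and all function names are assumptions.

```python
import socket
import ssl
import warnings

# Policy from the firmware 2.12 notes: TLS 1.3 and 1.2 accepted, TLS 1.1 refused.
POLICY = {"TLSv1_3": True, "TLSv1_2": True, "TLSv1_1": False}

def probe(host, port, name, timeout=5.0):
    """True if the server completes a handshake pinned to one TLS version,
    False if it refuses, None if this client cannot offer that version."""
    version = getattr(ssl.TLSVersion, name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Audit probe only: no application data is sent, and devices often ship
    # self-signed certificates, so certificate validation is skipped here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow offering TLS 1.1
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == name.replace("_", ".")
    except ssl.SSLError as err:
        # A local OpenSSL policy that blocks the version is not a server refusal.
        return None if err.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except ConnectionResetError:
        return False

def evaluate(results, policy=POLICY):
    """Compare probe results with the policy and return a list of findings."""
    findings = []
    for name, expected in policy.items():
        got = results.get(name)
        if got is None:
            findings.append(f"{name}: not tested (client cannot offer it)")
        elif got and not expected:
            findings.append(f"{name}: accepted but should be refused")
        elif expected and not got:
            findings.append(f"{name}: refused but should be accepted")
    return findings

def audit(host, port=443):  # port 443 is an assumption
    return evaluate({name: probe(host, port, name) for name in POLICY})
```

Call `audit("<device address>")` from a host inside the management network; an empty list means the device matches the stated policy, and a "not tested" entry means the check must be repeated from a client that can still offer that version.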