Organizations secure work phones and company laptops, but attackers could target the electrical current running through those devices. Direct current (DC) power regulation helps stabilize the energy powering electronics people use daily, from solar panels and connected cars to smartphones and essential computer parts. It's also vital across critical infrastructures, including telecommunications, industrial automation, and data centers. DC regulators provide stable voltage to prevent damage or, more concerningly, outages caused by power surges. The power ecosystem is becoming more complex as technology advances, opening a potential new attack vector. Many well-known attacks against DC power infrastructure are often viewed as unexplained physical damage, safety system failures, and mysterious outages, but that may not be the case, says Andy Davis, global research director at NCC Group. Software vulnerabilities that could be exploited have been found in some newer, more sophisticated DC regulator models.[1]
Early in the industrial age, electrical power did not need to be well-regulated. Electricity just needed to power systems adequately enough to complete simple tasks, Davis explains. But IT systems have grown immensely more complicated over the years, requiring more power and experiencing greater voltage fluctuations. In addition, emerging technologies such as artificial intelligence (AI) and quantum computing are major electricity hogs. "The technology associated with making sure that the power is consistent, managed, and efficiently delivered has become more complex," Davis tells Dark Reading. "As a result, it's become part of the attack surface."
While power regulators have become increasingly important for managing increasingly complex ecosystems, they are "often overlooked security dependencies," Davis says. Potential concerns have crept into the IT industry, but awareness needs to expand because the layer can be attacked just like the systems it powers, he warns. Compromising a system's power flow can cause the same disruption as breaching the network. Regulators sit underneath the operating system (OS). Attackers could easily hide there, outside the layers that organizations monitor with anti-malware or antivirus systems, Davis says. "There's the potential to silently hide within infrastructure," he says. "[Threat actors] could create backdoors into the power-controlling infrastructure, rather than the infrastructure itself."
One of the biggest concerns is that people often view power issues such as unexplained physical damage, safety system failures, and mysterious outages as glitches, but not necessarily potential cyberattacks. That mindset could put organizations in jeopardy. Because regulators operate below the OS level, threat actors who successfully exploit and compromise devices can impact performance, trigger shutdowns, or even damage hardware without being seen, adds ExtraHop CISO Chad LeMaire. "These factors are making DC power regulators a more frequent and lucrative target for attackers looking to undermine an organization or create a window of downtime for other nefarious purposes," LeMaire stated.
Organizations can no longer consider regulators as passive components that simply deliver voltage. Many of them are now programmable, firmware-driven systems that control how devices physically operate, says NetRise SVP Gary Schwartz. The shift is reflected in real products, he adds. For example, semiconductor manufacturer STMicroelectronics ships programmable power devices with configurable behavior, and its ecosystem already appears in the National Vulnerability Database, with dozens of CVEs tied to firmware and supporting software.
"That's a reminder that once power regulation becomes software-driven, it inherits the same supply chain risk as any other code," Schwartz says. "The concern isn't just the presence of vulnerabilities; it's how quickly they can be exploited." Two categories of potential fallout exist. On the smaller side, attackers could exploit a single power regulator affecting multiple servers. If a threat actor attacks the power regulator that's supplying those servers, they could create denial-of-service (DoS) attacks, Davis warns. "If you ramp it up to a data center, it has a greater impact without having to attack multiple servers," he says. "There's potential for a large Denial-of-Service scenario."
Larger-scale issues that could harm people could occur if threat actors target operational technology (OT) safety-critical systems. A connected car with a power system controlling embedded computers within the vehicle is one example in which attacks could compromise physical safety, explains Davis. As Schwartz points out, unprotected power regulators could lead to supply chain risks. The components that make up complex power architecture may include third-party software or firmware, raising questions about how it was developed.
To get ahead of potential threats, organizations should essentially treat power regulation as part of their security architecture, Davis recommends. Regulators are often considered part of the background and are, therefore, taken for granted. Many times, power is monitored from a usage perspective, not a security perspective, and that needs to change, he says.
Organizations are already familiar with ways to improve DC power regulator security, because these are the same standard protocols they use in enterprise networks, such as segmentation and monitoring. Enforcing cryptographic signing and secure boot mechanisms for power management software is another key element to defend against threats that manipulate DC power regulators and other hardware increasingly connected to the network, LeMaire advises.
It may seem like devices are just powering equipment, but that equipment has become more power-hungry. Complexity emerged from a drive for efficient power distribution. People are concerned about green energy and how efficiently it can be produced, Davis adds. "People need to be aware that the complexity brings additional threats and needs to be considered as part of the threat model," he says. "The overarching statement is around the risk of attackers using this potential vulnerability to hide in." Awareness needs to increase because the matter is only going to grow more complicated. "We're already seeing things like AI being used as part of power regulation," Davis says. "It's going to get more complex, for sure. People need to grapple with it right now."
[1] https://www.darkreading.com/cyber-risk/electricity-growing-area-cyber-risk