Server Technology PRO4X Rack PDUs Ace Third-Party VAPT Security Testing

Elie Byrne
April 17, 2025


Cybercriminals relentlessly target data centers to steal personal data or shut down and disrupt vital networks. According to a recent analysis by PwC, mega breaches are increasing in number and scale: the proportion of businesses that have experienced a data breach exceeding US $1 million has increased significantly year over year, from 27% to 36%.

That’s why every inch of a data center’s infrastructure must be rigorously prepared to withstand cyberattacks.

In an ongoing effort to provide the most secure and reliable data center rack power distribution products, we subjected our PRO4X Rack PDUs to an independent third-party review for vulnerability and penetration testing. To this end, we engaged CBIZ Pivot Point Security (CPPS), a third-party testing company recognized for its ability to challenge and determine if technology products meet industry best practices for digital security.

The Test

We asked CPPS to conduct an IoT security assessment and vulnerability and penetration test (VAPT) against the PRO4X Rack PDU and its embedded firmware. While our testing and quality teams strive to follow industry best practices, review current vulnerability notices, and conduct our own vulnerability testing with third-party tools, we wanted to be sure that we were identifying and mitigating security risks and uncovering hidden weaknesses that might have been overlooked.

We also asked CPPS to validate our compliance with California SB-327, which stipulates that reasonable security features must be available to protect devices from unauthorized access, destruction, use, modification, or disclosure. To meet this requirement, the PDU requires users to change the default password after the first product login, ensuring ongoing security once a device is installed.

We also specifically wanted CPPS to report on whether our products’ security measures were consistent with industry best practices outlined in the National Institute of Standards and Technology Interagency Reports (NISTIR) 8259. NISTIR 8259 is the second edition of NIST’s standard, “Foundational Cybersecurity Activities for IoT Device Manufacturers.” NISTIR 8259 recommends cybersecurity activities that manufacturers should perform before they sell their IoT devices to customers.

The Results 

After a broad scope of testing, including the device firmware, the device's SDK and APIs, cryptographic keys and certificates, device-to-device communication (e.g., PDU linking and cascading), port security on the controller, and more, CPPS' VAPT testing confirmed that the PRO4X PDU is secured in a manner consistent with industry best practices and on par with other tested peer devices.

The CPPS tests confirm our commitment to security when engineering our rack PDU products. Our full line of PRO4X intelligent PDUs includes the latest network security protocols and the most diverse user authentication and management options, leveraging best-in-class data encryption methods. 

The beauty of this type of testing is that the vendor (in this case, us) receives additional recommendations on how to further secure the devices (which we implemented!) as well as resolution of any issues identified during the testing process. Our intelligent PDUs are continuously updated to maintain security during deployment and to meet the increased network security requirements of high-risk environments.

To further prove this point, our PDUs employ these security measures to protect our customers’ equipment, data, and networks:

  • Encryption – As rack PDUs are connected to management networks and production networks, data sent or received by the PDUs is encrypted. PRO4X PDUs enable secure communication by default and use the strongest encryption in the industry.

  • Password Policies – Even with other security measures available and implemented, passwords remain the most critical security component. PRO4X PDUs provide several ways to ensure that passwords are strong and current.

  • Firewall – Intelligent PRO4X PDUs can be accessed over the network for simple data collection, critical alert notifications, and power control. With systems and users accessing data from various corporate network segments, it is crucial to eliminate unauthorized access, which PRO4X PDUs do by means of IP-Based Access Control List (IP ACL) rules and Role-Based Access Control (RBAC) rules.

  • Defense in Depth – PRO4X PDUs are commonly used to remotely manage power infrastructure and servers. To keep them safe from network attacks, we layer security measures so that our rack PDUs stay one step ahead of these threats.

  • Certificates – Digital certificates verify that both parties in a secure connection are authorized users. As rack PDUs are increasingly accessed over public networks, the PDU uses the latest and most secure ciphers, and it can use CA-issued certificates, self-signed certificates, your own certificates, or certificates that are both created and signed on the PDU itself, protecting against man-in-the-middle attacks.

  • Hardware Root of Trust – To further ensure the foundation for secure operations, PRO4X PDUs include Secure Boot features, ensuring the integrity and authenticity of the PDU's boot process and subsequent operations. Facilitated by the PDU’s onboard Secure Element cryptographic security module, should any of the PDU's firmware or file system validation fail, the PDU will immediately cut short the boot process without compromising the stability of the critical load, thereby ensuring that only authenticated, untampered firmware can run on the PDU.
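The "Firewall" bullet above names two access-control layers, an IP ACL and RBAC, without showing how they combine. The following is an added illustration written for this article, not Server Technology's code and not the PRO4X implementation: it models an ordered IP ACL evaluated first (first match wins, default deny), followed by a role-based check on the requested operation. The rule set, role names, and operation names are constructed for the example.

```python
"""Added illustration (not Server Technology's code) of the two access-control
layers named for PRO4X PDUs: an ordered IP ACL evaluated first, then RBAC on
the requested operation. Rules, roles and operation names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AclRule:
    network: str   # CIDR prefix the rule matches, e.g. "10.20.0.0/16"
    action: str    # "allow" or "deny"


# Assumed PDU-side ACL. Evaluated top to bottom, first match wins, and an
# address that matches nothing is denied (fail closed).
IP_ACL: List[AclRule] = [
    AclRule("10.20.5.0/24", "deny"),    # constructed: quarantined segment
    AclRule("10.20.0.0/16", "allow"),   # constructed: management VLAN
    AclRule("192.0.2.0/24", "allow"),   # constructed: monitoring hosts
]

# Assumed role -> permitted operations (RBAC). Names are examples only.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":   {"read_sensors", "read_outlet_state"},
    "operator": {"read_sensors", "read_outlet_state", "switch_outlet"},
    "admin":    {"read_sensors", "read_outlet_state", "switch_outlet",
                 "change_password", "update_firmware", "edit_acl"},
}


def acl_decision(client_ip: str, rules: List[AclRule] = IP_ACL) -> str:
    """Return 'allow' or 'deny' for client_ip under first-match semantics.
    An IPv6 client never matches an IPv4 prefix, so it falls through to deny."""
    addr = ip_address(client_ip)
    for rule in rules:
        if addr in ip_network(rule.network):
            return rule.action
    return "deny"


def authorize(client_ip: str, role: str, operation: str,
              rules: List[AclRule] = IP_ACL,
              perms: Dict[str, Set[str]] = ROLE_PERMISSIONS) -> Tuple[bool, str]:
    """Decide a request. The network layer is checked before RBAC, so a
    request from a blocked segment is refused even with a valid admin session,
    and an unknown role has no permissions at all."""
    if acl_decision(client_ip, rules) != "allow":
        return False, f"source {client_ip} rejected by IP ACL"
    if operation not in perms.get(role, set()):
        return False, f"role '{role}' is not permitted to '{operation}'"
    return True, "allowed"


if __name__ == "__main__":
    for ip, role, op in [("10.20.1.7", "viewer", "switch_outlet"),
                         ("10.20.1.7", "operator", "switch_outlet"),
                         ("10.20.5.7", "admin", "read_sensors"),
                         ("203.0.113.9", "admin", "edit_acl")]:
        ok, why = authorize(ip, role, op)
        print(f"{ip:>12} {role:<8} {op:<18} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

The ordering matters: putting the narrower deny rule above the broader allow is what lets a single quarantined subnet be carved out of an otherwise trusted management range, and evaluating the ACL before the role check means a stolen admin credential is useless from outside the permitted segments.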
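The "Hardware Root of Trust" bullet describes a fail-closed chain: the boot halts as soon as any firmware or file-system validation fails. The model below is an added example for this article, not the PDU's actual firmware or Server Technology's code. It uses a pinned-digest chain (an immutable anchor holds the trusted digest of the first stage, and each verified stage vouches for the digest of what it loads next) as a stand-in for the public-key signature checks a real secure element performs, so that it runs with only the Python standard library. The image contents and stage names are constructed.

```python
"""Added model (not the PDU's firmware) of a fail-closed verified-boot chain:
an immutable anchor pins the first stage's digest, each stage's manifest pins
the next, and any mismatch halts the boot before the unverified image runs.
A real secure element anchors a public key and verifies signatures; the
pinned SHA-256 chain here is a stand-in so the example needs only stdlib."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Stage:
    name: str
    image: bytes                                             # stand-in for firmware / file system
    manifest: Dict[str, str] = field(default_factory=dict)   # name -> expected sha256 of what it loads


@dataclass
class BootResult:
    ok: bool
    ran: List[str]      # stages that passed validation and were allowed to run
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def boot(anchor_digest: str, stages: List[Stage]) -> BootResult:
    """Validate stages in order. anchor_digest plays the role of the value
    held in the secure element: stages[0] must match it, and every later
    stage must match the digest its predecessor's manifest declares. On any
    mismatch the boot stops at once; nothing after the failing stage runs."""
    expected = {stages[0].name: anchor_digest} if stages else {}
    ran: List[str] = []
    for stage in stages:
        want = expected.get(stage.name)
        if want is None:
            return BootResult(False, ran, f"{stage.name}: no trusted digest, halted")
        if not hmac.compare_digest(sha256_hex(stage.image), want):
            return BootResult(False, ran, f"{stage.name}: digest mismatch, halted")
        ran.append(stage.name)
        expected.update(stage.manifest)     # a verified stage vouches for the next
    return BootResult(True, ran, "all stages verified")


def build_chain(bootloader: bytes, firmware: bytes, rootfs: bytes) -> Tuple[str, List[Stage]]:
    """Assemble a consistent chain at 'factory time': each stage's manifest
    pins the digest of the stage after it, and the anchor pins the bootloader.
    Returns (anchor_digest, stages)."""
    stages = [
        Stage("bootloader", bootloader, {"firmware": sha256_hex(firmware)}),
        Stage("firmware", firmware, {"rootfs": sha256_hex(rootfs)}),
        Stage("rootfs", rootfs),
    ]
    return sha256_hex(bootloader), stages


if __name__ == "__main__":
    anchor, chain = build_chain(b"bootloader v1", b"firmware v2.1", b"rootfs image")
    print("clean boot:    ", boot(anchor, chain))
    chain[2].image = b"rootfs image (modified)"   # simulate a tampered file system
    print("tampered rootfs:", boot(anchor, chain))
```

The point the model makes is that trust only flows forward: a stage is checked against a digest supplied by an already-verified predecessor, never by itself, and the decision to halt is taken before the questionable image executes, which is what lets the device refuse to run tampered firmware while the power path it feeds is left undisturbed.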

With cybercrime on the rise and new threats constantly emerging, managing cyber risks can seem complicated. Our VAPT testing results have helped us prove our commitment to security and organizational technical controls. Server Technology is one of the only PDU manufacturers participating in this type of third-party independent testing.

We have taken this additional time-consuming and expensive testing step to ensure our teams are risk-aware and continue to proactively identify and address weaknesses that may arise in our products. Other key initiatives include our recent ISO/IEC 27001 certification and government approval of USGv6-r1 capabilities—covering Core, SLAAC, Address Architecture, and IPv6-Only—validated through rigorous testing by the University of New Hampshire InterOperability Laboratory (UNH-IOL).

If you would like to learn more about our VAPT testing results or the features available to ensure the security of our PDUs, please contact us.