The Raritan Blog

Raritan PX4 Rack PDUs Pass Rigorous VAPT Security Testing

April 17, 2025

Data centers are increasingly targeted by cybercriminals aiming to steal sensitive information or cause major disruptions to critical systems. A recent PwC report highlights this alarming trend: the number of large-scale breaches is climbing, with 36% of companies reporting incidents costing over $1 million, up from 27% the previous year.

To defend against these growing threats, every component of a data center’s infrastructure must be designed with cybersecurity in mind.

As part of our commitment to providing the most secure and reliable rack power distribution products, we put our PX4 Rack PDUs through an independent third-party vulnerability and penetration test. We partnered with CBIZ Pivot Point Security (CPPS), a third-party testing company known for challenging technology products to determine whether they meet industry best practices for digital security.

The Test
We partnered with CBIZ Pivot Point Security (CPPS) to conduct an IoT security assessment and Vulnerability and Penetration Testing (VAPT) on our PX4 Rack PDU and its embedded firmware. Our testing and quality teams already strive to follow the industry's best practices, review current vulnerability notices, and conduct our own vulnerability testing with third-party tools. Even so, we wanted independent confirmation that we are identifying and mitigating security risks, and that no hidden weaknesses had been overlooked.

As part of this initiative, we also asked CPPS to verify our compliance with California SB-327. This regulation requires that reasonable security features be available to protect devices from unauthorized access, destruction, use, modification, or disclosure. To comply, our products require users to change the default password after the first login, ensuring ongoing security once a device is installed.

In addition, we specifically wanted CPPS to report on whether our products’ security measures were consistent with industry best practices outlined in the National Institute of Standards and Technology Interagency Reports (NISTIR) 8259. NISTIR 8259 is the second edition of NIST’s standard, “Foundational Cybersecurity Activities for IoT Device Manufacturers.” NISTIR 8259 recommends cybersecurity activities that manufacturers should perform before they sell their IoT devices to customers.

The Results
Following a broad scope of testing that covered device firmware, SDKs and APIs, cryptographic keys and digital certificates, device-to-device communications such as PDU linking and cascading, port security on the controller, and more, CPPS' VAPT testing confirmed that the PX4 PDU is secured to a level consistent with industry best practices and on par with other tested peer devices.

The CPPS tests validate our ongoing dedication to security throughout the engineering process of our rack PDU products. The full line of PX4 intelligent PDUs features the latest network security protocols and the most diverse user authentication and management options, leveraging best-in-class data encryption methods.

One of the most valuable aspects of third-party cybersecurity testing is the actionable insight it provides. CPPS not only confirmed the strength of our existing security protocols but also delivered recommendations for further hardening our devices (which we implemented!) and for resolving any issues identified during the testing process. Our intelligent PDUs are continuously updated to ensure safe deployment and to meet the increased network security requirements of high-risk environments.

To further prove this point, our PDUs employ these security measures to protect our customers’ equipment, data, and networks:

  • Encryption – As rack PDUs are connected to management networks and production networks, data sent or received by the PDUs is encrypted. PX4 PDUs enable secure communication by default and use the strongest encryption in the industry.
  • Password Policies – Even with other security measures in place, passwords remain the most critical security component. PX4 PDUs provide several ways to ensure that passwords are strong and current.
  • Firewall – Intelligent PX4 PDUs can be accessed over the network for simple data collection, critical alert notifications, and power control. With systems and users accessing data from various corporate network segments, it is crucial to eliminate unauthorized access through the following means: IP-Based Access Control Lists (IP ACL) rules and Role-Based Access Control (RBAC) rules.
  • Defense in Depth – PX4 PDUs are commonly used to remotely manage power infrastructure and servers. To keep them safe from network attacks, we implement security measures that keep our rack PDUs one step ahead of these threats.
  • Certificates – Digital certificates ensure that both parties in a secure connection are authorized. As rack PDUs are increasingly accessed over public networks, the PDU uses the latest and most secure ciphers and supports CA-signed or self-signed certificates, either uploaded by you or generated and signed on the PDU itself; together these protect against man-in-the-middle attacks.
  • Hardware Root of Trust – To further ensure the foundation for secure operations, PX4 PDUs include Secure Boot features, ensuring the integrity and authenticity of the PDU's boot process and subsequent operations. Facilitated by the PDU’s onboard Secure Element cryptographic security module, should any of the PDU's firmware or file system validation fail, the PDU will immediately cut short the boot process without compromising the stability of the critical load, thereby ensuring that only authenticated, untampered firmware can run on the PDU.

With cybercrime on the rise and new threats constantly emerging, managing cyber risks can seem complicated. Our VAPT testing results have helped us prove our commitment to security and organizational technical controls. Raritan is one of the only PDU manufacturers participating in this type of third-party independent testing.

We have taken this additional time-consuming and expensive testing step to ensure our teams are risk-aware and continue to proactively identify and address weaknesses that may arise in our products. Other key initiatives include our recent ISO/IEC 27001 certification and government approval of USGv6-r1 capabilities—covering Core, SLAAC, Address Architecture, and IPv6-Only—validated through rigorous testing by the University of New Hampshire InterOperability Laboratory (UNH-IOL).
If you would like to learn more about our VAPT testing results or the features available to ensure the security of our PDUs, please contact us.