SCADA "Selfies" a Big Give Away To Hackers (csmonitor.com) 54
chicksdaddy writes: The world's governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.
"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don't make an adversary's job easier." iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge valuable information to adversaries like organization charts or lists of employees — valuable sources of information for would-be attackers, says McBride. That kind of slip-up have aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran's uranium enrichment operation – what an expert once described as "intel to die for."
"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don't make an adversary's job easier." iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge valuable information to adversaries like organization charts or lists of employees — valuable sources of information for would-be attackers, says McBride. That kind of slip-up have aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran's uranium enrichment operation – what an expert once described as "intel to die for."
Security through obscurity (Score:1)
Well, the two-edged sword once again.
On one hand it's not a good idea to build your security around the intruder not acquiring information. Sooner or later someones tongue will slip, especially if they are fired and have beef with the company.
On the other hand security through obscurity is another layer of protection. It's another step that an intruder has to step over and will stop most script kiddies.
Re: (Score:2)
Re: (Score:1)
yeah. for about 10 minutes.
Re: (Score:3)
It isn't really obscurity, it is a function of initial attack surface. You aren't trying to obscure the fact that John Doe works as a network technician in the controls division, but you are hoping to limit that as an initial attack vector, especially given Mr. doe's proclivity for going to the strip joint on his lunch break. But, if someone does subvert Mr. Doe, you do want the fact that Mr. Smith is responsible for network security audits of the control systems.
Likewise, giving out all the details of va
Why don't we intentionally spread bad information? (Score:2)
See: Human Health, Tobacco.
What a load of garbage (Score:5, Insightful)
may unwittingly reveal critical information that operators would prefer to keep secret
If you attacker is waiting only on the type of system you have installed to attack you then you are absolutely screwed. I don't know of any company that keeps that a trade secret. I know what control systems and safety systems are used in various nuclear facilities, even though I work in a different sector. The vendors will proudly tell you who has which system, sometime even telling you which model processor cards etc are used in other facilities. One control industry conference I attended a nuclear power operator gave a public presentation on how their control system is designed complete with full network layout, and exact make, models, and firmware revisions of control and safety components.
"Selfies" are truly the least of a company's concern. Especially low resolution Instagram crap. Is that a super fancy new Triconex safety system I see? Or is it one from the 80s, hard to tell because the designs still look the same.
Not quite (Score:3)
On another level, this is not complete garbage.
But it's all about the people there knowing what is a secret and what is not and more important: what is in plain view, is not a secret.
"SCADA selfies" could indeed be dangerous. But not because someone sees the model of the command console or a schematic of the power plant (which will 99% look like ANY OTHER plant).
The dangerous thing is the password written on the blackboard!
Ask TV5. They had their website CMS and social media accounts taken over (IIRC ISIS)
Re: (Score:3)
I'll start quaking in my boots over that one when vendors stop using hardcoded admin passwords and plants stop leaving default passwords in place. I attended a factory acceptance test once at a vendor. Evidentally from the recently open file list in the control program so did a competitor. So I wondered ... then I clicked ... then I typed the same password we used on our site into the competitor's file and bam, complete control logic for an entire unit of an oil refinery.
There's no need to write a password
Re: (Score:2)
At the absolute minimum, make the password the serial number. For example, one embedded device I used had its default PW exactly this. Or, like HP devices with the iLO password on a pull-out card, have the password on that. This way, one would need physical access to the server to glean the password.
Of course, the ideal would be an e-Ink display on the front of a device that has the password on it (either displayed, or displayable with a button push). When the device is hard reset and reloaded, said pas
Re: (Score:1)
It isn't just a password on a Post-It note. It could be anything in the picture. Reflections come to mind, showing what is behind the camera. Or, more esoteric things like the placement of air ducts. Even the type of lock on the door can give the enemy some actionable intel.
A good example of this was a company I interviewed at, which is no longer in business. The interviewer repeatedly bragged how they were "one hundred percent secure" with their electronic, biometric locks. Well, the doors were using
Re: (Score:2)
But again: the problem is not that a possible intruder would know about weak locks. The problem is relying on weak locks!
It is not quite security through obscurity, but it is the same golden rule that confirms that some cipher is working: Assume every detail about it is public. Following that approach will lead to a secure control room: Assume it is public. Assume everyone would know about the cheap locks. Assume anyone could see your post-its. Simply because outsiders WILL see it. no matter if it's a SCADA
Social Engineering (Score:2)
Re: (Score:2)
You're over thinking things. The physical security on most of these sites are so lacking that you don't need any of this information to get started.
The name of an employee with access to these rooms, where exactly he's working and some info about his job.
Still over thinking things. For the most part you can barely tell from these pictures if the person is a high level engineer or an electrical apprentice, much less required details that makes your convoluted approach a risk.
Throughout the industry:
- Sites have poor physical security.
- Sites have poor IT security.
- Sites have poor cyber security.
- Sites have poor
Re: (Score:1)
If you attacker is waiting only on the type of system you have installed to attack you then you are absolutely screwed.
I don't think anyone's suggesting that. They're saying that finding out what SCADA gear is installed at a particular location is one barrier to attack. Sure, you can go listen to a bunch of Schneider, Siemens, Rockwell, and Eaton trade show presentations or hope that their marketing literature mentions the big contract with Ginna Nuclear, but if their safety engineer posts a selfie from the control center, an attacker saves a lot of boring research.
It's like that ATM company a few years ago, so proud of t
Re: (Score:2)
hope that their marketing literature mentions the big contract with Ginna Nuclear, but if their safety engineer posts a selfie from the control center, an attacker saves a lot of boring research.
Hope is hope. There's no difference to hoping someone will tell you what system is in use compared to hoping someone will post a selfie with it. The research there is the same, and wildly more time intensive than a simple social engineering call to either the vendor or the site. My point is that people don't guard this information or consider it worth guarding and will happily give it out to just about anyone. You don't need a selfie for compromise when the information isn't kept secret.
Intel to die for? (Score:2)
Isn't that when you find the CPU in your nuclear missile command centre has a Pentium bug?
Re: (Score:2)
That's why we don't bother reading TFA. It doesn't change our minds, it doesn't change our comments. It doesn't make any difference if it is a Rick Roll.
TL;DR
The post-9/11 "hide wonders from the kids" blues (Score:5, Insightful)
Not to skim off the delicious prattle of hackers zooming in on clunky JPGs to reveal passwords written on post-it notes (on CSI they have ways to zoom down to pimple-hair level)... well of course it's possible, no duh... there's a phenomenon I'd like to point out I feel will have a more disastrous effect than terrorism.
Part of it arises from the modern invention of "adolescence", when children have become sentient and somewhat responsible but have years to go before that magic 18th birthday, when it becomes legally possible to drink, vote and be thrown out of the house --- all on the same day. For a good part of the 20th century after school care options were limited but this did not seem to be much of a problem, most suburban kids ran wild and made it home in time for dinner. And those without a stay-at-home parent might go home, but some would check in with or join their parents at work. It was not uncommon to see after-school children hanging around any workplace. Then through the 80s and 90s things changed, as what we now know as the 'helicopter parent' rose to power --- ironically --- children became more segregated from the adult world than ever before. There were now places to go after school where children could be supervised by adults, yet remain wholly disconnected from the adult world. Where the presence of children in the workplace was once considered a polite necessity, children are now all but dis-invited, by concerns of distraction or corporate liability or just plain meanness, take your pick. Late in the game campaigns like Take Your Daughter To Work (Or Your Son Too, Sorry About That) Day [wikipedia.org] came into being as some adults realized that society was being transformed by this segregation, but the novelty of a single day cannot replace the extent that youth had participated, or at least been aware, in the past.
Just as class trips give glimpses of the adult world, we must recall a time not so long ago when families took these trips too. As the world has gotten more paranoid and especially post-9/11, some of the most awesome wonders of the modern world are off-limits to children and adults alike. I recall the remarks of a gent who runs a nuclear power plant in Britain who sadly attributed the rise in irrational fear among the public to the (rather) sudden cessation of tours at the turn of the century, when groups once had been shown all areas and the kids were full of questions. And he is not alone, there has been a general lockdown of the more interesting and inspiring places in the industrial world, which stems from the simple question, "What's the worst thing a terrorist could do? Can we ensure that could never happen?" Not really, but we can lock doors and shut people out. That's a safe thing to do. At what cost though?
If all of your kids want to grow up to become video game designers, and no one seems to have any interest in running a refinery or keeping the power grid energized, and continue to act like children well into their adult years... then at least you should be able to figure out why. It has to do with the forced segregation of children and adults, and general lock-down of the inspiring wonders that the young could once have seen, for the price of a bus ticket.
We should be giving open tours again, not outlawing cameras. The future is at stake.
Re: (Score:3)
I remember taking a field trip in 4th grade to the local telephone central office. We toured the entire facility. I don't think I would be who/where I am today if I hadn't have taken that field trip. I had never seen so many different wires and connections and lights, and I wanted to know what they all did.
Today, the CO is a "domestic terrorist target" and as such is off limits to anyone, especially those pesky 10 year olds. You know they're all secret sleeper cells, right? Kids today are screwed, they
Re: (Score:2)
I remember taking a field trip in 4th grade to the local telephone central office. We toured the entire facility. I don't think I would be who/where I am today if I hadn't have taken that field trip. I had never seen so many different wires and connections and lights, and I wanted to know what they all did.
I had one of the most amazing nerd-childhoods in the 1970s growing up as a free range kid in St. Thomas in the US Virgin Islands. A total microcosm of modern infrastructure in a small area. My after-school jaunts might take me to the telephone exchange, a radio station where I could use the production room if it was free and the chief engineer would let me know if he was going to do work on the transmitter, the (self contained no grid) power plant, a central monitoring alarm company that also broadcast Muza
Re: (Score:3)
become video game designers, and no one seems to have any interest in running a refinery
As someone who has dabbled in the former I'm glad to be doing the latter. But you are 100% right, we live in a sad world without exposure to the amazing things around us. As kids we latch on to amazing world around us. Every international flight has left me wanting (briefly) to become a pilot after sitting in the cockpit and asking (what must have been to the pilots) an endless stream of questions about what each button does. Every time there was an open day at the brigade I left wanting to be a fireman. In
Re: (Score:2)
Re: (Score:2)
Well said. I will be forwarding this post to friends and family. And next time my son is off school, he is coming to work with me - no matter how bored he may get.
This was pretty dumb of the workers (Score:2)
I don't know. I mean I work at a place that requires some form of secrecy in the form of NDAs and only talk to your close family about what you do. My employer regularly looks at employee public facing social media to look for stuff like this because it's a big deal, and every year one idiot seems to get fired or suspended because of this. It's not out of the ordinary. Your employer hires you to do a job and while you're on their property you have to follow their rules. They even went so far as to make thei
Re: (Score:2)
No, we do processing for clients that compete with each other.
Utilities have exported the SCADA plans for years (Score:1)
This is the new generation of attack (Score:2)
I never expected our small org to be the recipient of a "spear phishing" attack but it was.
Apparently these scams are on the rise. The attacker takes the time to learn as much as they can about the org using public information. In our case, the "attacker" waited for the xmas holiday when she knew that people would be out of the office (and therefor have auto-replies set up) to harvest some e-mail addresses (complete with sigs).
Once she had that, she was able to create an e-mail that looked identical a norma
Magazine publishing (Score:2)
Is anyone else reminded of the old Playboy spread from the mid 90s that featured a model inside a DIGITAL data center? As I recall there was some butthurt about this at the time because there were supposed to be no cameras in that DC (and apparently there had been no permission given).
Though, in that case, it was just some pictures of server racks (and hers, of course) but its funny to cameras in datacenters coming up as (possibly) a real issue all these years later.
after a quick google search ... (Score:2)
security through bscurity is rubbish (Score:2)
The problem isn't selfies, the problem is poor maintenance, system design etc. This just gives the idiot who made the decision to connect the internet to the floodgate controller the ability to point his finger at someone else.
Its a simple rule don't directly connect your control plane to your windows desktop network that surfs the Internet. It's a bit like a toilet in the corner of your bedroom, undoubtedly convenient but a dumb idea.
Re: (Score:2)
A lot of this remote network upgrade was sold to remove the human side to a site or area. So now the open internet has been let deep into once restricted and air gapped locations that would have been be very secure.
The next rush is to upgrade security and sell or rent advanced systems to keep the same old networks secure.
For that marketing to work, real world press has