Slashdot Mirror


SCADA "Selfies" a Big Give Away To Hackers (csmonitor.com)

chicksdaddy writes: The world's governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don't make an adversary's job easier." iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge valuable information to adversaries like organization charts or lists of employees — valuable sources of information for would-be attackers, says McBride. That kind of slip-up has aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran's uranium enrichment operation – what an expert once described as "intel to die for."

  1. What a load of garbage by thegarbz · Score: 4, Insightful

    may unwittingly reveal critical information that operators would prefer to keep secret

    If your attacker is waiting only on the type of system you have installed to attack you then you are absolutely screwed. I don't know of any company that keeps that a trade secret. I know what control systems and safety systems are used in various nuclear facilities, even though I work in a different sector. The vendors will proudly tell you who has which system, sometimes even telling you which model processor cards etc. are used in other facilities. At one control industry conference I attended, a nuclear power operator gave a public presentation on how their control system is designed, complete with full network layout, and exact makes, models, and firmware revisions of control and safety components.

    "Selfies" are truly the least of a company's concern. Especially low resolution Instagram crap. Is that a super fancy new Triconex safety system I see? Or is it one from the 80s, hard to tell because the designs still look the same.

  2. The post-9/11 "hide wonders from the kids" blues by TheRealHocusLocus · Score: 4, Insightful

    Not to skim off the delicious prattle of hackers zooming in on clunky JPGs to reveal passwords written on post-it notes (on CSI they have ways to zoom down to pimple-hair level)... well of course it's possible, no duh... there's a phenomenon I'd like to point out I feel will have a more disastrous effect than terrorism.

    Part of it arises from the modern invention of "adolescence", when children have become sentient and somewhat responsible but have years to go before that magic 18th birthday, when it becomes legally possible to drink, vote and be thrown out of the house --- all on the same day. For a good part of the 20th century after school care options were limited but this did not seem to be much of a problem, most suburban kids ran wild and made it home in time for dinner. And those without a stay-at-home parent might go home, but some would check in with or join their parents at work. It was not uncommon to see after-school children hanging around any workplace. Then through the 80s and 90s things changed, as what we now know as the 'helicopter parent' rose to power --- ironically --- children became more segregated from the adult world than ever before. There were now places to go after school where children could be supervised by adults, yet remain wholly disconnected from the adult world. Where the presence of children in the workplace was once considered a polite necessity, children are now all but dis-invited, by concerns of distraction or corporate liability or just plain meanness, take your pick. Late in the game campaigns like Take Your Daughter To Work (Or Your Son Too, Sorry About That) Day came into being as some adults realized that society was being transformed by this segregation, but the novelty of a single day cannot replace the extent that youth had participated, or at least been aware, in the past.

    Just as class trips give glimpses of the adult world, we must recall a time not so long ago when families took these trips too. As the world has gotten more paranoid and especially post-9/11, some of the most awesome wonders of the modern world are off-limits to children and adults alike. I recall the remarks of a gent who runs a nuclear power plant in Britain who sadly attributed the rise in irrational fear among the public to the (rather) sudden cessation of tours at the turn of the century, when groups once had been shown all areas and the kids were full of questions. And he is not alone, there has been a general lockdown of the more interesting and inspiring places in the industrial world, which stems from the simple question, "What's the worst thing a terrorist could do? Can we ensure that could never happen?" Not really, but we can lock doors and shut people out. That's a safe thing to do. At what cost though?

    If all of your kids want to grow up to become video game designers, and no one seems to have any interest in running a refinery or keeping the power grid energized, and continue to act like children well into their adult years... then at least you should be able to figure out why. It has to do with the forced segregation of children and adults, and general lock-down of the inspiring wonders that the young could once have seen, for the price of a bus ticket.

    We should be giving open tours again, not outlawing cameras. The future is at stake.

    --
    <blink>down the rabbit hole</blink>