Slashdot Mirror


SCADA "Selfies" a Big Give Away To Hackers (csmonitor.com)

chicksdaddy writes: The world's governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don't make an adversary's job easier." iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge valuable information to adversaries like organization charts or lists of employees — valuable sources of information for would-be attackers, says McBride. That kind of slip-up has aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran's uranium enrichment operation – what an expert once described as "intel to die for."

8 of 54 comments

  1. What a load of garbage by thegarbz · · Score: 4, Insightful

    may unwittingly reveal critical information that operators would prefer to keep secret

    If your attacker is waiting only on the type of system you have installed to attack you then you are absolutely screwed. I don't know of any company that keeps that a trade secret. I know what control systems and safety systems are used in various nuclear facilities, even though I work in a different sector. The vendors will proudly tell you who has which system, sometimes even telling you which model processor cards etc are used in other facilities. At one control industry conference I attended, a nuclear power operator gave a public presentation on how their control system is designed complete with full network layout, and exact make, models, and firmware revisions of control and safety components.

    "Selfies" are truly the least of a company's concern. Especially low resolution Instagram crap. Is that a super fancy new Triconex safety system I see? Or is it one from the 80s, hard to tell because the designs still look the same.

  2. Not quite by bickerdyke · · Score: 2

    On another level, this is not complete garbage.

    But it's all about the people there knowing what is a secret and what is not and more important: what is in plain view, is not a secret.

    "SCADA selfies" could indeed be dangerous. But not because someone sees the model of the command console or a schematic of the power plant (which will 99% look like ANY OTHER plant).

    The dangerous thing is the password written on the blackboard!

    Ask TV5. They had their website CMS and social media accounts taken over (IIRC ISIS) after they broadcasted a few interviews shot in their newsroom - with the passwords written on a whiteboard so that the whole digital media team could access the accounts....

    --
    bickerdyke
    1. Re:Not quite by thegarbz · · Score: 2

      I'll start quaking in my boots over that one when vendors stop using hardcoded admin passwords and plants stop leaving default passwords in place. I attended a factory acceptance test once at a vendor. Evidently from the recently open file list in the control program so did a competitor. So I wondered ... then I clicked ... then I typed the same password we used on our site into the competitor's file and bam, complete control logic for an entire unit of an oil refinery.

      There's no need to write a password on the wall when that same password is used in every installation regardless of company.

    2. Re:Not quite by castionsosa · · Score: 2

      At the absolute minimum, make the password the serial number. For example, one embedded device I used had its default PW exactly this. Or, like HP devices with the iLO password on a pull-out card, have the password on that. This way, one would need physical access to the server to glean the password.

      Of course, the ideal would be an e-Ink display on the front of a device that has the password on it (either displayed, or displayable with a button push). When the device is hard reset and reloaded, said password gets erased and re-generated. This way, the default password is always available, but there is no way, barring an OS level hack or physical access, for a remote intruder to guess that item.
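An added sketch of the scheme described in the comment above, not part of the original thread or any vendor's firmware: a default password generated on the device at every hard reset, shown only on a local display, and stored only as a salted verifier. The `Device` class, its `display` field (standing in for the e-ink panel) and the serial numbers are hypothetical.

```python
import hashlib
import hmac
import secrets

# Characters that are easy to read off a small panel (no 0/O/o, 1/l/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"


class Device:
    """Hypothetical embedded device with a front-panel display."""

    def __init__(self, serial):
        self.serial = serial      # printed on the case, assumed known to outsiders
        self.display = ""         # stands in for the e-ink panel contents
        self.salt = b""
        self.verifier = b""
        self.hard_reset()

    @staticmethod
    def _derive(password, salt):
        # Slow salted hash, so flash storage never holds the plaintext.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def hard_reset(self):
        # The old default is erased and a fresh random one is generated on-device.
        password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self.salt = secrets.token_bytes(16)
        self.verifier = self._derive(password, self.salt)
        self.display = password   # readable only by someone standing at the unit

    def login(self, attempt):
        candidate = self._derive(attempt, self.salt)
        return hmac.compare_digest(candidate, self.verifier)


def shared_default(devices):
    """True if any two devices currently show the same default password."""
    shown = [d.display for d in devices]
    return len(set(shown)) != len(shown)
```

Because each unit draws its own value from the OS random source, a password learned at one installation does not open another, and one learned before a hard reset stops working after it.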

  3. The post-9/11 "hide wonders from the kids" blues by TheRealHocusLocus · · Score: 4, Insightful

    Not to skim off the delicious prattle of hackers zooming in on clunky JPGs to reveal passwords written on post-it notes (on CSI they have ways to zoom down to pimple-hair level)... well of course it's possible, no duh... there's a phenomenon I'd like to point out I feel will have a more disastrous effect than terrorism.

    Part of it arises from the modern invention of "adolescence", when children have become sentient and somewhat responsible but have years to go before that magic 18th birthday, when it becomes legally possible to drink, vote and be thrown out of the house --- all on the same day. For a good part of the 20th century after school care options were limited but this did not seem to be much of a problem, most suburban kids ran wild and made it home in time for dinner. And those without a stay-at-home parent might go home, but some would check in with or join their parents at work. It was not uncommon to see after-school children hanging around any workplace. Then through the 80s and 90s things changed, as what we now know as the 'helicopter parent' rose to power --- ironically --- children became more segregated from the adult world than ever before. There were now places to go after school where children could be supervised by adults, yet remain wholly disconnected from the adult world. Where the presence of children in the workplace was once considered a polite necessity, children are now all but dis-invited, by concerns of distraction or corporate liability or just plain meanness, take your pick. Late in the game campaigns like Take Your Daughter To Work (Or Your Son Too, Sorry About That) Day came into being as some adults realized that society was being transformed by this segregation, but the novelty of a single day cannot replace the extent that youth had participated, or at least been aware, in the past.

    Just as class trips give glimpses of the adult world, we must recall a time not so long ago when families took these trips too. As the world has gotten more paranoid and especially post-9/11, some of the most awesome wonders of the modern world are off-limits to children and adults alike. I recall the remarks of a gent who runs a nuclear power plant in Britain who sadly attributed the rise in irrational fear among the public to the (rather) sudden cessation of tours at the turn of the century, when groups once had been shown all areas and the kids were full of questions. And he is not alone, there has been a general lockdown of the more interesting and inspiring places in the industrial world, which stems from the simple question, "What's the worst thing a terrorist could do? Can we ensure that could never happen?" Not really, but we can lock doors and shut people out. That's a safe thing to do. At what cost though?

    If all of your kids want to grow up to become video game designers, and no one seems to have any interest in running a refinery or keeping the power grid energized, and continue to act like children well into their adult years... then at least you should be able to figure out why. It has to do with the forced segregation of children and adults, and general lock-down of the inspiring wonders that the young could once have seen, for the price of a bus ticket.

    We should be giving open tours again, not outlawing cameras. The future is at stake.

    --
    <blink>down the rabbit hole</blink>
  4. Re:The post-9/11 "hide wonders from the kids" blue by clonehappy · · Score: 2

    I remember taking a field trip in 4th grade to the local telephone central office. We toured the entire facility. I don't think I would be who/where I am today if I hadn't taken that field trip. I had never seen so many different wires and connections and lights, and I wanted to know what they all did.

    Today, the CO is a "domestic terrorist target" and as such is off limits to anyone, especially those pesky 10 year olds. You know they're all secret sleeper cells, right? Kids today are screwed, they're mentally DOA from all the nanny-state and helicopter parent garbage and there is no vision to the real world to break them out of it.

    It makes me very sad.

  5. Re:The post-9/11 "hide wonders from the kids" blue by thegarbz · · Score: 2

    become video game designers, and no one seems to have any interest in running a refinery

    As someone who has dabbled in the former I'm glad to be doing the latter. But you are 100% right, we live in a sad world without exposure to the amazing things around us. As kids we latch on to the amazing world around us. Every international flight has left me wanting (briefly) to become a pilot after sitting in the cockpit and asking (what must have been to the pilots) an endless stream of questions about what each button does. Every time there was an open day at the brigade I left wanting to be a fireman. In high school we fetishised the awesome incredible and unbelievable power of a 4cyl turbo engine, because it's about the most amazing thing available to us knowing full well that we won't be driving a Ferrari anytime soon. 5 years later when I was surge testing a 30MW compressor train I think back at how childishly we giggled at the blowoff valve in the car while my ears were screaming at the sound of the blow-off valve on this compressor opening.

    I feel lucky I discovered this world. I didn't even know it existed going through school. My kids are going to know even less about it as it becomes a security risk to take any members of the public anywhere at all.

  6. Re:Security through obscurity by aaarrrgggh · · Score: 2

    It isn't really obscurity, it is a function of initial attack surface. You aren't trying to obscure the fact that John Doe works as a network technician in the controls division, but you are hoping to limit that as an initial attack vector, especially given Mr. Doe's proclivity for going to the strip joint on his lunch break. But, if someone does subvert Mr. Doe, you do want the fact that Mr. Smith is responsible for network security audits of the control systems.

    Likewise, giving out all the details of various firewalls and packages used for different functions lowers the barrier for an attacker. Knowing what the helpline sticker on the SCADA workstation could be a goldmine...