When workers at infrastructure facilities post selfies that show the operations’ inner workings, they’re handing vital intelligence to attackers, one expert has warned.
Think back to the photos of Prince William when he was an RAF Search and Rescue helicopter pilot: as you might recall, there were login details written on a piece of paper that was pasted over his head for all to see.
Or the proudly-presented video shot inside the 2014 FIFA World Cup security control room, where the Wi-Fi SSID and password (and an internal email address used to communicate with a Brazilian government agency) were clearly legible on the big screen.
Sean McBride, senior threat intelligence analyst at iSight Partners, told participants at the S4 conference in Miami last week that he’s found similarly cringe-worthy selfies on Instagram and Facebook that reveal details of SCADA systems, as the Christian Science Monitor reports.
SCADA, which stands for Supervisory Control and Data Acquisition, is a system for remote monitoring and control that operates with coded signals over communication channels that include the internet, with all the mischief-makers and malfeasance that portends.
SCADA ties together a slew of vital physical infrastructure: from power, oil, and gas pipelines to water distribution and wastewater collection systems.
These systems were initially designed to be open, robust, and easily operated and repaired, but security has often been left out of the picture entirely.
McBride said that his company has found numerous examples of SCADA selfies at sensitive facilities that could unwittingly reveal critical information that operators would prefer to keep secret.
For example, iSight has come across panoramic pictures of control rooms and video walk-throughs of facilities, McBride said.
Beyond whatever treasure trove Instagram might yield up to adversaries, corporate websites can also be guilty of oversharing, McBride said, with their plethora of publicly available organization charts or lists of employees with contact information.
McBride says that iSight researchers have found enough publicly available information from media, government and private sources to identify 15 US facilities critical to operating the country’s electricity grid.
Intriguingly, as the CSM points out, the creators of the Stuxnet malware (which is thought to have been designed to infiltrate Iran’s uranium enrichment facilities) are said to have relied on an image of a SCADA control system monitor to figure out the configuration of the facility’s centrifuges.
The source of the image: a series of 48 photos depicting President Mahmoud Ahmadinejad’s tour of the desert site, released by the country’s own government.
McBride’s emphasis on the sensitive information being spilled in selfies adds on to an established set of worries about SCADA’s susceptibility to malicious attack.
The concern is often associated with lack of secure coding found in industrial control systems – specifically, the lack of attention to building security into the code that goes into the Internet of Things (IoT) and SCADA.
Do we really need to add security-threatening selfies to the mix?
Apparently, we do.
The takeaway: don’t hand potential attackers the information they need to kick the knees out of a critical SCADA facility.
The CSM quotes McBride:
No SCADA selfies! Don’t make an adversary’s job easier.