Modern field guide to security and privacy

Worried about cyberattacks on US power grid? Stop taking selfies at work

Experts warn that malicious hackers gain valuable insight when companies and employees reveal too much information on the Web – especially when they work at sensitive facilities. 

|
Reuters

The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month.

But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a cybersecurity firm.

Social media oversharing is wellspring of information that could be useful to attackers interested in compromising critical infrastructure, said Sean McBride, senior threat intelligence analyst at iSight Partners. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don’t make an adversary’s job easier."

iSight has found numerous examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control room and video walk-throughs of facilities.

In addition to posting videos and photos on the Web, corporate websites can divulge valuable information to adversaries. For instance, organization charts or lists of employees with contact information accessible via the utility website are valuable sources of information for would-be attackers, says McBride.

These kinds of easily accessible images have aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran’s uranium enrichment operation – what an expert once described as "intel to die for."

In 2011, industrial control systems expert Ralph Langner used an image of a SCADA control system monitor in one of the photos to match the configuration of the Natanz centrifuges to configuration information in the Stuxnet malicious software created to hobble the facility.

Today, McBride said that he and fellow researchers have used open-source information from media, government, and private sources to identify 15 facilities in the US that are critical to the operation of the electric grid.

McBride suggested that critical infrastructure operators think like hackers before posting photos online: "Ask yourself, 'What do my adversaries know about me and the organizations I support.' "

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Worried about cyberattacks on US power grid? Stop taking selfies at work
Read this article in
https://www.csmonitor.com/World/Passcode/2016/0115/Worried-about-cyberattacks-on-US-power-grid-Stop-taking-selfies-at-work
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe