The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month.
But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a cybersecurity firm.
Social media oversharing is wellspring of information that could be useful to attackers interested in compromising critical infrastructure, said Sean McBride, senior threat intelligence analyst at iSight Partners. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.
"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don’t make an adversary’s job easier."
iSight has found numerous examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control room and video walk-throughs of facilities.
In addition to posting videos and photos on the Web, corporate websites can divulge valuable information to adversaries. For instance, organization charts or lists of employees with contact information accessible via the utility website are valuable sources of information for would-be attackers, says McBride.
These kinds of easily accessible images have aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran’s uranium enrichment operation – what an expert once described as "intel to die for."
In 2011, industrial control systems expert Ralph Langner used an image of a SCADA control system monitor in one of the photos to match the configuration of the Natanz centrifuges to configuration information in the Stuxnet malicious software created to hobble the facility.
Today, McBride said that he and fellow researchers have used open-source information from media, government, and private sources to identify 15 facilities in the US that are critical to the operation of the electric grid.
McBride suggested that critical infrastructure operators think like hackers before posting photos online: "Ask yourself, 'What do my adversaries know about me and the organizations I support.' "