In early January of this year we discussed how selfies were undermining the security of our nation’s critical infrastructure. Then in late January the nation’s infrastructure security was a hot topic at the Davos conference.
Well, thanks to the white hat hackers at Red Team Security it looks as though the vulnerabilty of our infrastructure is once again being discussed publicly.
So, just how vulnerable is the US power grid? Watch and find out!
Last week we described how some workers at critical-infrastructure facilities were unwittingly undermining security by posting selfies to social media sites such as Instagram. The takeaway? Securing information and networks without literally “inviting” hackers in is difficult enough, so please be more careful.
Interestingly enough, according to a story in Fortune.com this week, world leaders attending last week’s Davos Conference are quite concerned about cybersecurity in general and with the vulnerabilities of critical infrastructure around the world in particular.
No surprise that critical infrastructure vulnerabilities would have a top-of-mind presence considering that a successful cyberattack on Ukraine’s electric utility grid had occurred just a few weeks prior.
That attack which took down a sizable portion of Ukraine’s power grid utilized the “Black Energy” malware according to the US Department of Homeland security. This is troubling on two fronts. First, because the attack was so successful and second because the same malware has been seen in the wild here in the United States.
The vulnerability of our own electric grid is such that General Michael Hayden, who served as director of both the NSA and the CIA, warned “of a darkening sky” over the U.S. power grid according to Fortune.
On August 14, 2003 much of the north east power grid went black for a period ranging from 7 hours to upwards of a week. The cause was ultimately linked to a fallen tree branch in Ohio. Thankfully, being August, the loss of power was largely an inconvenience and not life threatening. However, if a calculated cyberattack were launched in conjunction with an already occurring natural disaster such as last week’s epic snowstorm, thousands could potentially lose their lives.
The economic impact of a successful large scale north east grid attack could exceed $1 trillion according to Lloyd’s of London. To put things in perspective, the cost of the 2011 earthquake and tsunami in Japan was just $300 billion, while the cost of Hurricane Sandy was estimated $100 billion.
Perhaps more troubling is that the Nuclear Threat Initiative’s lastest report indicates that many civilian nuclear power plants are vulnerable to cyberattacks.
While you may not be able to prevent a large scale critical infrastructure attack you can prevent data loss and protect your own network. At Konsultek we specialize in developing custom security solutions that build upon world class hardware and software. Isn’t it time you took a fresh look at your security preparedness? Call us today to discuss innovative ways to making your network more secure.
Sage advice especially if your selfie stick gets the urge when you’re at work. It seems that most folks don’t think much about what else beyond themselves might appear in their selfie and this can lead to security breaches when those selfies, videos or publicity photos are closely examined by those with more malicious mindsets.
Here are a couple examples courtesy of nakedsecurity.sophos.com where innocent images divulged more than just a smile.
Back in 2012 the world was given a glimpse into the life of Prince William the RAF Search and Rescue helicopter pilot. Unfortunately it only took hours for those with keen eyes to spot the login details for the secure MilFlip system in the background.
Or remember when the 2014 FIFA World Cup security control room was photographed, where the Wi-Fi SSID and password (and an internal email address used to communicate with a Brazilian government agency) were clearly legible on the big screen. So much for security, eh?
Sean McBride, senior threat intelligence analyst at iSight Partners reports in an article on The Christian Science Monitor that he has found amongst other things online selfies posted to Instagram and Facebook that reveal details of critical infrastructure controls systems. More specifically, McBride indicates that these photos of SCADA systems (Supervisory Control and Data Acquistition) are revealing potentially sensitive information that shouldn’t be shared on the Internet.
According to McBride the selfie stick isn’t the only offender. As reported in The Christian Science Monitor, iSight Partners researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can offer a treasure trove of information for would be cyber-assailants as well. Employee contact information, images, videos, organization charts and other information can be pieced together to assist in a variety of attacks such as spear phishing.
Perhaps the most famous example of the perils of inadvertently publishing sensitive facility information comes courtesy of Iranian President Mahmoud Ahmadinejad’s press office.
The 48 images they published in 2008 were at the time described as “This is intel to die for,” by Andreas Persbo, an analyst in London at the Verification Research, Training and Information Center in a NY Times article.
The takeaway here is clear. In a world consumed with selfies and social sharing all employees, especially those involved in critical infrastructure, should think twice before snapping selfies and shooting videos while on the job. If you just have to document yourself be cognizant of who or what is in the background. For example, is that Post-It note on your peer’s monitor with his network access credentials in blue ink about to go hurling through cyber-space to a competitor, criminal or nation state?
It is difficult enough to keep hackers at bay when they have to brute force their way in. It is virtually impossible to keep them out when you unwittingly invite them in.
If you are interested in learning more about how custom prevention and detection solutions can help your organization navigate today’s connected world more safely, pick up the phone and give us a call. Or just hit us up on Instagram (just kidding!)!