Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems. (http://www.csmonitor.com/World/Passcode/2016/0115/Worried-about-cyberattacks-on-US-power-grid-Stop-taking-selfies-at-work)
"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don’t make an adversary’s job easier."
iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge information that is valuable to would-be attackers, such as organization charts or lists of employees, says McBride.
That kind of slip-up has aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided Western nuclear analysts with detailed views of the insides of the Natanz facility and Iran’s uranium enrichment operation – what an expert once described as "intel to die for." (http://www.nytimes.com/2008/04/29/science/29nuke.html?_r=0)