Critical Intelligence launched a new — and unique — service offering for companies that own and operate critical infrastructure. It’s called ReconX.
It’s a different sort of offering from the myriad voices talking about risk consulting or security program building or penetration testing. ReconX is all about the concept of reconnaissance exposure.
What is Reconnaissance Exposure?
It is essentially a bench mark or baseline for the important question “what does an adversary reasonably know about how to attack me?”
Questions examined in the course of an assessment could include (among many others):
- Who are my key employees (to include ICS engineers and control room operators)?
- What contact details (including passwords) are public for my employees?
- What information are those employees leaking via LinkedIn or Instagram?
- Who are my key suppliers?
- What information about my company are those suppliers leaking via case studies on their Web sites?
- Who regulates me? What potentially sensitive or “useful” information exists in publicly accessible government databases about my company?
Examples of bad practice (AKA information leaks) are way more common than you might hope. Here’s a quick one:
A Chinese national attending a U.S. university did an internship at a major electric utility. Numerous details of a substation upgrade were written up as part of an “academic report” and posted to the world wide web.
Your quarterly penetration test is not likely to catch that — because that’s not the objective.