Alms for the cyber poor: municipal water industry

The other day I was investigating a presentation by hackers of foreign origin. Their slide deck, which included references to finding Internet-connected SCADA, presented a screenshot of an HMI.

Old Boston City Hall

Close examination showed it belonged to a water treatment facility in the USA. I was concerned that it could mean attackers had gained access to the HMI over the Internet.

I looked up contact info for the water department at the municipality and shot off an email. I didn’t expect to get any response, as previous attempts with other organizations in similar situations had proved fruitless.

I was surprised when I got a call from the municipality’s IT director. Woot! Someone cared!

Most munis, and water in particular, are under-funded and under-staffed. Security is about at the bottom of the list. Simultaneously confirming and dismissing my stereotype, the director told me that her very position had previously been a “parking” spot for policemen who needed something to do (AKA couldn’t be fired).

She thought that it might very well be a breach, and promised to look into it. Later that day, I got another call, this time from a plant engineer, who reported that the system integrator had posted numerous HMI screenshots of their plant to the public Internet — including the one in question.

He believed this to possibly be a breach of the NDA under which the work was done.

In some ways it was a relief. In others it was disconcerting.

Lessons learned:

  • There are munis that care
  • There are water people who care
  • Watch out for the integrators
  • Hackers of foreign origin are looking

Article on “spy” photographer

On October 30, 2014, the New York Times ran an interesting article on a student/photographer in Hong Kong, Dan Garrett. Mr. Garrett has been accused by the Chinese government of being “without any exaggeration a top-level spy”.

Photo of Dan Garrett, from Dan Garrett’s Twitter

The article goes on to tell Garrett’s story, but it never really answers the question of whether he is a spy. In the article, Garrett, whose LinkedIn profile shows him as a former GS-15 with the State Department, is quoted as saying “I’m no James Bond”.

So, what is a spy?

I attended a public conference with former CIA director Michael Hayden. He told the story of an assignment he had in Europe (maybe Germany?) many years ago to ride the train and count the number of military vehicles he saw out the window. Was this spying?

I’ve heard government security analysts mention incidents of “photography” at industrial facilities. Is taking photos the same as spying? Does it depend on the photographer’s intent? Does it depend on who pays the photographer? Does it depend on whether the photographer knew how the information “collected” could/would be used? Does the nationality of the photographer make a difference?

I guess I’m really getting at two points: Under what conditions is your organization concerned about photography? How does your organization mitigate photographic and videographic reconnaissance?

I would also simply note that there are lots of nice stills and even flyover videos of infrastructure facilities on the Interwebs… and more being added daily.