ASSESSMENT: OSINT Reconnaissance of Power Systems

Power Systems, Dams, Grids & The Internet:

Since the attack on the Natanz plant the acronym SCADA (Supervisory Control and Data Acquisition) has been in the news as the next greatest threat to us all. Of course, if you listen to the bulk of what people are saying out there in the news media you might be missing some salient points on just how vulnerable we all may be, and not so much because someone is going to upload malware to a system in an “air gap” somewhere in Tehran. The fact is I now understand just how vulnerable we may be, and most of the problem isn’t going to be some exotic string of ones and zeros; instead it will be due to a lack of OPSEC. Of course this report does not mean that there will be a cascade attack that will knock out power to the United States like some far-fetched Discovery cable show. Instead this report is just a slice of what was discovered in a few hours of searching with Google and should give you an idea of just how much data that could be misused is out there. My intent here is not to scare people, nor is it (completely) to shame people, but I find that in today’s news cycle much of the real truth to things gets cut out for smaller and sexier soundbites.

OSINT Reconnaissance:

My reconnaissance tools were just a browser, my brain, and a bit of time. I used Google Fu to look up certain key words and phrases to seek out systems sharing out data that perhaps they were unaware of. In the case of all of the pictures below, these items were open to anyone who looked for them. There was no bypassing any kind of authentication here whatsoever; all you had to do was click and wait for the system to deliver the data, and therein lies the biggest problem. In one case (data not shown here) I was able to locate a user online with not only diagrams but also SCADA passwords and IDs in an Excel sheet. That user was called and told that they were sharing, and they took it offline (thanks to those who used their GV numbers and made calls anonymously, you know who you are…) and, I am sure, was more than a little freaked out after the call was all said and done.
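As an added, defender-side example (not code from the original post), the check below walks a file share or web document root you own and flags files that look like the Excel sheet of SCADA passwords and IDs described above, so the owner finds them before a search engine does. The keyword lists, extension sets and file names are assumptions, and the sample share it builds is constructed fake data.

```python
# Added example, not code from the original post: self-audit of a share or
# web root you own, flagging files whose content or name mixes credential
# fields with ICS/SCADA terms. Office/drawing files are judged by name only.
import re
import tempfile
from pathlib import Path

CRED_WORDS = re.compile(r"\b(password|passwd|pwd|login|user ?id|username)\b", re.I)
ICS_WORDS = re.compile(r"\b(scada|hmi|plc|rtu|substation|dam|turbine|pipeline)\b", re.I)
TEXT_EXT = {".csv", ".txt", ".ini", ".cfg", ".conf"}
DOC_EXT = {".xls", ".xlsx", ".vsd", ".vsdx", ".pdf", ".dwg"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def classify_text(text):
    """Severity for a blob: credentials next to ICS terms is the worst case."""
    cred, ics = bool(CRED_WORDS.search(text)), bool(ICS_WORDS.search(text))
    if cred:
        return "critical" if ics else "high"
    return "medium" if ics else None

def audit_tree(root):
    """Walk root; return [(relative_path, severity)] sorted worst-first."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        # Separators become spaces so a name like 'scada_diagram' matches.
        name_words = re.sub(r"[_\-.]", " ", path.name)
        ext, severity = path.suffix.lower(), None
        if ext in TEXT_EXT:
            try:
                body = path.read_text(errors="replace")[:200_000]
            except OSError:
                continue
            severity = classify_text(name_words + "\n" + body)
        elif ext in DOC_EXT:  # binary formats: judged by file name only
            severity = classify_text(name_words) or "low"
        if severity:
            findings.append((path.relative_to(root).as_posix(), severity))
    return sorted(findings, key=lambda f: (RANK[f[1]], f[0]))

def build_sample_share():
    """Constructed sample share with fake data, for demonstration only."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    (root / "ops").mkdir()
    (root / "ops" / "hmi_accounts.csv").write_text("site,username,password\nDAM-1,operator,changeme\n")
    (root / "ops" / "turbine_schedule.txt").write_text("Turbine 2 maintenance window: Tuesday\n")
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04")  # placeholder bytes, not a real workbook
    (root / "scada_diagram.vsdx").write_bytes(b"PK\x03\x04")
    return root
```

Point audit_tree() at your own DocumentRoot or shared folder; the constructed sample exists only so the block runs offline.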

[Screenshot: Hydroelectric DAM SCADA]

[Screenshot: Gas Leaks & Repairs Sheet]

[Screenshot: SCADA DIAG Hydroelectric DAM]

[Screenshot: SCADA DATA & Connection + CDRs]

[Screenshot: Live Diagram of Circuit to Substation]

[Screenshot: Another Live Diagram to Substation]

[Screenshot: Diagram for Substation]

[Screenshot: GAS Pipeline Maps Northeast]

[Screenshot: Full Diagrams for Electric Fencing and Facilities for Power Station (Southeast)]

As you can see there is a lot out there, and remember that an aggressive and determined individual or group could in fact collect quite a bit of data not only from the government sites but also from the companies that run the grid, or the gas, or the water systems. Once again though, all of this data does not mean that there will be an epic “Fire Sale” from these data leaks. It does however make you wonder just how many people and entities (corps) lack such basic OPSEC as to allow these things to be placed out in the open for anyone looking for them to have. I will be widening the scope and working with the same individuals in the background to connect with the more egregious offenders and ensure their data is no longer out there for the taking, but my main goal here is to sound the warning.

The internet of things… Is full of “stuff” too.


If an adversary were looking to have a cascade-effect attack like that postulated by the Chinese student, then their first task would be to carry out reconnaissance on the power systems of the country they wish to attack. In the case of the US, let’s say, it is easy enough to look up the Wiki on all of the companies here, neatly listed out with their domains. Once you have this you can spider out and carry out the OSINT on all of them. Technically as well as logically, you can carry out the intelligence gathering on employees, systems, and overall target hardness just with Google. This is not really elucidated very often when you see these things in the news or you hear the president speak about the threats to the “grid”. Of course, now I want you all to realize that the threat is not only the Chinese Green Army or PLA warrior at the end of the keyboard but instead YOU, Mr. plant manager, with a shared-out hard drive in your new MacBook.

So the extrapolation to make is that it’s not the end of the world, but it is a problem. In fact, it could be pretty bad for certain places were this data to be used by the wrong people. Now do I think that the Chinese and others already have this data? Well, the answer to that is yes; I do believe that since this stuff has been sitting around so long in directories open to the internet, anyone with a plan probably has run a script and scraped all that data at some point. Will it be used in some massive attack? I don’t really think so, necessarily. My reasoning here is that to really do it well it would have to be a nation state, and that state would have to be pretty crazy to have a fire sale given our global interconnectedness today. Of course that doesn’t stop someone like the Kim Jong Uns of the world from trying to go all Blofeld on us from some lair with sharks, though.

Here’s the overall takeaway: People do stupid things. People who are not trained to think about their data security and access do doubly stupid things. So when you hear the government next time talking about how insecure our networks are and how the grid could be taken out by a foreign power who already have backdoors in our systems, just remember that much of that probably was easily obtainable through recon and OSINT use…


Written by Krypt3ia

2014/01/09 at 21:08

Posted in .gov, GRIDSEC, ICS, OPSEC, SCADA