E-rant

A long time ago, in a career far, far away, I worked at a government facility that was just way over the top on security.  We didn’t really do all that much – plus there are guards with guns guarding us while we really didn’t do that much.  They even had a firing range, holding cells, a protected area (with buffer zone) controlled by biometric access.  Nutty stuff.  One of the rules that I had previously thought overkill was that you couldn’t bring cameras in.  Why would anybody care what we could possibly take pictures of here?

While having lunch, I found out why that rule was in place.  Sitting here, in the Jovian bunker, getting my daily fix of security newsfeeds, lotto numbers, and lolcats, I came across a link to pictures of somebody’s control systems.  Interesting, I thought and started looking at them since I’m just kind of dorky that way.  There a dozen photos of various parts of the control system.  In fact, if you’re interested, here they are (“here they “were” – they’ve been removed since lunch, but I dug them out of my browser cache for you all to enjoy and posted them here).

Pictures.  So what?  They’re low resolution and a bit difficult to make anything out.  Well, web 2.0 and Search Engine Optimization was kind enough to bestow upon us “tagging“, whereby a social networking site can make content more relevant to searches by allowing (typically) users to provide a phrase that helps describe a blog post, video, movie, or other “user-generated content” (read:”useless crap”).  Tags are great – it’s nice to add words to media so that you can categorize and filter your own useless crap, and your mother-in-law and her gossipy bridge club buddies can more easily see where you work and you can prove to her once and for all that you’re not a freeloading bum milking her daughter for all she’s worth as she’s been saying for years now.   

The images are ok, but the really good stuff lies in the associated metadata contained in the handy tagging features (they’ve been removed from flickr.com since lunch, so you’ll have to go see what they look like in Google’s cache to see what the tag info was).

Start with the user account name:  Sarasota_itsd.   Florida, maybe?  Matches the map on the wall.  Then there are the picture titles that include “Carlton Office” and “SCADA”.   Google up “carlton office sarasota scada”, and the first page of results are about a water treatment plant.  More easy Googling and you find it located here, in high resolution.  And there’s the picture captions and the “tags” that imply they run Allen Bradley ControlLogix PLCs and the Dynac control system suite running on OpenVMS (likely complimented by DynView workstation software).  Compound that with the org chart hanging on the wall and one can extrapolate this is at a pretty modern, yet slightly understaffed water treatment facility.  The org chart which seems to show 12 engineers on staff that report to six executives is probably correct, since the satellite shows 14 parking spaces ‘round back with a dozen or so up front.  That’s also evidenced by the satellite picture taken at roughly noon (shadows facing due north) and that there are (apparently) only three personally owned vehicles in the lots.

A little more googling gives this handy brochure that shows you, yes, that big tank without a perimeter fence around it really is the tank that holds the clean water ready to go into the system.  And if you’re still unsure what you’re doing you can get a tour of the plant as well - but you have to arrange it in advance, since they only have a dozen or so people to run the plant across 24×7 shifts, which means you’ve got only two or three guys on per shift usually.

Just a teensy bit more resolution in those pics and you’d have their IP scheme, too, since they had that printed to the screen for some ludicrous reason on both their XP laptop, their DynView station, and their IBM thinkpad, all of whihc are sitting right next to their DLink b/g/n wireless router.  But no such luck, unless we can find those guys from the TV spy shows that can “enhance” any blurry image enough to know what religion a guy is.

I’m convinced: cameras in sensitive areas are a risk, but not nearly as big a risk as trusting your operations to some moron posting pictures to social networking sites.