Hackers can Use Internet Search to Take Down Utilities, Other Companies
Companies and utilities don’t realize how much of their critical information is available over the Internet, experts said Tues. at the InfraGard conference. “The amount of sensitive information online should be sobering” to companies and utilities, said Joanne Ashland, team lead for Dyonyx Security.
Search engines help hackers find sensitive information to help take down a target, Ashland said. Search engines have streamlined cyber-reconnaissance and let hackers find relevant, obscure and sometimes sensitive documents on the web. Armed with the right information and tools, a hacker can compromise the most efficient organizations and utility operations and cost them millions, she said.
Social engineering attacks should be a concern for utilities and other companies, Ashland said. These attacks use information readily available on the Internet to convince employees to surrender crucial information. For example, “regulatory hearings and legal actions give hackers everything they need to know,” Ashland said. “They will use the detailed information about the company, and then pose as a company representative to obtain secret information over the phone,” she said. Corporate websites often provide “low hanging fruit” such as hearing documents, information from regulatory bodies, investor relations documents and public records that often make public too many details, she said.
Other websites also expose sensitive information about companies’ operations. Organizations affiliated with a company such as vendors, job sites, and trade journals often publish inside information. Govt. agencies require that hearings, filings and applications that show maps, grids, and detailed descriptions of an organization’s infrastructure be made available.
Patent filing databases are a jarring example of how the most secure and sensitive information can be disclosed. Ashland showed examples of patent diagrams she found on www.uspto.gov that gave the precise schematics of a nuclear fission reactor. Other examples of critical information available online were: (1) Financial and operating results, which lay out the costs of projects, and lawsuit information. (2) Budget and project plans, which often provide maps and detailed plant plans. (3) Descriptions of operations, which provide statistics on customers, employees and infrastructure layout.
Crucial network information such as domain registration and IP addresses can sometimes be acquired through services on the Internet, Ashland said. Armed with this information, hackers have developed ways to acquire administrative access that allows them to view and possibly manipulate the most critical elements of a company’s operation.
Weaknesses in port connections and services can also provide hackers with access to vital information. This is especially the case when an organization hasn’t properly separated its internal network systems from portals that support public access. Organizations with automated supervisory control and data acquisition systems are sometimes tied into TCP/IP connections, which may be connected to corporate networks. “TCP/IP connections must be protected, physically and logically” to prevent intrusion, Ashland said.
Corporations and utilities shouldn’t “abandon all hope,” said Ashland -- there are ways to prevent the leak of sensitive information on the Internet: (1) Look for and correct data leaks. (2) Conduct image searches to make sure there are no maps or images of locations or systems that shouldn’t be available to the public. (4) After a site is secured, make sure links to archived and cached information aren’t available. (5) Ensure that the IR, HR, legal and communications departments get security approval for all documents released. (6) Anonymize network domain and IP registrations. - Bryce Baschuk