The document introduces the group "We Are The Artillery" which uses open source intelligence (OSINT) techniques to discover and analyze industrial control systems with the goal of improving security. It outlines their OSINT process including discovery of assets through vendors, social media, conferences and more. It provides examples of systems they have analyzed and warns that critical infrastructure does not need to be publicly available to be discovered. The presentation aims to educate others and encourage more security for non-regulated utilities.

1. ================================================================================
| __ |
| / . ./ |
| .-. | | .:";'.:.." / |
| _.-' __/ (M^^.^~~:.'"). |
| _.-' - (/ . . . ) - |
| / _/ WE ARE THE ARTILLERY: |
| | _ /” Using Google Fu |
| | /_’ To Take Down The Grids |
| _/ ((| :. ~ ^ :. .|)) |
| """" - (- | / | /) - |
| - / /- |
| / / |
================================================================================

2. #WeAreTheArtillery
@chrissistrunk
-fluent in RS-232 and Kirchhoff’s Laws, #sockstatus,
#DJaaS, #NAPCON
@synackpwn
-spends most of his time in a hardhat and popping
MS08-067 in control systems
@krypt3ia
-An infamous curmudgeon blogging about national
security issues and OSINT

3. #WeAreTheArtillery
Born: 14 August 2014,
@essobi via Twitter
We’re I Am The Cavalry’s
little brother.

4. What to expect from this
presentation

5. Media Hype

7. IT’S A
QUILT

10. Public Information
Requirements and Oversharing
CRITICAL INFO doesn’t
have to be public...
BUUUUTTTTTTT

11. OSINT Process For ICS
+Discover:
Vendor – Asset Owner Press releases
Social Media (FB, Twitter, Flikr, Instagram...)
LinkedIn Bios (hardware, software, type of infrastructure)
Conference Presentations (Distributech, ICSJWG, etc)
Job postings
Open shares (TB drives on the internet shared out)
Open FTP servers (Anonymous)
Open misconfigured websites (lots of caches of documents)
Weeding (Using keyword searches and following the trail)

12. https://www.nrc.gov/docs/ML0932/ML093290424.pdf

13. A Word About Shodan

14. OSINT Process For ICS
+Pivot:
Engineering groups
(schematics, construction pictures)
RFPs and Contracts
Public information on capital projects or upgrades
Open Access Same-Time Information System (OASIS)
Maps (GIS)

15. Power lines

16. OSINT Process For ICS
+Context:
Vendor support portals
Application/configuration software
Firmware
Configuration/Admin/User Guides
SCRIBD
The perils of autoregistration

18. Firing for effect
How to make contact with
the pwn’d
Escalation procedures
best practices
(Contacting affected
persons/companies)

22. SCADA Engineers

23. @k1LL_sw17ch
Rockwell Automation PLCs
• Many online
• Serial number dump
• Reported to Rockwell
Unfortunately they don’t keep
track of what company gets what
serial number.

24. @krypt3ia
• Google dork led
directly into a
hydroelectric
dam’s internal
systems (NOT THE
ONE PICTURED)
• Google dork
nuclear facility
and found red
team report

26. What can be done
Go OSINT Yourself
and your company
Be open to random
warning emails
Some Security via
Obscurity would be nice

27. What can be done
Security education for
non-NERC/CIP utilities

28. @chrissistrunk @synackpwn @krypt3ia
@essobi @viss @da_667 @k1LL_sw17ch
@_pronto_ @munin @tothehilt & others…