I wanted to share an interesting observation from this past weekend. Though this does not relate to SCADA/ICS, it does demonstrate just how trusting people are.
This past Friday, I had tagged along with my wife as we went to Wal-Mart for our weekly shopping. Following the general shopping, she wanted to go and check out some clothing for everyday around-the-house activities.
As she went shopping for her own reasons, I decided to go up front near the cashier’s registers, plopping down on one of the bench seats, just ‘people watching’.
During this time frame, there were 3 circumstances that support my premise about people being way too trusting. Allow me to elaborate on this further.
One woman, a mother, had two children with her: a son and a daughter. She stopped by the restrooms, telling her son to hurry up, while she and her daughter went to relieve themselves. While this activity was happening, she left the cart — fully loaded with groceries, clothing for her children, and whatnot — sitting near the restroom entrances. They weren’t back until a good 2 minutes later — more than enough for someone to walk by and take the cart outside with them.
Another woman, with her daughter, also pulled up to the restroom. Both of them went inside to relieve themselves — similar to the previous situation. The one significant difference is — she left her purse within the shopping cart. I’ll repeat this for effect — her purse.
Another situation involved a father and his son, also near the restroom entrances, to relieve themselves. In this circumstance, his cart was laden with multiple cartons of craft beers, probably for a Friday-night game with the guys. Once he and his son came out, he nodded subtly to me — probably to thank me (perhaps) for watching his shopping cart.
Many people know that I have an almost menacing appearance that commands either respect or fear. Though I am not associated or affiliated with law enforcement, I can only imagine that the father may have thought that I was an off-duty police officer, or an undercover asset protection guard.
For the record, I had said nothing to any of the parents going into the restrooms with their children. I was not wearing a badge or any clothing (hat included) to indicate that I was an undercover asset protection guard or, for that matter, even law enforcement. I gave no indication to any of these parents that I was trustworthy, or should be commanding trust in any way.
They determined that I was trustworthy simply based on appearance.
Now…how does this pertain to SCADA/ICS environments?
Several thoughts cross my mind when thinking of implied or inferred trust simply based on appearances or operation. Because I was present near the restroom, those parents inferred that I was trustworthy, in much the same way that many asset owners would consider their ISP, their system integrator, or even their own site administrators trustworthy. The fact is, the mere appearance of trustworthiness is no reason to forgo challenging an individual who is in a location where they usually are not; hence why DHS has pushed the motto, “If you see something, say something.” Meaning, if someone or something appears out of place, report it. If the individual has a valid reason to be performing the work that they’re doing, then when challenged they can produce some form of proof; even if it is an inconvenience for them, this ensures that (at least) a “checks ‘n balances” approach exists.
If more asset owners performed this simple but effective check, it would greatly reduce many of the insider threats and attacks against our critical infrastructures.