From Curiosity to Critical Infrastructure with Open Source Intelligence
Caitlin Sullivan shows you how she went from curiously exploring open source information to gathering open source intelligence for operational technology
👋 Welcome to a featured issue of The OSINT Newsletter. In this issue, Caitlin Sullivan shares her journey from curiously searching for classmates online to gathering information about critical infrastructure. She covers operational technology (OT) terminology as well as tools, tactics, and techniques for OSINT.
🙏 I wanted to say thanks to everyone who has submitted content so far. There’s such a wide range of use cases for open source intelligence. I’m learning a lot just by interacting with the community. A special shout out to Caitlin for putting together this awesome, unique guide for OSINT in OT/ICS.
🚨 This issue will be free for all subscribers. This issue discusses a lot of pitfalls in operational security. Because security is a mindset and building a culture of security is difficult, I wanted to make sure this reached the widest audience possible.
🪃 If you missed the last few contributor issues of The OSINT Newsletter, here are a few links so you can catch up.
Let’s get started. ⬇️
As an avid enthusiast for OSINT, I find fulfillment in the art of uncovering, harvesting and piecing together publicly available data to build a tapestry of information. To my surprise, this hobby has merged seamlessly with my professional role as a threat hunter within intricate Industrial Control Systems (ICS) environments, where the ability to anticipate, detect, and mitigate potential threats makes or breaks an analyst.
In the complex and often opaque realms where ICS operates, the skills honed through my OSINT pursuits - such as data mining, digital forensics techniques, and the accurate assessment of critical information - become indispensable tools. By blending OSINT methodologies with the domain knowledge of ICS security, I am better equipped to foresee attack vectors, understand adversarial tactics, and protect sensitive infrastructure against the sophisticated threats that characterize the modern cybersecurity landscape.
This overlap not only solidifies my career choice but also feeds my intellectual curiosity and the desire to remain at the vanguard of security research and operational readiness.
Everyone who enjoys OSINT has a trophy moment (or war story). My earliest trophy moment was in my freshman year of college. A friend who was attending another university about an hour away told me she was crushing on a classmate in her sociology class. She only knew his first name. Using some OSINT skills and techniques I have honed over time, I was able to provide all of his social media handles, what fraternity he was in, what his major was, his birthday, etc.
The dopamine of my friend’s shock and awe was enough to make me think, Okay, step it up. How difficult can you make this for yourself? I eyed a dude who sat three rows in front of me every week in my 200-student calculus class at my 22k-student university. I did not know his name. Again, I found all of his social media handles, including his high school sweetheart, found that he was on the honor roll, the small town in rural Kentucky he grew up in, etc.
So how did I go from being a little too curious in my free time, to finding critical infrastructure crown jewels using native OSINT techniques?
Let’s chat.
Terms and Tools
Before I move on, though, I’ll break down a couple of terms. Native OSINT is a term I use to refer to open source information gained with minimal use of third-party tools. This means no scrapers, no bots, no scripts, no AI. Just you and your brain, some Google fu… and a couple of online resources.
Why do I do this? It’s not because we don’t need the aforementioned tools. If you can automate it, that saves the analyst’s brain power for the stuff that matters, and I will always be for those efficiencies. Automate any binary decision a computer can handle, leaving the analyzing to humans.
The primary reason I like to go “toolless” sometimes is the pure fun of it. The other reason is a mindset that is sadly dying out in the field: learning how tools work before employing them, so that you know how to react or respond if a tool doesn’t work as expected. I want to see how much information can be found by the average person, whether they’re technically inclined or not, if they know where to look. What information, without technological loopholes, can be found point blank, aka low-hanging fruit?
The reason I want to focus on native OSINT here, when we are discussing OT and critical infrastructure, is that I want to do my best to show folks the reality that knocked my socks off. We’d assume that because a piece of technology is pivotal for our society to function, it must be more protected, right?
Sadly, that is not always the case. So, with minimal help, today I’ll show you what’s sitting out there on the internet for free regarding the technologies and processes that keep us safe with access to clean water, allow the lights to be turned on, and make every product we’ve come to rely on for an amazing quality of life.
If I do my job right, you’ll potentially lose 30 min of sleep tonight, so I apologize in advance.
What is Unique About Operational Technology?
So, what is OT? And how would OSINT in an OT environment differ from that in an IT environment?
OT and IT are not always two distinct things, but we can group portions of these environments into categories to understand their purposes in an organization: do the assets on each network serve the enterprise and its infrastructure, or rather the process and its operations?
When looking for OSINT on OT networks, the biggest differentiator is the customer driving the search. Does the customer serve a sector of critical infrastructure? That doesn’t mean we don’t care about their enterprise environment, because the enterprise is often the gateway into the lower-level control networks. Rather, we are focusing on the potential, and likely, end goal of the adversary: to disrupt and potentially inhibit the processes that keep our lights on and our water clean.
No two environments are the same, but there are sector-specific and industry-specific commonalities.
What is a “crown jewel” in an OT environment, and how does this relate to OSINT? A crown jewel, within an OT environment, is anything that is vital to critical operations. In essence, if you can answer the question, “On a really bad day, what loss of communication, visibility, or system interaction would mean critical loss of revenue, operation time, or even life?”, you can begin to pinpoint which crown jewels keep the system operating as it should.
Asking the Right Questions
Now, knowing the criticality of this information, and the fact that critical OT process information in the wrong hands can lead to loss of life (not something we normally have to worry about when it comes to IT breaches), we can dive into some tenets of OT environment OSINT. We must ask ourselves a couple of baseline questions.
First, a question that is OSINT agnostic:
‘How can I, as an adversary, find out as much as I can about … without touching the environment itself?’
- Customer processes: data points, weaknesses, prized possessions
- Internal tools: manipulation, weaknesses
- Social engineering techniques based on employee data
- What does a normal day look like in the environment?
- What does a bad day look like in the environment?
Now, let’s narrow our sights down to OT environments. Whose environments are we curious about? Sectors of critical infrastructure. And who, then, is the biggest provider of information about their environment? Not too different from classic IT OSINT: the company itself and its employees.
- Chemical
- Commercial facilities
- Communications sector
- Critical manufacturing
- Dams
- Defense
- Emergency services
- Energy
- Financial services
- Food & agriculture
- Government facilities
- Healthcare / public health
- IT
- Nuclear
- Transportation
- Water/wastewater
The ‘what?’ here is a mix of what one might look for when it comes to IT environment OSINT, and OT-specific data sources:
- Maps: geographical and building setup, plant maps
- Employee names, titles, emails (email format, domains), IDs, PPE, shift times
- Future plans, local government PDFs
- Project management documentation
- Hardware & software
- Processes; set points / data points of processes
- How internal groups interact
- Network architecture
Looking in the Right Places
Now for the where and the how. Again, we are going to focus on tool-less / ‘old school’ OSINT techniques to find low-hanging fruit in OT OSINT data. Below are a few of my favorite places to start:
- ArcGIS
- Google fu: finding related PDFs and documents
- Social media
- YouTube
- Customer websites
- Third-party job posting sites
- Third-party organizational statistic sites
Let’s take a look at some examples below to demonstrate not only how valuable this information can be but how easily obtainable it is.
Job Postings and Public Resumes
Let’s start with job postings. It’s amazing what software and hardware information can be found on job posting pages hosted on the customer’s own domain. The below was found simply by visiting the customer site > careers > IT / operational-related careers. The customer’s HR/hiring department provided the public with a great spread on their network management suite of tools. This was for a cyber-related role, no less.
Below is another example, this time for a threat hunting role… how meta.
What about employees’ public resumes? Below we have an example from a current employee’s resume posted on LinkedIn. This employee works in the SCADA engineering group at this customer and provides us with some very specific relays we might expect to find in their environment, plus the software suite used to configure them.
Operational Technology Data and Environments
What about industry-wide data? Luckily, a lot of ICS sector information is visualized using ArcGIS Online.
Our final example below comes from my personal favorite: YouTube. I’ve blurred out the data points on the HMI itself, but this was posted by the customer, providing insight into the specific data points that are normal for their environment, what an operator is used to looking at, and the HMI software in use. The number of plant tours shared by newscasting stations, rogue employees, and the customers themselves, educating the public on how their water is cleaned, how the electric grid works, etc., is priceless. Education is always important and should not necessarily be hindered, but when a member of critical infrastructure allows visibility into their environment, there must be precautions put in place.
Let’s Keep the Lights On
I’ll wrap up here by telling you what I tell our customers: If we can find it, anyone can. We must address the elephant in the room: so what?
- We have to hire people who have a specific set of skills, so we need some of this information in our job postings.
- We can’t control what past employees choose to share on their LinkedIn profiles.
These questions confront the classic gray area of security vs. accessibility, and the answer could be a book in and of itself. In brief, hiring and operational security are a gray area and must be evaluated on a case-by-case basis. The public’s understanding of how the customer provides products and services, on the other hand, is a gray ocean, and this too must be evaluated on a case-by-case basis.
At the end of the day, the goal remains the same: Let’s keep the lights on.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of their present or previous employers.
Great article. I have been working in OT for about a year now, and I’m not very familiar with OSINT, which is definitely something that I want to learn more about. Thanks for sharing.